NEWS Kim Jong Un in Your Smartphone: One QR Code Scan and You’ve Personally Let a Spy Past Corporate Defenses

ExcalibuR

How Hackers Turned an Innocent QR Code into a ‘Trojan Horse’ That Security Systems Completely Overlook

North Korean hackers have begun actively using QR codes to steal credentials and bypass corporate security. The FBI issued a warning about this new tactic, linking it to the Kimsuky group, which U.S. intelligence agencies believe is affiliated with the DPRK authorities.

This is a variation of QR-phishing. In such attacks, the malicious link is not hidden in the text of an email but embedded within a QR code. Malicious actors send carefully crafted emails and rely on the recipient scanning the code with a smartphone—a device that often falls outside the scope of corporate security tools.

After scanning, the victim is redirected to a fake login page impersonating popular services such as Microsoft 365, Okta, or corporate VPN portals. The usernames, passwords, and active session data entered there are silently intercepted and later used to access systems, including bypassing MFA (multi-factor authentication).

According to the FBI, such campaigns have been observed throughout 2025. The primary targets have been think tanks, academic institutions, and government or quasi-governmental organizations in the United States and abroad, focusing on issues related to North Korea, foreign policy, and national security.

The emails themselves appear quite plausible. They may include invitations to events, requests for comments on analytical materials, or professional correspondence on relevant topics. The catch is only discovered after scanning the QR code, when the user lands on a resource controlled by the attackers. Once they gain access to an account, attackers sometimes continue phishing campaigns from the compromised employee’s identity.

QR-phishing is particularly dangerous because it effectively bypasses conventional email protection measures. Email filters and link analysis systems cannot “look inside” a graphic QR code. If the code is scanned using a personal or poorly secured mobile device, the security team may only notice the breach after the fact.

The FBI recommends that organizations reassess their approach to QR codes and avoid thoughtless usage practices. It specifically emphasizes the need to treat smartphones and tablets as full-fledged endpoints and to implement mechanisms for verifying QR links before users open them.
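One way to act on that last recommendation is a vetting step that runs on the text decoded from a QR code before the user is allowed to open it. This is an added illustration, not code from the article or the FBI: it assumes a separate QR decoder (for example OpenCV's QRCodeDetector) has already produced the payload text, and the brand allowlists and the example.com portal hosts are placeholders an organisation would replace with its own.

```python
from urllib.parse import urlparse
import ipaddress

# Assumed allowlists: official domains of the brands the article names as
# impersonated, plus a hypothetical corporate SSO/VPN portal on example.com.
BRAND_HOSTS = {
    "microsoft": ("microsoftonline.com", "microsoft.com", "office.com"),
    "okta": ("okta.com", "oktapreview.com"),
}
CORPORATE_HOSTS = ("vpn.example.com", "sso.example.com")


def host_matches(host, allowed):
    """True if host equals, or is a subdomain of, any allowed domain."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def vet_qr_url(payload):
    """Classify text decoded from a QR code; returns (verdict, reasons).
    Unknown hosts are at least 'review' so nothing is opened unvetted;
    concrete phishing markers escalate to 'block'."""
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https"):
        return "block", ["non-web scheme %r" % url.scheme]
    host = (url.hostname or "").rstrip(".")  # urlparse lowercases it
    if not host:
        return "block", ["empty host"]
    reasons = []
    if url.username or url.password:
        reasons.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible homograph domain")
    if url.scheme == "http":
        reasons.append("plain HTTP login link")
    # Brand name inside the hostname but not on that brand's official domains.
    flat = host.replace("-", "").replace(".", "")
    for brand, official in BRAND_HOSTS.items():
        if brand in flat and not host_matches(host, official):
            reasons.append("'%s' in host but not an official %s domain" % (brand, brand))
    trusted = host_matches(host, CORPORATE_HOSTS) or any(
        host_matches(host, official) for official in BRAND_HOSTS.values())
    if trusted:
        return ("allow" if not reasons else "review"), reasons
    return ("review" if not reasons else "block"), reasons
```

In a mail gateway this would sit after image extraction and QR decoding, with 'review' payloads held for sandbox detonation or analyst approval rather than delivered as a scannable image.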

This new technique fits into the broader picture of cyber activity linked to Pyongyang. Previously, researchers reported on another North Korean group—KONNI—which abused the Google Find My Device feature to remotely reset compromised Android devices to factory settings. This allowed them to simultaneously erase traces of espionage activity and deprive owners of access to their phones.

KONNI has also been observed distributing malware via PDFs and documents. According to Genians, this group’s infrastructure partially overlaps with resources used by other North Korean teams, including Kimsuky.

As in many other cases, the key risk factor here is not a complex technical vulnerability but trust in familiar and seemingly harmless things. Even an ordinary QR code can become an entry point for a serious attack.