
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 2,188 of 2,445   
   Mike Powell to All   
   North Korean + QR codes   
   10 Jan 26 09:35:17   
   
   TZUTC: -0500   
   MSGID: 1945.consprcy@1:2320/105 2dc7a13e   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   North Korean hackers using malicious QR codes in spear phishing, FBI warns   
      
   Date:   
   Fri, 09 Jan 2026 20:40:00 +0000   
      
   Description:   
   Kimsuky's latest attacks can bypass email protections and MFA to steal M365   
   and VPN accounts.   
      
   FULL STORY   
      
   North Koreans are targeting US government institutions, think tanks, and   
   academia with highly sophisticated QR code phishing, or 'quishing' attacks,   
   going for their Microsoft 365, Okta, or VPN credentials.    
      
   This is according to the Federal Bureau of Investigation (FBI) which recently   
   published a new Flash report, warning both domestic and international    
   partners about the ongoing campaign.    
      
   In the report, it said that a threat actor known as Kimsuky is sending out   
   convincing email lures, containing images with QR codes. Since the images are   
   more difficult to scan and deem malicious, the emails bypass protections more   
   easily and land in people's inboxes.   
      
   Stealing session tokens and login credentials   
      
   The FBI also said that corporate computers are generally well protected, but   
   QR codes are most easily scanned with mobile phones - unmanaged devices   
   outside normal Endpoint Detection and Response (EDR) and network inspection   
   boundaries. This too makes the attacks more likely to succeed.    
      
   When the victim scans the code, they are sent through multiple redirectors   
   that collect different information and identity attributes, such as   
   user-agent, operating system, IP address, locale, and screen size. This data   
   is then used to land the victim on a custom-built credential-harvesting page,   
   impersonating Microsoft 365, Okta, or VPN portals.    
      
   If the victim does not spot the trick and tries to log in, the credentials   
   would end up with the attackers. What's more - these attacks often end with   
   session token theft and replay, allowing the threat actors to bypass   
   multi-factor authentication (MFA) and hijack cloud accounts without   
   triggering the usual MFA failed alert.    
      
   Adversaries then establish persistence in the organization and propagate   
   secondary spearphishing from the compromised mailbox, the FBI further stated.   
   Because the compromise path originates on unmanaged mobile devices outside   
   normal Endpoint Detection and Response (EDR) and network inspection   
   boundaries, quishing is now considered a high-confidence, MFA-resilient   
   identity intrusion vector in enterprise environments.    
      
   To defend against Kimsuky's advanced quishing attacks, the FBI recommends a   
   multi-layered security strategy, which includes employee education, setting   
   up clear protocols for reporting suspicious QR codes, deploying mobile device   
   management (MDM) capable of analyzing QR-linked URLs, and more.   
      
    Via The Hacker News    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/north-korean-hackers-using-malicious-qr-codes-in-spear-phishing-fbi-warns   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 275 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 633/280 712/848 902/26 2320/0 105 107 304 3634/12   
   SEEN-BY: 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca