Executive Summary
A sustained quishing (QR-code phishing) campaign conducted by the North Korea–linked APT group Kimsuky (aka Larva-24005) has been actively targeting government, defense, and critical infrastructure organizations. According to a recent FBI warning, Kimsuky operators embed malicious QR codes in emails and documents to redirect victims to attacker-controlled infrastructure, enabling credential harvesting, malware delivery, and long-term espionage access. By avoiding traditional clickable URLs, the campaign bypasses many email security controls and shifts exploitation to mobile devices, where victims are redirected to fake authentication portals or payload delivery pages. This activity highlights Kimsuky’s continued evolution toward low-noise, socially engineered initial access techniques aligned with strategic intelligence collection objectives.
Background on APT Kimsuky
Kimsuky is a long-running state-sponsored cyber-espionage group assessed to operate on behalf of the Democratic People’s Republic of Korea (DPRK). Active since at least 2012, Kimsuky has historically focused on:
- Intelligence collection
- Strategic policy research theft
- Credential harvesting
- Surveillance of diplomats, academics, journalists, and defense contractors
Kimsuky is known for persistent social engineering, often impersonating trusted institutions, media organizations, or government agencies. The recent quishing campaigns represent a tactical shift toward mobile-assisted compromise, reducing reliance on traditional malware-laden attachments.
Campaign Details – Quishing Attacks
Threat Type: QR-code phishing (Quishing)
Primary Objective: Credential harvesting and espionage access
Victim Profile: Government officials, policy researchers, defense sector personnel
Key Characteristics
- QR codes embedded in:
  - Emails
  - PDF documents
  - HTML attachments
- QR codes redirect victims to:
  - Fake Microsoft 365 login portals
  - Credential harvesting sites
  - Secondary phishing pages
- Scanning typically occurs on personal or unmanaged mobile devices, evading enterprise endpoint protections
Vulnerability Details
Key CVEs Observed in Related Larva-24005 Activity
| CVE | Vulnerability | Affected Versions | CVSS Score | EPSS Score |
|---|---|---|---|---|
| CVE-2019-0708 | Remote Code Execution (BlueKeep – RDP) | Windows 7, Windows Server 2008, Windows Server 2008 R2 | 9.8 | 94.7% |
| CVE-2017-11882 | Remote Code Execution (Office Equation Editor) | Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 | 7.8 | 91.6% |
Infection Method
Initial Access – QR Code Social Engineering
- Victim receives an email themed as:
  - Official notices
  - Event invitations
  - Security alerts
- Embedded QR code replaces clickable URL
Credential Harvesting
- QR code leads to attacker-controlled login page
- Victim enters corporate or personal credentials
- Credentials transmitted to Kimsuky C2 infrastructure
Account Compromise
- Stolen credentials reused for:
  - Email access
  - Cloud services
  - VPN portals
- Enables persistent espionage access
Follow-On Activity
- Targeted surveillance
- Lateral access into associated accounts
- Potential malware delivery in later stages (historically observed)
Malware Behavior and Capabilities
While the FBI alert emphasizes credential harvesting, Kimsuky operations historically include:
- Living-off-the-Land (LotL) Techniques
- Email Account Takeover
- Cloud-based Persistence
- Secondary malware deployment
- Long-term intelligence exfiltration
The quishing campaign serves as a stealthy initial access vector, reducing immediate indicators of compromise.
Techniques Observed (MITRE ATT&CK Mapping)
T1566.002 – Phishing: QR Codes: Kimsuky delivers malicious QR codes embedded in phishing emails and documents, redirecting victims to attacker-controlled infrastructure for credential harvesting while bypassing traditional email security controls.
T1204.001 – User Execution: Malicious Link: Victims manually scan QR codes using mobile devices, triggering redirection to fraudulent authentication portals or secondary phishing pages.
T1078 – Valid Accounts: Stolen credentials are used to authenticate to legitimate email, cloud, and collaboration services, enabling persistent access without deploying malware.
T1110.003 – Credential Stuffing / Password Reuse: Harvested credentials are tested across multiple services and accounts to expand access and identify additional valid entry points.
T1071.001 – Application Layer Protocol: Web: Kimsuky uses standard HTTPS web traffic to transmit harvested credentials and interact with command-and-control infrastructure, blending malicious activity with normal web traffic.
T1087 – Account Discovery: After account compromise, operators enumerate accessible users, mailboxes, and cloud identities to identify high-value targets and expand espionage coverage.
T1041 – Exfiltration Over C2 Channel: Collected credentials, authentication tokens, and intelligence data are exfiltrated over established web-based C2 channels.
Indicators of Compromise (IOCs)
Email & Content Indicators
- QR codes embedded in:
  - PDFs
  - HTML email bodies
  - Office documents
- Emails impersonating:
  - Government agencies
  - Research organizations
  - Conference organizers
Network Indicators
- Redirections from QR scans to:
  - Newly registered domains
  - Short-lived hosting infrastructure
- Mobile-originated authentication attempts from anomalous locations
Authentication Signals
- MFA fatigue prompts
- Login attempts shortly after QR code scans
- Suspicious OAuth consent grants
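The network and authentication signals above can be correlated in identity-provider logs. The following is an added example, not part of the advisory: a small Python detector run over constructed, vendor-neutral sign-in and audit records. It flags repeated MFA prompts (fatigue), mobile sign-ins from outside a user's baseline countries, and OAuth consent grants that follow such a sign-in within a short window. The record fields, the per-user baseline, and the time windows are assumptions chosen for illustration; a QR scan itself is not logged, so the mobile sign-in is used as its proxy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the advisory): a simplified view of
# identity-provider sign-in and audit records for one user, sorted by time.
EVENTS = [
    {"ts": "2024-05-06T08:55:00", "user": "analyst@example.gov", "type": "signin",
     "device": "desktop", "country": "US"},
    {"ts": "2024-05-06T09:02:00", "user": "analyst@example.gov", "type": "mfa_prompt",
     "device": "mobile", "country": "RO"},
    {"ts": "2024-05-06T09:03:00", "user": "analyst@example.gov", "type": "mfa_prompt",
     "device": "mobile", "country": "RO"},
    {"ts": "2024-05-06T09:04:00", "user": "analyst@example.gov", "type": "mfa_prompt",
     "device": "mobile", "country": "RO"},
    {"ts": "2024-05-06T09:05:00", "user": "analyst@example.gov", "type": "signin",
     "device": "mobile", "country": "RO"},
    {"ts": "2024-05-06T09:12:00", "user": "analyst@example.gov", "type": "oauth_consent",
     "device": "mobile", "country": "RO"},
]

# Assumed per-user baseline of countries seen in normal activity (constructed).
BASELINE = {"analyst@example.gov": {"US"}}


def detect(events, baseline, consent_window=timedelta(minutes=30),
           mfa_threshold=3, mfa_window=timedelta(minutes=5)):
    """Return (timestamp, user, rule) alerts for the advisory's authentication signals."""
    alerts = []
    anomalous_signins = defaultdict(list)  # user -> times of anomalous mobile sign-ins
    mfa_prompts = defaultdict(list)        # user -> times of recent MFA prompts
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "mfa_prompt":
            # MFA fatigue: the threshold number of prompts inside a short window
            recent = [t for t in mfa_prompts[user] if ts - t <= mfa_window] + [ts]
            mfa_prompts[user] = recent
            if len(recent) == mfa_threshold:
                alerts.append((e["ts"], user, "mfa_fatigue"))
        elif (e["type"] == "signin" and e["device"] == "mobile"
              and e["country"] not in baseline.get(user, set())):
            # Mobile-originated sign-in from a location outside the user's baseline
            anomalous_signins[user].append(ts)
            alerts.append((e["ts"], user, "anomalous_mobile_signin"))
        elif e["type"] == "oauth_consent" and any(
                timedelta(0) <= ts - t <= consent_window for t in anomalous_signins[user]):
            # OAuth consent granted shortly after an anomalous mobile sign-in
            alerts.append((e["ts"], user, "consent_after_anomalous_signin"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```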
Mitigation Steps
Immediate Actions (Within Hours)
1. Patch & Update Systems (RDP & Office): Ensure Windows hosts are patched against CVE-2019-0708 (“BlueKeep”) and apply the latest Office security updates to close CVE-2017-11882 and related RCE vectors.
2. Harden Identity Services: Enforce phishing-resistant multi-factor authentication and conditional access policies; discourage credential submission via links/QR codes without verification.
3. Mobile & Email Controls: Deploy mobile device management (MDM) capable of inspecting QR-linked URLs; train staff to treat unsolicited QR codes as high-risk.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated patching solution that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
