FBI flash: North Korean Kimsuky uses malicious QR codes to bypass email defenses and seize cloud accounts
The FBI issued a high‑priority advisory warning that DPRK‑linked APT Kimsuky has embedded malicious URLs in QR codes delivered via spear‑phishing to evade email and URL inspection. The bureau urged at‑risk organizations to tighten MFA and mobile device controls and to caution users about scanning QR codes.
On January 8, 2026, the FBI released a flash warning that Kimsuky, a North Korea‑linked advanced persistent threat, adopted 'quishing' tactics that embed malicious URLs in QR codes inside spear‑phishing emails and attachments. By directing targets to scan QR codes with mobile devices, attackers can avoid enterprise email and URL filtering, harvest session tokens, and in some cases bypass multifactor authentication to take over cloud accounts. The advisory highlighted targeted sectors such as non‑governmental organizations, think tanks, academic institutions, and human rights researchers, and described follow‑on activity that included lateral movement and credential reuse. The bureau recommended enforcing risk‑based MFA policies that resist token theft, restricting QR scanning on corporate devices, applying zero trust access controls, and conducting phishing awareness and incident response exercises. The FBI also urged rapid reporting and information sharing so defenders can block observed infrastructure and mitigate token exposure. Security outlets reiterated the warning while examining telemetry and mitigation best practices for enterprise defenders.