State-backed attackers are using QR codes to slip past enterprise security and help themselves to cloud logins, the FBI says

North Korean government hackers are turning QR codes into credential-stealing weapons, the FBI has warned, as Pyongyang's spies find new ways to duck enterprise security and help themselves to cloud logins.

In an advisory published this week, the agency said the Nork-linked "Kimsuky" group has been embedding malicious URLs inside QR codes delivered in carefully-crafted spear phishing emails, a technique the industry is now calling "quishing." 

When a target scans the booby-trapped code, usually on a phone that security teams have little visibility into, they are redirected to attacker-run pages posing as Microsoft 365, Okta, or VPN portals, where credentials and session tokens are quietly stolen and later reused to bypass multi-factor authentication.

The FBI said these campaigns, seen throughout 2025, have targeted thinktanks, academic institutions, and US and foreign government organizations connected to North Korea policy, foreign affairs, and national security. 

The emails themselves don't look especially ...