Overview
- The alert attributes the campaigns to Kimsuky (APT43) and focuses on U.S. organizations involved in North Korea policy, including think tanks, academic institutions, NGOs, strategic advisory firms, and government entities.
- The FBI details May–June 2025 incidents that spoofed advisors, embassy staff, and think tank employees, including a fake conference invite that funneled a strategic advisory firm to a counterfeit Google login page.
- Victims scanning embedded QR codes are routed through attacker-controlled infrastructure that fingerprints devices and serves phishing pages impersonating Microsoft 365, Okta, VPN portals, or Google.
- The bureau classifies quishing as an MFA-resilient identity intrusion vector because compromises often originate on personal mobile devices outside enterprise EDR and network inspection.
- Recommended defenses include training employees on QR risks, verifying QR sources, deploying mobile device management, enforcing phishing-resistant MFA, and reporting incidents to FBI Cyber Squads or the IC3 portal.
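
The "verifying QR sources" recommendation can be partly automated once a QR payload has been decoded, for example at a mail gateway or in a mobile management tool. The following is an added example, not code from the FBI alert: the allowlist entries `example.okta.com` and `vpn.example.org`, the brand keyword list, and the function name `assess_qr_url` are assumptions made for illustration.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: the sign-in hosts this organization really uses.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "accounts.google.com",
    "example.okta.com",   # hypothetical Okta tenant
    "vpn.example.org",    # hypothetical VPN portal
}
# Keywords for the services the overview lists as impersonated (assumed list).
BRAND_TOKENS = ("microsoft", "office365", "okta", "google", "vpn")

def assess_qr_url(payload: str) -> tuple[str, str]:
    """Return (verdict, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "block", "malformed URL"
    if parts.scheme != "https":
        return "block", "not https"
    if not host:
        return "block", "no host"
    # "https://trusted-name@other-host/" displays a trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return "block", "userinfo in URL"
    try:
        ipaddress.ip_address(host)
        return "block", "IP literal host"
    except ValueError:
        pass  # not an IP address, continue with hostname checks
    if any(label.startswith("xn--") for label in host.split(".")):
        return "block", "punycode host"
    # Exact host match only: a suffix or substring match would accept lookalikes.
    if host in TRUSTED_LOGIN_HOSTS and port in (None, 443):
        return "allow", "trusted sign-in host"
    if any(tok in host or tok in parts.path.lower() for tok in BRAND_TOKENS):
        return "block", "brand keyword on untrusted host"
    return "review", "unknown destination"
```

A "review" verdict means the destination is neither a known sign-in host nor an obvious lookalike, so it should go to a human or a sandbox rather than be opened on a personal device.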