Kimsuky APT Quishing Attacks Targeting Microsoft 365 and Google Workspace
The FBI, CISA, and NSA have issued warnings about a surge in spear-phishing campaigns conducted by the North Korean state-sponsored threat group Kimsuky (APT43), which leverage malicious QR codes—known as quishing—to target high-value individuals in government, academia, think tanks, and foreign policy organizations. These attacks embed QR codes in phishing emails, which, when scanned, redirect victims to credential harvesting sites or initiate malware downloads, often bypassing traditional email security controls and exploiting the relative insecurity of mobile devices. Kimsuky’s campaigns are characterized by highly personalized lures, extensive reconnaissance, and a focus on intelligence gathering, with observed targeting of Microsoft 365 and Google Workspace accounts.
Quishing attacks are effective because QR codes can evade standard email security measures such as URL inspection and sandboxing, and they obscure the true destination from the user. Once a victim scans the QR code, attackers can collect device and identity attributes, present mobile-optimized phishing pages impersonating legitimate portals (such as Microsoft 365 or Okta), and steal credentials or session tokens—sometimes bypassing multi-factor authentication. The campaigns have been observed globally and represent a significant evolution in Kimsuky’s social engineering and credential theft operations, prompting urgent mitigation guidance from U.S. federal agencies and security researchers.
Related Stories
Kimsuky Delivers DocSwap Android Malware via QR Code Phishing Impersonating Delivery Services
The North Korean state-sponsored threat group Kimsuky has launched a sophisticated campaign distributing a new variant of the DocSwap Android malware. Attackers use phishing sites that impersonate legitimate delivery services, particularly Seoul-based CJ Logistics, to lure victims. The campaign leverages QR codes and notification pop-ups to trick users into installing a malicious APK, often named `SecDelivery.apk`, on their mobile devices. Victims are typically targeted through smishing messages or phishing emails containing links to these fake delivery tracking sites. When accessed from a desktop, the site displays a QR code, prompting users to scan it with their Android device, which then initiates the malware download. The malicious app decrypts an embedded encrypted APK and launches a service with remote access trojan (RAT) capabilities, requesting extensive permissions to access files, SMS, phone, and location data. Security researchers have observed that the campaign employs advanced evasion techniques, such as device-type detection and server-side logic to serve different content based on the user's platform. The malware variant features improvements over previous DocSwap versions, including a new native decryption function and enhanced decoy behaviors. The infrastructure supporting the campaign is linked to a command and control server at `27.102.137[.]181`, and the phishing lures are designed to bypass Android's default security warnings by impersonating official apps and security modules. This campaign highlights the evolving tactics of Kimsuky in targeting South Korean users and the growing threat of QR code-based phishing for mobile malware delivery.
2 months ago
Quantum Route Redirect Phishing Platform Targets Microsoft 365 Users
A new phishing-as-a-service (PhaaS) platform called **Quantum Route Redirect** has emerged, enabling cybercriminals to launch sophisticated credential harvesting campaigns against Microsoft 365 users worldwide. The platform dramatically lowers the technical barrier for attackers by providing a pre-configured phishing kit and a network of around 1,000 domains, allowing even less skilled threat actors to conduct large-scale phishing operations with minimal effort. Attackers use a variety of email lures, including DocuSign impersonations, payroll notifications, payment alerts, and missed voicemail messages, to direct victims to credential harvesting pages managed by the Quantum Route Redirect system. The phishing kit automates the entire attack chain, from rerouting traffic to malicious domains to filtering out automated security tools using built-in bot detection. URLs used in these campaigns follow a consistent pattern and are often hosted on parked or compromised legitimate domains, increasing the likelihood of bypassing security controls and deceiving targets. The majority of observed attacks have targeted users in the United States, but incidents have been recorded in over 90 countries. The platform's dashboard provides real-time statistics to operators, further streamlining the management and effectiveness of global phishing campaigns.
4 months ago
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Activity described by Microsoft impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling delivered via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services.
One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
1 week ago