Kimsuky APT Quishing Attacks

BLUF

The North Korea-linked APT group Kimsuky is actively targeting government, think tanks, and academic institutions using "quishing" (QR code phishing) attacks to harvest credentials and perform espionage.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by Kimsuky APT quishing (QR code phishing) attacks leading to credential compromise and follow-on access:

  • Low-end total cost: $700,000 – $1.5M
    (Isolated credential exposure, rapid detection, limited lateral movement)

  • Typical expected range: $1.5M – $3.5M
    (Multiple accounts compromised, short-term persistence, operational disruption)

  • Upper-bound realistic scenarios: $3.5M – $6M+
    (Extended dwell time, sensitive data access, regulatory and strategic fallout)

Key Cost Drivers:

  • Scope of credential compromise across privileged and executive accounts

  • Duration of attacker persistence before detection and containment

  • Sensitivity of accessed communications, research, or policy data

  • Scale of workforce disruption during access resets and investigations

  • Regulatory and stakeholder response requirements for espionage-linked incidents

Potential Affected Sectors

·       Government

·       Academic institutions

·       Think tanks

Targeted Countries

·       Global

o   Direct mention of the United States

Date of First Reported Activity

·       January 10, 2026

Date of Last Reported Activity Update

·       January 10, 2026

CVEs and CVSS Vectors 3.1

·       No specific CVEs are associated with this campaign

o   Initial access relies on social engineering (QR code phishing), not on exploitation of a software vulnerability, so patch status does not reduce exposure.

Nessus ID

·       Not applicable

Is this on the KEV list

Not applicable

Mitigation Data

·       Train users that a QR code in an email is a link they cannot hover over or preview; a work login prompted by a scanned code should be treated as suspect and reported.

·       Implement robust email filtering and authentication (SPF, DKIM and DMARC at enforcement), and consider disabling QR code rendering in email clients if possible, since a code the client will not display cannot be scanned.

·       Mandate phishing-resistant MFA (FIDO2/WebAuthn or certificate-based) for privileged and executive accounts in particular, because push and OTP factors are relayed by the session-stealing login pages these campaigns use; pair it with conditional access that rejects sign-ins from unmanaged devices, and revoke active sessions, not just passwords, during credential resets.

APT Names

·       Kimsuky (North Korea-linked)

Associated Criminal Organization Names

·       This has not been associated with a criminal group at this time.

IOCs

Key Indicators of Compromise (IOCs)

While specific quishing-related domains rotate frequently, the following indicators have been associated with recent 2025–2026 Kimsuky campaigns:

Infrastructure & Domains:

·       article-com[.]eu

·       naverbox.pe[.]kr (often used to mimic legitimate Korean portals)

·       nid-security[.]com

·       spo.go[.]kr (the legitimate South Korean Supreme Prosecutors' Office domain, spoofed in lure sender addresses; alert on it as a sender that fails DMARC alignment rather than blocking it as a destination)

·       tw.systexcloud[.]com

·       185.235.128.114 and 92.119.114.128 (linked to PowerShell-based XWorm RAT execution)

Malware Hashes (SHA-256):

·       081804B491C70BFA63ECDBE9FD4618D3570706AD8B71DBA13E234069648E5E48

·       492A643BD1EFDACA4CA125ADE1B606E7BBF00E995AC9115AC84D1C4C59CB66DD

·       87e8287509a79099170b5b6941209b5787140a8f6182d460618d4ed93418aff9

User-Agent Signatures:

·       Kimsuky tooling has been observed with distinctive Internet Explorer 11 (IE11) user-agent strings; on a mobile-optimized credential-harvesting site an IE11 user-agent is itself anomalous and worth alerting on.
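The indicators above are most useful when swept across existing log exports rather than only added to a blocklist. The following is an added example written for this page (not CyberDax tooling) that refangs the domains, IPs and hashes listed in this section and matches them against key=value log lines. The line format and the field names (dst_host, dst_ip, mail_from, sha256) are assumptions about your proxy, mail and EDR exports, and the sample lines are constructed for the demo; spo.go[.]kr is handled as a spoofed-sender indicator, not a destination.

```python
"""Sweep key=value log exports for the Kimsuky indicators listed above.

Added example for this page, not CyberDax tooling. The indicators are copied
from the IOC section; the key=value line format and the field names
(dst_host, dst_ip, mail_from, sha256) are assumptions about your proxy,
mail and EDR exports, and SAMPLE_LOG is constructed for the demo.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

# Destination indicators, defanged exactly as on the page.
DEFANGED_DOMAINS = ["article-com[.]eu", "naverbox.pe[.]kr",
                    "nid-security[.]com", "tw.systexcloud[.]com"]
# spo.go[.]kr is the legitimate prosecutors' office domain that the lures
# impersonate, so it is matched on the sender, never as a destination.
SPOOFED_SENDER_DOMAINS = ["spo.go[.]kr"]
DEFANGED_IPS = ["185.235.128.114", "92.119.114.128"]
HASHES = [
    "081804B491C70BFA63ECDBE9FD4618D3570706AD8B71DBA13E234069648E5E48",
    "492A643BD1EFDACA4CA125ADE1B606E7BBF00E995AC9115AC84D1C4C59CB66DD",
    "87e8287509a79099170b5b6941209b5787140a8f6182d460618d4ed93418aff9",
]


def refang(indicator: str) -> str:
    """'example[.]com' -> 'example.com', 'hxxps://' -> 'https://'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


DST_DOMAINS: Set[str] = {refang(d) for d in DEFANGED_DOMAINS}
SENDER_DOMAINS: Set[str] = {refang(d) for d in SPOOFED_SENDER_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
HASH_SET: Set[str] = {h.lower() for h in HASHES}   # SHA-256 hex is case-insensitive


def domain_hit(host: str, watch: Set[str]) -> Optional[str]:
    """Exact or subdomain match: login.nid-security.com hits nid-security.com,
    but nid-security.com.evil.example does not."""
    host = host.lower().rstrip(".")
    for d in watch:
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_kv(line: str) -> dict:
    """Parse 'k=v k=v ...'; values carry no spaces in this assumed export."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return (ioc_type, indicator) pairs that fire on one log line."""
    f = parse_kv(line)
    hits: List[Tuple[str, str]] = []
    d = domain_hit(f.get("dst_host", ""), DST_DOMAINS)
    if d:
        hits.append(("c2_domain", d))
    try:
        if "dst_ip" in f and ipaddress.ip_address(f["dst_ip"]) in IPS:
            hits.append(("c2_ip", f["dst_ip"]))
    except ValueError:          # malformed address field: skip the IP check
        pass
    sender_domain = f.get("mail_from", "").rpartition("@")[2]
    s = domain_hit(sender_domain, SENDER_DOMAINS)
    if s:                       # genuine mail from the real domain fires too,
        hits.append(("spoofed_sender", s))   # so pair with DMARC results in production
    if f.get("sha256", "").lower() in HASH_SET:
        hits.append(("sha256", f["sha256"].lower()))
    return hits


def sweep(log_text: str) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Run match_line over every line; return (line_no, hits) for lines that hit."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        h = match_line(line)
        if h:
            out.append((n, h))
    return out


# Constructed sample export: two proxy hits, one C2 IP, a spoofed sender
# and a dropped file whose hash matches. Addresses are documentation ranges.
SAMPLE_LOG = """\
ts=2026-01-10T09:03:31Z src=10.20.0.14 dst_host=login.nid-security.com dst_ip=203.0.113.7
ts=2026-01-10T09:03:40Z src=10.20.0.14 dst_host=naverbox.pe.kr dst_ip=203.0.113.8
ts=2026-01-10T09:05:02Z src=10.20.0.31 dst_host=update.example.net dst_ip=185.235.128.114
ts=2026-01-10T09:06:00Z src=10.20.0.31 dst_host=www.example.org dst_ip=198.51.100.9
ts=2026-01-10T08:58:10Z mail_from=press@spo.go.kr rcpt=analyst@think-tank.example
ts=2026-01-10T09:07:15Z host=WS-031 sha256=492A643BD1EFDACA4CA125ADE1B606E7BBF00E995AC9115AC84D1C4C59CB66DD path=C:/Users/a/Downloads/x.exe
"""

if __name__ == "__main__":
    for n, hits in sweep(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

The suffix match is anchored on a leading dot so that a lookalike such as nid-security.com.evil.example does not count as a hit; the quishing redirectors rotate, so treat the domain list as a starting point and feed any new landing hosts back into DST_DOMAINS.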

Tools Used in Campaign

Once initial access is gained through quishing or the follow-on malware it delivers, Kimsuky often deploys the following tools:

·       KimaLogger

o   A keylogger used in late-stage infection to record user keystrokes.

·       RandomQuery

o   A longstanding Kimsuky malware used for both information harvesting and keylogging.

·       RDPWrap

o   A tool utilized to maintain remote access by enabling multiple concurrent RDP sessions on compromised hosts.

TTPs

Initial Access & Social Engineering

·       T1660 Phishing (Mobile ATT&CK), delivered as a QR code

o   Adversaries embed the malicious URL in a QR code image. Because the URL exists only as pixels, secure email gateways that rewrite or detonate text links never see it, and the scan moves the victim onto a personal mobile device outside the corporate proxy and EDR.

·       T1566.002 Spearphishing Link

o   QR codes are often delivered via highly tailored spear-phishing emails that impersonate trusted figures like foreign advisors or embassy staff.

·       T1204 User Execution

o   Attackers rely on the victim scanning the QR code with their mobile device to initiate the malicious redirect.

Reconnaissance & Information Gathering

·       T1593 Search Open Websites/Domains

o   The attack often begins with extensive reconnaissance using open-source intelligence to identify high-value targets.

·       T1592 Gather Victim Host Information

o   After a scan, attacker-controlled redirectors collect device attributes like user-agent, OS, IP address, and locale to serve mobile-optimized pages; desktop crawlers and sandboxes may receive a benign page instead, so detonate QR URLs with a mobile user-agent.

Credential Access & Persistence

·       T1056.003 Input Capture: Web Portal Capture

o   Victims are redirected to fake login pages (e.g., Microsoft 365, Google, Okta) designed to harvest credentials.

·       T1550.004 Use Alternate Authentication Material

o   Web Session Cookie: Kimsuky may steal session tokens during the phishing process to bypass multi-factor authentication (MFA) and replay the session to gain access to cloud accounts.

·       T1098 Account Manipulation

o   Once access is gained, attackers may manipulate accounts to establish long-term persistence, for example by registering an additional MFA device or adding mail-forwarding rules, so a password reset alone does not evict them.

Command and Control & Exfiltration

·       T1071 Application Layer Protocol

o   The group uses standard web protocols (HTTP/HTTPS) for communication with command-and-control (C2) infrastructure.

·       T1567.002 Exfiltration Over Web Service

o   Sensitive data and exfiltrated documents are often moved over established web services to blend in with legitimate traffic.

Malware Names

·       DocSwap

o   A recently identified Android Remote Access Trojan (RAT) distributed via QR codes on fake logistics websites. It provides full remote access to a mobile device, including calls, messages, cameras, and microphones.

·       MySpy

o   A malware strain deployed after initial access to maintain control and perform surveillance.

·       EndClientRAT

o   A sophisticated RAT observed in tandem with quishing campaigns for long-term persistence.

Malware Samples

DocSwap

sha256

bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e

URL to Sample

·       hxxps://www.virustotal.com/gui/file/bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e

MySpy

sha256

73aab51f08983a2da5286b3a0849f3101ec7b95336898afc797a97d8615a15b3

URL to Sample

·       hxxps://www.virustotal.com/gui/file/73aab51f08983a2da5286b3a0849f3101ec7b95336898afc797a97d8615a15b3

EndClientRAT

sha256

e0ee7c88a8149d8890b26fd9e1d909859ea895a39ca188d76a96869cff87c93d

URL to Sample

·       hxxps://www.virustotal.com/gui/file/e0ee7c88a8149d8890b26fd9e1d909859ea895a39ca188d76a96869cff87c93d

KimaLogger

sha256

3af5c9759d95fd6091e665c03406f275fac26afe70db067a785cdc003389efbd

URL to Sample

·       hxxps://www.virustotal.com/gui/file/3af5c9759d95fd6091e665c03406f275fac26afe70db067a785cdc003389efbd

RDPWrap

sha256

861ad4bbf682b35affda23fab92c8db945f3fa34f78177843c87802d1fd02020

URL to Sample

·       hxxps://www.virustotal.com/gui/file/861ad4bbf682b35affda23fab92c8db945f3fa34f78177843c87802d1fd02020

Suggested rules / potential hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata

Redirection to Known Malicious TLDs

Kimsuky frequently stands up redirectors on cheap, newly registered or lookalike domains. This rule fires on any HTTP request to the listed TLDs, so it is a hunting query to baseline, not a blocking signature; note that the domains in the IOC section use .eu, .kr and .com and will not trigger it.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Kimsuky Related Redirection Domain (Potential Quishing)"; flow:established,to_server; http.host; pcre:"/\.(pw|top|xyz|online)$/"; classtype:social-engineering; sid:2026001; rev:1;)

 

Mobile-Specific User-Agent to Credential Portals

Kimsuky's landing pages selectively present mobile-optimized portals based on User-Agent, so a phone on the corporate network reaching a login path is the pivot to look for. Suricata ANDs separate content keywords, so the user-agent and path alternatives must be expressed with pcre alternation or the rule can never match.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mobile User-Agent Accessing Enterprise VPN/MFA Portal (Possible Quishing Pivot)"; flow:established,to_server; http.user_agent; pcre:"/(?:iPhone|Android)/"; http.uri; pcre:"/^\/(?:login|owa|adfs)/"; classtype:policy-violation; sid:2026002; rev:1;)

SentinelOne

Look for document types Kimsuky uses to deliver lures (PDF, CHM, ZIP) that may contain embedded QR images.

Query (Deep Visibility): EventType = "File Creation" AND TgtFileExtension In ("pdf", "chm", "zip") AND SrcProcName In ("outlook.exe", "chrome.exe", "msedge.exe")

 

Detection of Kimsuky Backdoor Indicators (HttpTroy/MemLoad)

Query (Deep Visibility): EventType = "Process Creation" AND TgtProcName = "powershell.exe" AND TgtProcCmdLine Contains Anycase "Remove-Item" AND TgtProcCmdLine Contains Anycase "-Path" (detecting trace removal)

Query (Deep Visibility): EventType = "Process Creation" AND TgtProcName = "schtasks.exe" AND TgtProcCmdLine Contains Anycase "/create" AND TgtProcCmdLine RegExp "/tn\s+\"?[A-Za-z0-9]{5,10}\"?(\s|$)" (looking for AhnLab-style scheduled task naming patterns; the regex is anchored to the /tn task-name argument, because an unanchored [A-Za-z0-9]{5,10} matches every command line)

Splunk

index=email_logs (attachment_type="image/*" OR attachment_name="*.pdf")

| stats latest(_time) as email_time by recipient

| join type=inner recipient [

    search index=mfa_logs action="success" user_agent="*Mobile*"

    | stats latest(_time) as mfa_time by user

    | rename user as recipient

]

| eval delta=mfa_time-email_time

| where delta>=0 AND delta<300
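The pairing logic of the search above is easier to reason about, and to regression-test, outside Splunk. The following is an added example for this page (not CyberDax's query or tooling) that runs the same hunt over constructed JSON-lines mail-gateway and IdP events: a lure-style attachment (image or PDF) delivered to a recipient, followed within five minutes by a successful MFA event from a mobile user-agent for the same user. The field names (ts, recipient, user, action, user_agent, attachment_type, attachment_name) are assumptions about your log schema.

```python
"""Pair a lure-style attachment with a mobile MFA success minutes later.

Added example for this page (not CyberDax's query or tooling). It runs the
same hunt as the Splunk search above over constructed JSON-lines logs so
the pairing logic can be checked offline. The field names (ts, recipient,
user, action, user_agent, attachment_type, attachment_name) are assumptions
about your mail-gateway and IdP log schema.
"""
import json
from datetime import datetime
from typing import Dict, List

WINDOW_SECONDS = 300                       # same 5-minute window as the SPL
MOBILE_UA_MARKERS = ("Mobile", "iPhone", "Android")

# Constructed mail-gateway events, one JSON object per line.
EMAIL_LOG = """
{"ts": "2026-01-10T09:00:00Z", "recipient": "alice@think-tank.example", "attachment_type": "image/png", "attachment_name": "invite.png"}
{"ts": "2026-01-10T09:01:00Z", "recipient": "bob@think-tank.example", "attachment_type": "application/pdf", "attachment_name": "agenda.pdf"}
{"ts": "2026-01-10T09:02:00Z", "recipient": "carol@think-tank.example", "attachment_type": "text/plain", "attachment_name": "notes.txt"}
{"ts": "2026-01-10T08:00:00Z", "recipient": "dave@think-tank.example", "attachment_type": "image/jpeg", "attachment_name": "scan.jpg"}
"""

# Constructed IdP/MFA events.
MFA_LOG = """
{"ts": "2026-01-10T09:03:30Z", "user": "alice@think-tank.example", "action": "success", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"}
{"ts": "2026-01-10T09:10:00Z", "user": "bob@think-tank.example", "action": "success", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"ts": "2026-01-10T09:04:00Z", "user": "carol@think-tank.example", "action": "success", "user_agent": "Mozilla/5.0 (Linux; Android 14) Mobile Safari/537.36"}
{"ts": "2026-01-10T08:30:00Z", "user": "dave@think-tank.example", "action": "success", "user_agent": "Mozilla/5.0 (Linux; Android 14) Mobile Safari/537.36"}
{"ts": "2026-01-10T09:05:00Z", "user": "alice@think-tank.example", "action": "failure", "user_agent": "Mozilla/5.0 (iPhone) Mobile/15E148"}
"""


def parse_jsonl(text: str) -> List[dict]:
    """Load JSON lines and attach an epoch-seconds field 't' from the ISO 'ts'."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).timestamp()
    return events


def is_lure(e: dict) -> bool:
    """Mirror the SPL filter: an image attachment or a PDF (QR codes ride in both)."""
    return (e.get("attachment_type", "").startswith("image/")
            or e.get("attachment_name", "").lower().endswith(".pdf"))


def is_mobile_success(e: dict) -> bool:
    """Successful MFA whose user-agent looks like a phone, where the QR scan happens."""
    ua = e.get("user_agent", "")
    return e.get("action") == "success" and any(m in ua for m in MOBILE_UA_MARKERS)


def correlate(email_events: List[dict], mfa_events: List[dict],
              window: int = WINDOW_SECONDS) -> List[Dict[str, object]]:
    """For each mobile MFA success, find the latest lure delivered to that
    user in the `window` seconds before it. Pairing per MFA event (rather
    than latest-vs-latest per user) avoids missing an earlier hit when the
    same user gets several lures."""
    lures: Dict[str, List[float]] = {}
    for e in email_events:
        if is_lure(e):
            lures.setdefault(e["recipient"], []).append(e["t"])
    hits = []
    for m in mfa_events:
        if not is_mobile_success(m):
            continue
        prior = [t for t in lures.get(m["user"], []) if 0 <= m["t"] - t <= window]
        if prior:
            email_t = max(prior)
            hits.append({"user": m["user"], "email_ts": email_t,
                         "mfa_ts": m["t"], "delta": int(m["t"] - email_t)})
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_jsonl(EMAIL_LOG), parse_jsonl(MFA_LOG)):
        print(f"{hit['user']}: mobile MFA success {hit['delta']}s after lure delivery")
```

In the constructed data only alice pairs: bob's MFA came from a desktop, carol's attachment was plain text, dave's scan was half an hour after delivery, and alice's later iPhone event was a failure. The user-agent markers are deliberately broad; tighten them to your IdP's device fields once you have a baseline.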

 

Hunt for recurring DPRK habits such as specific port reuse (FRP tunnels default to 7000) or open directories served at the web root. Port 443 with a bare "/" path is common legitimate traffic, so baseline the destination list before treating a hit as suspicious.

index=proxy_logs status=200 (dest_port=7000 OR (dest_port=443 AND uri_path="/"))

| stats count by dest_ip, dest_port, uri_path

| where count > 5

Delivery Method

Email spear-phishing campaigns using embedded QR codes to direct users to malicious credential-harvesting sites (quishing).

Email Samples

·       Not applicable

References

IC3 Gov

·       hxxps://www.ic3.gov/CSA/2026/260108.pdf

Info Security Magazine

·       hxxps://www.infosecurity-magazine.com/news/fbi-warns-north-korean-qr-phishing

KnowBe4

·       hxxps://blog.knowbe4.com/north-korean-threat-actor-spreads-malware-via-qr-codes

Virustotal

·       hxxps://www.virustotal.com/gui/file/e0ee7c88a8149d8890b26fd9e1d909859ea895a39ca188d76a96869cff87c93d

·       hxxps://www.virustotal.com/gui/file/bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e

·       hxxps://www.virustotal.com/gui/file/73aab51f08983a2da5286b3a0849f3101ec7b95336898afc797a97d8615a15b3

·       hxxps://www.virustotal.com/gui/file/3af5c9759d95fd6091e665c03406f275fac26afe70db067a785cdc003389efbd

·       hxxps://www.virustotal.com/gui/file/861ad4bbf682b35affda23fab92c8db945f3fa34f78177843c87802d1fd02020
