
Kimsuky QR-phishing campaign distributing DocSwap Android malware

Campaign
Happening score: 38
1 unique source, 1 article

Summary


The Kimsuky operation now uses QR-code phishing to push DocSwap Android malware, raising the risk of mobile compromise for users drawn in by delivery-themed lures. The activity impersonates CJ Logistics and related shipment workflows to trick victims into installing a malicious app. The same infrastructure also overlaps with credential-harvesting pages for Naver and Kakao, showing a broader targeting pattern. The campaign matters because it blends social engineering, mobile malware delivery, and account-theft hooks in one coordinated operation.

Related Happenings

BTMOB phishing campaign targeting Android users in Brazil and beyond

Campaign
First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: The **BTMOB phishing distribution campaign** is pushing **malicious APKs** through **fake app stores**, expanding Android compromise risk across **Brazil and beyond**. Operators l...

Trapdoor Android malvertising and ad-fraud campaign

Campaign
First: 19.05.2026 19:38 Last: 19.05.2026 19:38 Sources 1

About this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...

FakeWallet crypto wallet phishing campaign targeting users in China

Campaign
First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...

Latest development: 24.04.2026 14:48

Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.

Kimsuky QR-code spear-phishing campaign against think tanks and government entities

Campaign
First: 09.01.2026 07:46 Last: 09.01.2026 07:46 Sources 1

About this happening: The **FBI** warned that **Kimsuky (APT43)** is running a **QR-code spear-phishing campaign** that targets **think tanks, academic institutions, and U.S. and foreign government ent...

Wonderland Android SMS stealer activity targeting Uzbekistan

Malware Activity
First: 22.12.2025 08:11 Last: 22.12.2025 08:11 Sources 1

About this happening: The **Wonderland** Android SMS stealer is being spread through **malicious droppers** in attacks targeting **users in Uzbekistan**, enabling **SMS and OTP theft** and bank-card fr...

Timeline

  1. 18.12.2025 09:43 · 2 articles

    Kimsuky QR-phishing campaign pushes DocSwap Android malware

    Initial Disclosure

    Kimsuky is linked to a new QR-code phishing campaign that uses delivery-themed pages mimicking CJ Logistics to lure Android users into installing the DocSwap malware family. The malicious APK decrypts an embedded APK, launches a RAT service, and uses notification pop-ups and fake shipment-tracking and OTP screens to bypass Android warnings. ENKI also identified additional samples disguised as a P2B Airdrop app and a trojanized BYCOM VPN package, plus phishing pages impersonating Naver and Kakao that overlap with a prior Kimsuky credential-harvesting effort.
