Kimsuky QR-code spear-phishing campaign against think tanks and government entities
Campaign
Summary
The FBI warned that Kimsuky (APT43) is running a QR-code spear-phishing campaign that targets think tanks, academic institutions, and U.S. and foreign government entities. The activity was observed in May and June 2025 and uses quishing lures to push victims toward credential-harvesting pages and attacker-controlled infrastructure. The operation matters because it can bypass enterprise defenses and lead to session token theft, MFA bypass, and cloud identity hijacking.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
ShinyHunters school-by-school extortion campaign targeting Canvas institutions
Campaign
First: 11.05.2026 13:05
Last: 11.05.2026 13:05
Sources 1
About this happening:
ShinyHunters intensified a **school-by-school extortion campaign** against **Canvas-related institutions**, increasing pressure on schools and universities as the group threatened...
QR code phishing surged across email threats in Q1 2026
Target Trend
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Timeline
- 09.01.2026 07:46 · 3 articles · 4mo ago
FBI warns of Kimsuky QR-code spear-phishing against think tanks and government entities
Initial Disclosure
The FBI warned that Kimsuky (APT43), a North Korea-affiliated threat group, used embedded malicious QR codes in spear-phishing emails to target think tanks, academic institutions, and U.S. and foreign government entities in 2025. The bureau said it observed the activity several times in May and June 2025, including lures that sent recipients to attacker-controlled landing pages or fake login pages to harvest Google account credentials and support session-token theft, MFA bypass, and cloud identity hijacking.
Sources:
- FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing — thehackernews.com — 09.01.2026 07:46
- FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing — thehackernews.com — 09.01.2026 07:46
- FBI warns about Kimsuky hackers using QR codes to phish U.S. orgs — www.bleepingcomputer.com — 09.01.2026 00:57