Kimsuky Hackers Attacking Users via Weaponized QR Code to Deliver Malicious Mobile App

The North Korean state-linked threat group Kimsuky has expanded its attack methods by distributing dangerous mobile malware through weaponized QR codes, targeting users through sophisticated phishing sites that imitate package delivery services.

Security researchers discovered the malicious campaign in September 2025, when victims received smishing messages with links that redirected them to fake delivery tracking websites hosting QR codes designed to trick users into downloading infected Android applications on their smartphones.

The malware represents the latest version of “DOCSWAP,” a threat first documented earlier in 2025.
Tushar Subhra Dutta

Enki analysts identified the malicious application being distributed from a command and control server located at 27.102.137[.]181, where it impersonated legitimate services like CJ Logistics, auction platforms, VPN apps, and cryptocurrency airdrop authentication systems to deceive victims.

When users access the phishing links from a computer, they see a message stating “For security reasons, you cannot view this page from a PC” along with a QR code.

Scanning this code with a mobile device initiates the download of what appears to be a security app.
