Kimsuky distributes DocSwap malware via QR codes in phishing campaign
North Korean threat group Kimsuky has been linked to a new cyberattack campaign that uses QR codes to distribute a new variant of the DocSwap Android malware. Attackers are using phishing sites that imitate South Korean logistics company CJ Logistics to trick victims. Distribution and Deception Mechanism The campaign targets users of Android mobile devices using a sophisticated social engineering method. The attack process develops as follows: Launch of the Attack: Cybercriminals send smishing messages (phishing SMS) or emails impersonating package delivery companies to trick recipients into clicking on malicious URLs. Redirection with QR Codes: Victims who access the fraudulent URLs from a desktop computer are redirected to a page that asks them to scan a QR code with their Android device. This QR code leads to the download of the malicious application. Social Engineering to Outwit Warnings: The phishing site claims that the installation of a supposed tracking application is necessary to verify identity due to “international customs security policies.” This tactic seeks to convince victims to ignore Android security warnings about installing apps from unknown sources. DocSwap Malware Technical Analysis Analysis by South Korean cybersecurity company ENKI reveals that the new DocSwap variant features evolved capabilities: ...