North Korean Hackers Use Weaponized QR Codes to Spread Malware

The North Korean state-linked hacker group known as Kimsuky has expanded its cyberattack strategies to include the distribution of malicious mobile software via weaponized QR codes. These attacks are specifically targeting users through sophisticated phishing sites designed to mimic package delivery services.

The Emergence of QR-Based Malware

Security experts first uncovered this malicious campaign in September 2025. Users were lured by messages that redirected them to fraudulent delivery tracking websites. These sites hosted QR codes intended to deceive users into downloading infected Android applications onto their smartphones.

The Evolution of DOCSWAP Malware

This campaign delivers the latest version of the malware known as “DOCSWAP,” an evolution of threats documented earlier in 2025. The new variant adds enhanced capabilities, including advanced decryption functions and more dynamic decoy behaviors.

The Attack Path

According to analysts, the malicious application is distributed from a command and control server, masquerading as legitimate services such as CJ Logistics, auction platforms, VPN apps, and cryptocurrency airdrop authentication systems. The attack begins when users access these phishing links from a computer, which displays a notice: "For security reasons, you cannot view this page from a PC," accompanied by a QR code.

Scanning this QR code with a mobile device triggers the download of what initially appears to be a legitimate security app. However, when accessed directly from an Android device, the user encounters fake security scanning screens and is prompted to install an application for authentication.

Stealthy Infection Mechanisms

The malicious app employs Base64-encoded URLs and server-side logic to serve different content based on the user’s device type, thus complicating detection processes. Once installed, the app requests extensive permissions, including access to files, phone, SMS, and location data.

The APK file downloaded, termed “SecDelivery.apk,” contains an encrypted APK within its resources, stored as “security.dat.” Unlike its predecessors, which employed Java-based XOR decryption, this variant utilizes a native library called “libnative-lib.so” for decryption.

Persistence and Control

The malware secures persistence through a sophisticated service registration process. After decryption, the app activates SplashActivity, which loads encrypted resources, seeks necessary permissions, and registers a malicious service named MainService. To ensure continued operation, the malware configures intent filters that trigger MainService whenever the device reboots or connects to power.

The AndroidManifest.xml file specifies these triggers as “android.intent.action.BOOT_COMPLETED,” “android.intent.action.ACTION_POWER_CONNECTED,” and “android.intent.action.ACTION_POWER_DISCONNECTED.”
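The manifest triggers above are something an analyst can check for mechanically when triaging a suspicious APK. The following is an added example, not code from the article or its researchers: it parses a decoded AndroidManifest.xml and flags components registered on the boot and power-state actions the article names, any accessibility-service binding (which the keylogger relies on), and the sensitive permissions discussed. The manifest embedded below is constructed for illustration and is not the real sample's manifest; the component names other than MainService and SplashActivity are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Persistence actions named in the article's description of the manifest.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
# Intent action an accessibility service must declare to be bound by the OS.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Permissions matching the data the malware collects (SMS, location, calls, contacts, audio).
SENSITIVE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
}

def triage_manifest(xml_text):
    """Return persistence hooks, accessibility bindings and sensitive permissions found."""
    root = ET.fromstring(xml_text)
    findings = {"persistence": [], "accessibility": [], "sensitive_permissions": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SENSITIVE_PERMS:
            findings["sensitive_permissions"].append(name)
    # Check both services and receivers: either may carry the intent filters.
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        cname = comp.get(ANDROID_NS + "name", "?")
        for action in comp.iter("action"):
            aname = action.get(ANDROID_NS + "name", "")
            if aname in PERSISTENCE_ACTIONS:
                findings["persistence"].append((cname, aname))
            elif aname == ACCESSIBILITY_ACTION:
                findings["accessibility"].append(cname)
    return findings

def is_suspicious(findings):
    """Flag when a boot/power-triggered component coexists with keylogging or data-theft capability."""
    return bool(findings["persistence"]) and bool(
        findings["accessibility"] or findings["sensitive_permissions"])

# Constructed sample manifest (illustrative only, not the real SecDelivery.apk manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><activity android:name=".SplashActivity"/>
    <service android:name=".MainService"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
    </intent-filter></service>
    <service android:name=".KeyService"><intent-filter>
      <action android:name="android.accessibilityservice.AccessibilityService"/>
    </intent-filter></service>
  </application></manifest>"""
```

Run against a manifest decoded with apktool or a similar tool; the combination of boot/power triggers plus an accessibility binding is the pattern worth escalating.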

Deceptive Authentication Screens

The application presents a convincing fake authentication screen, prompting users to input a delivery tracking number and verification code. The phishing message includes a hardcoded delivery number “742938128549.” Upon authentication, the app displays the official delivery tracking website through a webview, misleading users into believing they have installed a legitimate application while the malicious service operates silently in the background.

Comprehensive Device Control

The embedded malware supports 57 commands, enabling extensive device control. It communicates with the command and control server using a format that incorporates length headers, null bytes, and Gzip-compressed payloads. The malware's command parsing logic uses “10249” as a delimiter, enabling it to perform actions such as audio and video recording, file management, location tracking, call log collection, contact list theft, SMS interception, remote command execution, and live keylogging.

The keylogger functions via Android’s Accessibility Service, capturing app icons, package names, event text, and timestamps, which are then compressed and Base64-encoded before being transmitted.

Connections to Previous Campaigns

Researchers identified links between this campaign and earlier Kimsuky operations, sharing infrastructure such as the distinctive “Million OK” string found on command and control servers. Korean-language comments embedded in the HTML code and error messages further associate the activity with North Korean threat actors.

This campaign highlights the ongoing evolution of mobile threats, exploiting smartphones that store sensitive financial and personal information. As hackers continue to innovate, it becomes more crucial than ever to remain vigilant and informed about potential digital threats.

It is critical to verify sources before scanning QR codes and to maintain updated security measures on all devices.