North Korean state-linked threat group Kimsuky is employing a new tactic to deliver mobile malware, weaponizing QR codes within sophisticated phishing sites that impersonate package delivery services. This evolution in their attack vectors, discovered in September 2025, aims to trick users into downloading malicious Android applications onto their smartphones, posing a significant threat to personal and financial data.
Security researchers detailed the campaign, which involves smishing messages containing links that redirect users to fraudulent delivery tracking websites. These sites then present QR codes, designed to prompt unauthorized app downloads. The malware itself is identified as the latest iteration of “DOCSWAP,” first documented earlier in 2025, now featuring enhanced decryption capabilities and more evasive decoy behaviors.
Kimsuky’s Evolving QR Code Attack Campaign
The malicious campaign observed in September 2025 leverages weaponized QR codes as a primary delivery mechanism for mobile malware. Threat actors associated with the Kimsuky group are distributing these codes through phishing websites designed to mimic legitimate package delivery services. This strategy exploits users' trust in, and sense of urgency about, package tracking so that they unwittingly compromise their own devices.
The attack flow begins with users receiving smishing messages, which are essentially SMS-based phishing attempts. These messages contain malicious links that, when clicked, redirect the user to a fake delivery tracking website. Upon visiting these fraudulent sites, users are presented with QR codes.
When accessed from a computer, the fake delivery sites display a message indicating that the page cannot be viewed from a PC and present a QR code. This QR code is intended to be scanned by a mobile device.
Scanning the QR code with a smartphone initiates the download of an application disguised as a security enhancement or a required update. The malicious application is named “SecDelivery.apk.”
Alternatively, accessing the same phishing link directly from an Android device bypasses the QR code step and directly displays fake security scanning screens. These screens then prompt the user to install a seemingly legitimate “security app” to complete a fraudulent authentication process.
The malware utilizes Base64-encoded URLs and server-side logic that dynamically serves different content based on the user’s device type. This adaptability makes automated detection and analysis more challenging for security researchers.
Once the malicious application is installed, it begins its multi-stage operation. The first step involves requesting extensive permissions from the user. These permissions include access to files, the phone’s call logs, SMS messages, and location data, granting the malware significant control over the device.
DOCSWAP Malware: Enhanced Capabilities
The core of the malware, contained within the “SecDelivery.apk” file, holds an encrypted APK stored as “security.dat” within its resources. Unlike previous versions of DOCSWAP that relied on Java techniques for decryption, this new variant employs a native library, “libnative-lib.so,” to decrypt the embedded malicious payload.
This native decryption process is sophisticated and involves three distinct steps. First, it inverts every bit of each byte (a bitwise NOT). Next, it rotates each resulting byte left by 5 bits. Finally, it XORs the bytes with a specific 4-byte key, identified as 541161FE in hexadecimal representation.
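To make the three-step routine concrete, here is an added Python re-implementation (not code from the report, and not the malware's own native library) that an analyst could use to unpack a security.dat-style blob offline and then check for the ZIP local-file header every APK must begin with. It assumes the key 541161FE is applied as the byte sequence 54 11 61 FE, cycled across the buffer, and that the rotation acts on each byte independently; the sample blob is constructed here, with the inverse routine included only to build it.

```python
# Added example: re-implementation of the NOT -> ROL5 -> XOR sequence the
# report attributes to libnative-lib.so. Key byte order and cycling are
# assumptions; the article names only the 4-byte value 541161FE.
KEY = bytes.fromhex("541161FE")  # 4-byte XOR key named in the report
ZIP_MAGIC = b"PK\x03\x04"        # local-file header that starts a valid APK

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF

def decrypt_blob(data: bytes, key: bytes = KEY) -> bytes:
    """Step 1: invert every bit; step 2: rotate left 5; step 3: XOR with the cycled key."""
    out = bytearray()
    for i, b in enumerate(data):
        b = (~b) & 0xFF                 # bitwise NOT of the byte
        b = rol8(b, 5)                  # 5-bit left rotation
        b ^= key[i % len(key)]          # XOR with the 4-byte key, repeated
        out.append(b)
    return bytes(out)

def encrypt_blob(data: bytes, key: bytes = KEY) -> bytes:
    """Exact inverse of decrypt_blob, used here only to build a labelled test fixture."""
    out = bytearray()
    for i, b in enumerate(data):
        b ^= key[i % len(key)]
        b = ror8(b, 5)
        b = (~b) & 0xFF
        out.append(b)
    return bytes(out)

def looks_like_apk(blob: bytes) -> bool:
    """Sanity check an analyst would run after decryption: APKs are ZIP archives."""
    return blob[:4] == ZIP_MAGIC

# Constructed sample: a fake "security.dat" wrapping a ZIP-like header (not real malware data)
SAMPLE_PLAINTEXT = ZIP_MAGIC + b"\x14\x00\x00\x00" + b"constructed sample payload"
SAMPLE_SECURITY_DAT = encrypt_blob(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = decrypt_blob(SAMPLE_SECURITY_DAT)
    print("decrypted header valid:", looks_like_apk(recovered))
```

If a real resource decrypts to something other than a PK header, the most likely culprits are the assumed key byte order or a rotation that operates on wider words than a single byte.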
Infection Mechanism and Persistence
The malware establishes persistence on the infected device through a carefully designed service registration process. After the decryption of the embedded APK, the application launches its “SplashActivity.” This activity is responsible for loading encrypted resources, initiating the request for necessary system permissions, and crucially, registering a malicious service named “MainService.”
To ensure continuous operation and maintain its presence, the malware configures specific “intent filters” within its AndroidManifest.xml file. These filters are engineered to automatically launch the “MainService” without explicit user interaction. The triggers for this automatic execution are set to activate when the device reboots or when it connects to or disconnects from a power source.
The specific intent actions defined for persistence are “android.intent.action.BOOT_COMPLETED,” indicating execution upon system startup, and “android.intent.action.ACTION_POWER_CONNECTED” and “android.intent.action.ACTION_POWER_DISCONNECTED,” which ensure the service remains active during power events.
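As an added example (not from the report), the following Python triage parses a decoded AndroidManifest.xml and flags any service or receiver wired to the three auto-start actions above, alongside the broad permission set the article lists; the manifest is constructed for illustration, and the package and component names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERSISTENCE_ACTIONS = {  # the three triggers named in the report
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
SENSITIVE_PERMISSIONS = {  # files, call logs, SMS and location, per the report
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest: package and component names are hypothetical
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".MainService">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    """Report components with auto-start triggers and the sensitive permissions requested."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    flagged = {}
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
        hits = sorted(actions & PERSISTENCE_ACTIONS)
        if hits:
            flagged[comp.get(ANDROID_NS + "name")] = hits
    return {
        "auto_start_components": flagged,
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        # simple heuristic: auto-start plus two or more sensitive permissions
        "suspicious": bool(flagged) and len(perms & SENSITIVE_PERMISSIONS) >= 2,
    }
```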
Following the persistence mechanisms, the application presents a convincing fake authentication screen to the user. This screen simulates a legitimate delivery tracking process, prompting the user to enter a delivery tracking number and a verification code. The initial phishing message often includes a hardcoded delivery number, such as “742938128549,” to lend an air of authenticity.
Upon the user entering the requested information, the app proceeds to display the official delivery tracking website through an embedded webview. This visual deception leads users to believe they have installed a legitimate application, while the malicious “MainService” operates silently in the background, collecting data and executing commands.
The embedded Remote Access Trojan (RAT) within the malware supports an extensive set of 57 commands. These commands allow the attackers to gain comprehensive control over the compromised device. Communication with the command and control (C2) server is conducted using a specific data format that includes length headers, null bytes, and Gzip-compressed payloads for efficiency.
The command parsing logic employed by the malware utilizes “10249” as a delimiter. This enables the malware to perform a wide range of malicious actions, including audio and video recording, extensive file management, precise location tracking, collection of call logs, theft of contact lists, interception of SMS messages, remote command execution, and live keylogging.
The keylogging functionality is implemented using Android’s Accessibility Service, a powerful API that allows applications to intercept user interactions. This service captures critical information such as app icons, package names, event text, and timestamps. All captured data is then compressed and Base64-encoded before being transmitted to the C2 server.
Evidence linking this campaign to previous Kimsuky operations includes shared infrastructure. Researchers identified a distinctive string, “Million OK !!!!”, present on the root directory of the group’s command and control servers, which has been observed in past Kimsuky activities.
Furthermore, the presence of Korean-language comments embedded within the HTML code and in error messages provides additional strong indicators connecting this activity directly to North Korean threat actors.
This campaign highlights Kimsuky’s ongoing adaptation and sophistication in developing and deploying mobile threats. By targeting smartphones, which are repositories of sensitive financial and personal information, the group aims to maximize the impact of their attacks and facilitate espionage or financial theft.
The observed trend suggests that Kimsuky will likely continue to refine its mobile attack methodologies, potentially exploring new social engineering tactics and malware capabilities to circumvent existing security measures. Users are advised to remain vigilant against unsolicited messages and to only download applications from trusted sources.