In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Kimsuky Deploys QR-Based Android Malware in Expanding Mobile Espionage Campaign

A North Korea–aligned threat actor tracked as Kimsuky has launched a sophisticated Android malware campaign using QR codes and phishing infrastructure impersonating CJ Logistics.

The operation distributes a new Android remote access trojan (RAT) variant known as DocSwap, capable of full device surveillance and data exfiltration.

The campaign highlights a growing shift toward mobile-first espionage tactics that blend social engineering, legitimate branding abuse, and advanced malware delivery mechanisms.

Context

Kimsuky is a long-running North Korean cyber-espionage group historically focused on credential theft, surveillance, and intelligence collection, particularly in South Korea.

While previously centered on Windows malware and email phishing, recent activity shows a clear expansion into mobile platforms, aligning with increased reliance on smartphones for sensitive communications and authentication.

What Happened

According to South Korean cybersecurity firm ENKI, attackers created phishing websites that mimic CJ Logistics shipment tracking pages.

Victims are lured via smishing texts or phishing emails and directed to these sites, where desktop visitors are prompted to scan a QR code using their Android device.

The QR code redirects users to download a fake delivery-tracking application, presented as a required “security module” to comply with international customs policies.

Technical Breakdown

Once installed, the malicious app downloads and decrypts an embedded encrypted APK, loading the DocSwap RAT in memory.

Before execution, the malware requests extensive permissions, including storage access, package installation rights, internet access, and system services.

The app displays a convincing OTP-style verification screen using a hard-coded delivery number, then redirects users to the legitimate CJ Logistics website to reduce suspicion.

In the background, the RAT connects to an attacker-controlled server and supports dozens of commands, including keystroke logging, audio recording, camera access, file operations, SMS harvesting, contact theft, location tracking, and command execution.
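The dropper behaviour described above (an innocuous-looking app that asks for an implausible set of permissions, ships an opaque encrypted payload, and needs network and package-installation rights to stage a second APK) is the kind of pattern a defender can screen for statically before dynamic analysis. The following Python is an added example written for this page, not ENKI's tooling or any DocSwap artifact: it parses an AndroidManifest.xml for the permission categories the report lists and flags bundled assets whose byte entropy is high enough to suggest an encrypted blob. The permission strings are real Android identifiers; the grouping, the 7.5-bit entropy threshold, the package name, and the sample manifest and assets are all constructed assumptions for illustration.

```python
# Added example: static triage heuristic for a suspected Android dropper.
# Not from ENKI's report or the original page; all sample data is constructed.
import hashlib
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the category grouping is this example's own.
# A delivery-tracking app has no reason to request these together.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "package installation",
    "android.permission.INTERNET": "internet",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(manifest_xml: str, assets: dict, entropy_threshold: float = 7.5) -> dict:
    """Score a manifest plus bundled assets (name -> bytes) for dropper-like traits.

    Returns the suspicious permission categories found, the assets that look
    encrypted, and whether the combination matches the 'download, decrypt,
    load a second APK' pattern: installer rights + network + an opaque blob.
    """
    perms = requested_permissions(manifest_xml)
    flagged = sorted({SUSPICIOUS_PERMISSIONS[p] for p in perms if p in SUSPICIOUS_PERMISSIONS})
    opaque = sorted(
        name for name, blob in assets.items()
        if len(blob) >= 256 and shannon_entropy(blob) >= entropy_threshold
    )
    dropper_like = (
        "package installation" in flagged and "internet" in flagged and bool(opaque)
    )
    return {"permissions": flagged, "opaque_assets": opaque, "dropper_like": dropper_like}


# Constructed sample manifest (hypothetical package name, not a real IoC).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakedelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Delivery Tracker"/>
</manifest>"""

# Constructed assets: a deterministic pseudo-random blob standing in for an
# encrypted payload, and a low-entropy text file as a benign control.
SAMPLE_ASSETS = {
    "payload.bin": b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
    ),
    "tracking.html": b"<html>shipment tracking placeholder</html>\n" * 40,
}


def run_sample() -> dict:
    """Triage the constructed sample; expected to report dropper_like=True."""
    return triage(SAMPLE_MANIFEST, SAMPLE_ASSETS)


if __name__ == "__main__":
    print(run_sample())
```

The heuristic is deliberately conservative: a single permission or a single compressed asset is not evidence on its own, so the verdict only fires when installer rights, network access, and an opaque blob coincide. A false positive is cheap at this stage (the APK goes to a sandbox), whereas alerting on entropy alone would flag every app that bundles images or compressed databases.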

Impact Analysis

Compromised devices effectively become real-time surveillance tools under attacker control.

The use of QR codes and legitimate branding lowers technical barriers for infection and bypasses traditional mobile security awareness cues.

ENKI also identified trojanized versions of legitimate apps, including a modified VPN application originally published on Google Play, suggesting supply-chain style repackaging tactics.

Why It Matters

This campaign demonstrates how mobile malware is evolving to exploit user trust, cross-device workflows, and modern delivery behaviors.

QR-based redirection bypasses many traditional phishing defenses, while Android’s permission fatigue increases the likelihood of successful installation.

The activity also underscores North Korea’s continued investment in blended cyber-espionage and financial operations using mobile platforms as entry points.

Expert Commentary

ENKI notes that DocSwap represents an evolution in Kimsuky’s tooling, combining native APK decryption, layered decoys, and expanded RAT functionality.

Further reporting links Kimsuky to broader North Korean cyber operations coordinated with the Lazarus Group, reinforcing assessments of shared infrastructure and intelligence pipelines across state-aligned clusters.

Key Takeaways

  • Kimsuky is actively expanding into Android-based espionage operations

  • QR codes are being abused as stealthy malware delivery mechanisms

  • DocSwap grants attackers full surveillance and remote control capabilities

  • Legitimate brands and apps are repackaged to bypass user suspicion

  • Mobile devices remain a high-value, under-defended attack surface
