The notorious North Korean threat group Kimsuky has launched a renewed mobile offensive, deploying an evolved version of the “DOCSWAP” malware to turn smartphones into pocket-sized surveillance tools. A new investigation by the ENKI WhiteHat Threat Research Team reveals that the group is now using QR codes and “smishing” tactics to bypass defenses and install a sophisticated Remote Access Trojan (RAT).
First identified in March 2025, DOCSWAP has resurfaced with dangerous new upgrades. In September 2025, researchers detected the malware being distributed via phishing websites, where attackers “leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices.”
While the malware retains the core behavioral patterns of its predecessors, the underlying mechanics have shifted. The latest iteration is not just a copy-paste job; it features a significant technical overhaul designed to hinder analysis.
“The threat actor added a new native decryption function and diversified the decoy behavior,” the report states.

Once executed, the malicious app doesn’t immediately reveal its true nature. It works silently in the background to decrypt an embedded, encrypted APK, subsequently launching a service that provides RAT capabilities. This allows the attackers to potentially steal files, monitor activity, and exfiltrate data without the user’s knowledge.
Attributing cyberattacks is often a game of shadows, but in this case, the operators left distinct fingerprints pointing back to the DPRK-nexus group.
The investigation uncovered a “smoking gun” on the command-and-control (C&C) infrastructure: a specific text string.
“The ‘Million OK!!!’ string identified on the C&C server, along with proxy servers and victim data storage formats resembling recent Kimsuky phishing attacks, provides strong evidence for this attribution.”
Further strengthening the link, researchers found linguistic clues embedded in the attack infrastructure. “Korean comments and error messages found on the distribution sites indicate the connection to a DPRK-nexus threat actor.”
The report highlights a growing trend of attackers targeting mobile devices as primary intelligence sources. With smartphones holding everything from financial credentials to personal communications, they have become high-value targets.
Users are advised to be wary of scanning unknown QR codes and to avoid downloading applications from third-party websites, especially those prompted by unsolicited text messages.