A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware.

"These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read said. "The used methods enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure."

The Google-owned cloud security company is tracking the activity under the moniker JINX-0164. The threat actor is assessed to be active since at least mid-2025 and motivated by financial gain, targeting developers through recruitment-themed and other social engineering techniques to siphon cryptocurrencies. In at least one case, the adversary is said to have carried out a supply chain attack.

In the attack chain documented by Wiz, JINX-0164 has been found to leverage credible LinkedIn profiles to approach victims and offer a virtual meeting. The meeting invite is designed to steer the target to a rogue domain that masquerades as a teleconference provider.

From there, victims are tricked into downloading and executing a malicious file disguised as the meeting client. This, in turn, triggers the retrieval of a Python-based macOS infostealer and remote access trojan codenamed AUDIOFIX using a bash script hosted on a fake driver store domain ("apple.driver-store[.]com").

"The [bash] script downloaded an architecture-aware payload from the same domain, compatible with both Intel and Apple Silicon systems. The payload masquerades as a system audio driver named coreaudiod, was saved as ChromeUpdater, and was executed via launchctl," Wiz said.
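A defender-side check for the persistence pattern quoted above, added here as an example and not taken from Wiz's report: it parses launchd job plists and flags jobs whose executable borrows a system-daemon name (coreaudiod) or an updater name (ChromeUpdater) while living outside system directories or inside user-writable paths. The labels, paths and plist contents are constructed samples, not indicators from the campaign.

```python
import plistlib

# Directories where genuine macOS system daemons live; the real audio daemon is /usr/sbin/coreaudiod.
SYSTEM_PREFIXES = ("/System/", "/usr/sbin/", "/usr/libexec/", "/usr/bin/", "/sbin/", "/bin/")
# User-writable places a dropped payload typically ends up.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
# Names the article reports the payload borrowing (compared case-insensitively).
DISGUISE_NAMES = {"coreaudiod", "chromeupdater"}

def program_path(job: dict) -> str:
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def assess_job(job: dict) -> list:
    """Reasons a launchd job resembles disguised persistence; an empty list means no finding."""
    path = program_path(job)
    if not path:
        return ["job has no executable path"]
    name = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if name in DISGUISE_NAMES and not path.startswith(SYSTEM_PREFIXES):
        reasons.append(f"reported disguise name outside system directories: {path}")
    if path.startswith(USER_WRITABLE):
        reasons.append(f"executable in user-writable location: {path}")
    if reasons and job.get("RunAtLoad"):
        reasons.append("RunAtLoad set: starts automatically at login/boot")
    return reasons

def scan_plists(blobs: list) -> dict:
    """Parse launchd plists (bytes) and map each flagged Label to its reasons."""
    findings = {}
    for blob in blobs:
        job = plistlib.loads(blob)
        reasons = assess_job(job)
        if reasons:
            findings[job.get("Label", "<no label>")] = reasons
    return findings

def _plist(label: str, program: str, run_at_load: bool) -> bytes:
    """Build a constructed sample plist (test data, not a real capture)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": [program], "RunAtLoad": run_at_load})

# Constructed samples: the genuine audio daemon, then two jobs shaped like the reported disguise.
SAMPLES = [
    _plist("com.apple.audio.coreaudiod", "/usr/sbin/coreaudiod", True),
    _plist("com.example.chromeupdater", "/Users/dev/Library/Application Support/ChromeUpdater", True),
    _plist("com.example.audio", "/Users/dev/.local/coreaudiod", False),
]

if __name__ == "__main__":
    for label, reasons in scan_plists(SAMPLES).items():
        print(label, "->", "; ".join(reasons))
```

On a live host the same functions can be fed the contents of ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons instead of SAMPLES.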

The Python malware is then used to steal sensitive data from the compromised endpoint, move laterally to internal code distribution systems and development infrastructure by injecting the AUDIOFIX payload, and modify source code in an attempt to compromise other endpoints and steal cryptocurrency wallet credentials.

The captured data includes credentials from password managers, web browsers, and iCloud Keychain files; local admin credentials; SSH keys; configuration files; console history files; cryptocurrency browser extension information; cryptocurrency wallet addresses; and active Discord, Slack, and Telegram sessions.

Besides information theft, AUDIOFIX supports several commands that allow manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval from an external server.

JINX-0164 has also been observed targeting software developers by impersonating recruiters, while employing the same social engineering technique: using a job opportunity ploy to set up a meeting that displays a fake technical error and instructs the victim to download a "fix" that leads to malware installation.

Another key component of the threat actor's arsenal is MiniRAT, a Go-based backdoor that was previously distributed via a compromised version of an npm package named @velora-dex/sdk, a legitimate DeFi toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform.

Per details shared by SafeDep and StepSecurity last month, the poisoned version downloaded a shell script from a remote server, which then delivered a macOS-specific binary called MiniRAT. The malware is equipped to upload files, run arbitrary shell commands, and fetch additional payloads or tools from attacker-controlled domains.

It's worth noting that some aspects of the campaign, coupled with the use of VPN services like Astrill VPN and the focus on cryptocurrency and developers, are reminiscent of those used by multiple North Korean threat clusters such as BlueNoroff, Contagious Interview, and UNC1069. However, Wiz said there are no infrastructure overlaps connecting JINX-0164 to Pyongyang at this stage.

"Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups," Wiz said.