
JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

Ravie Lakshmanan | May 28, 2026 | Supply Chain Attacks / Malware

A new campaign organized by a previously undocumented threat actor is targeting cryptocurrency organizations with the aim of stealing digital assets, using recruitment-themed social engineering and bespoke macOS malware.

“These campaigns used sophisticated social engineering techniques, macOS malware, and deep targeting of CI/CD infrastructure,” said Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read. “The methods used enabled the threat actor to move from vulnerable employee laptops to code distribution systems and development infrastructure.”

Wiz, Google’s cloud security company, tracks the activity under the moniker JINX-0164. The threat actor is assessed to have been active since at least mid-2025 and to be financially motivated, targeting developers with recruitment themes and other social engineering techniques in order to steal funds. In at least one case, the adversary is said to have carried out a supply chain attack.

In a series of attacks documented by Wiz, JINX-0164 was found to be using trusted LinkedIn profiles to contact victims and propose a virtual meeting. The meeting invitation is designed to direct the target to a malicious domain masquerading as a conferencing provider.

From there, victims are tricked into downloading and installing a program. This, in turn, leads to the deployment of a Python-based macOS infostealer and remote access trojan called AUDIOFIX by means of a bash script hosted on the fake driver-store domain (“apple.driver-store[.]com”).

“The [bash] script downloaded the architecture-aware payload from the same domain, which works with both Intel and Apple Silicon systems. The payload masquerades as a system audio driver named coreaudiod, saved as ChromeUpdater, and executed via launchctl,” Wiz said.
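Defenders can hunt for the persistence pattern described above (a payload named after coreaudiod, stored under a ChromeUpdater path, loaded through launchctl) by inspecting launchd property lists in LaunchAgents and LaunchDaemons folders. The following Python is an added example, not code from Wiz or from the article; the two plist documents are constructed samples, and /usr/sbin/coreaudiod is assumed to be the legitimate daemon location on a standard macOS install.

```python
import os
import plistlib
from typing import List, Optional

# Real location of the macOS audio daemon the payload impersonated
# (assumption: a standard macOS install; adjust if your fleet differs).
KNOWN_SYSTEM_BINARIES = {"coreaudiod": "/usr/sbin/coreaudiod"}
# Name the article reports the payload being saved under.
REPORTED_ARTEFACT_NAMES = ("chromeupdater",)

def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd plist will run, if any."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else None

def assess_launchd_plist(data: bytes) -> List[str]:
    """Return reasons a launchd plist looks like a masquerading persistence item."""
    plist = plistlib.loads(data)
    path = program_path(plist)
    if not path:
        return []
    reasons = []
    base = os.path.basename(path).lower()
    label = str(plist.get("Label", "")).lower()
    # A well-known daemon name that runs from anywhere but its real location.
    expected = KNOWN_SYSTEM_BINARIES.get(base)
    if expected and path != expected:
        reasons.append(f"{base} runs from non-system path {path}")
    # Label or program path containing the artefact name the campaign used.
    for name in REPORTED_ARTEFACT_NAMES:
        if name in label or name in path.lower():
            reasons.append(f"name matches reported artefact '{name}'")
    return reasons

# Constructed sample mimicking the reported persistence item (not a real capture).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>ProgramArguments</key>
  <array><string>/Users/dev/Library/ChromeUpdater/coreaudiod</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
# Constructed benign entry that points at the genuine daemon.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.apple.coreaudiod</string>
<key>Program</key><string>/usr/sbin/coreaudiod</string></dict></plist>"""
```

Running assess_launchd_plist over every .plist under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons gives a quick triage list; an empty result for a file means none of these heuristics fired, not that the file is clean.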

The Python malware was then used to steal sensitive data from the compromised endpoint and, later, to reach internal code distribution systems and development infrastructure by deploying the AUDIOFIX payload and modifying source code in an attempt to compromise other endpoints and steal cryptocurrency wallet credentials.

Captured data includes credentials from password managers, web browsers, and iCloud Keychain files; property manager information; SSH keys; configuration files; console history files; information on cryptocurrency browser extensions; cryptocurrency wallet addresses; and active sessions for Discord, Slack, and Telegram.

In addition to data theft, AUDIOFIX supports several commands that allow manual data collection, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval from an external server.

JINX-0164 has also been seen targeting software developers by posing as employers, using a similar social engineering technique: a job opportunity serves as the pretext for setting up a meeting, during which a fake technical error is displayed and the victim is instructed to download a “fix” that leads to the installation of malware.

Another important part of the threat actor’s arsenal is MiniRAT, a Go-based backdoor that was at one point distributed via a malicious version of an npm package called @velora-dex/sdk, the official DeFi toolkit used for token exchange, limit orders, and delta trading on the VeloraDEX exchange platform.

According to information shared by SafeDep and StepSecurity last month, the malicious version downloaded a shell script from a remote server, which then delivered a macOS-specific binary called MiniRAT. The malware is equipped to upload files, execute arbitrary shell commands, and download additional payloads or tools from attacker-controlled domains.

It is noteworthy that some aspects of the campaign, such as the use of VPN services like Astrill VPN and the focus on cryptocurrency and developers, are reminiscent of several North Korea-linked threat groups such as BlueNoroff, Contagious Interview, and UNC1069. However, Wiz said there is no infrastructure overlap linking JINX-0164 to Pyongyang at this time.

“Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164’s infrastructure has no overlap with other publicly tracked North Korean groups,” Wiz said.
