JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
Ravie LakshmananMay 28, 2026Supply Chain Attack / Malware
A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware.
"These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read said. "The used methods enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure."
The Google-owned cloud security company is tracking the activity under the moniker JINX-0164. The threat actor is assessed to be active since at least mid-2025 and motivated by financial gain, targeting developers through recruitment-themed and other social engineering techniques to siphon cryptocurrencies. In at least one case, the adversary is said to have carried out a supply chain attack.
In the attack chain documented by Wiz, JINX-0164 has been found to leverage credible LinkedIn profiles to approach victims and offer a virtual meeting. The meeting invite is designed to steer the target to a rogue domain that masquerades as a teleconference provider.
From there, victims are tricked into downloading and executing a malicious file disguised as the meeting client. This, in turn, triggers the retrieval of a Python-based macOS infostealer and remote access trojan codenamed AUDIOFIX using a bash script hosted on a fake driver store domain ("apple.driver-store[.]com").
"The [bash] script downloaded an architecture-aware payload from the same domain, compatible with both Intel and Apple Silicon systems. The payload masquerades as a system audio driver named coreaudiod, was saved as ChromeUpdater, and was executed via launchctl," Wiz said.
The Python malware is then leveraged to steal sensitive data from the compromised endpoint, laterally move to internal code distribution systems and development infrastructure by injecting the AUDIOFIX payload, and modify source code in an attempt to compromise other endpoints and steal cryptocurrency wallet credentials.
The captured data includes credentials from password managers, web browsers, and iCloud Keychain files; local admin credentials; SSH keys; configuration files; console history files; cryptocurrency browser extensions information; cryptocurrency wallet addresses; and active Discord, Slack, and Telegram sessions.
Besides information theft, AUDIOFIX supports several commands that allow manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval from an external server.
JINX-0164 has also been observed targeting software developers by impersonating recruiters, while employing the same social engineering technique: using a job opportunity ploy to set up a meeting that displays a fake technical error and instructs the victim to download a "fix" that leads to malware installation.
Another key component of the threat actor's arsenal is MiniRAT, a Go-based backdoor that was previously distributed via a compromised version of an npm package named @velora-dex/sdk, a legitimate DeFi toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform.
Per details shared by SafeDep and StepSecurity last month, the poisoned version downloaded a shell script from a remote server, which then delivered an macOS-specific binary called MiniRAT. The malware is equipped to upload files, run arbitrary shell commands, and fetch additional payloads or tools from attacker-controlled domains.
It's worth noting that some aspects of the campaign, coupled with the use of VPN services like Astrill VPN and the focus on cryptocurrency and developers, are reminiscent of those used by multiple North Korean threat clusters such as BlueNoroff, Contagious Interview, and UNC1069. However, Wiz said there are no infrastructure overlaps connecting JINX-0164 to Pyongyang at this stage.
"Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups," Wiz said.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet Share Share Share
SHARE cryptocurrency, cybersecurity, Infostealer, MacOS, Malware, NPM, Remote Access Trojan, Social Engineering, Supply Chain Attack
⚡ Top Stories This Week
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective
The New Phishing Click: How OAuth Consent Bypasses MFA
Developer Workstations Are Now Part of the Software Supply Chain
⭐ Featured Resources
Claim ANY.RUN Anniversary Offer for Faster Malware Analysis
[Guide] Learn to Detect AI Typosquatting Risks in Your Domain
[Guide] Get Key Identity Security Insights From 2026 Snapshot
Discover How to Navigate the Era of Constant Cyber Exposure
Cybersecurity Webinars
With HD Moore (Creator of Metasploit) Learn How to Detect Threats Beyond Zero Day Attacks Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities. Register
Tired of False Positives? Validate Automated Pentesting Results Before Acting Learn how to validate automated pentesting results for accurate security decisions. Register
⚡ Latest News
Cybersecurity Resources
AI Is Reshaping Every Attack Surface. Train for What's NextSANSFIRE 2026 in D.C. brings 50+ courses, AI-focused sessions, and NetWars. July 13–18. Save $500. Your VPN is Helping Attackers Move as Fast as AIAI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk ManagementLead the future of cybersecurity risk management with an online Master’s from Georgetown.
Expert Insights Articles Videos
You Can't Patch Your Way Out of This One
May 25, 2026 Read ➝
How to Test Ransomware Recovery Without Reinfecting Your Environment
May 25, 2026 Read ➝
The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans
May 25, 2026 Read ➝
7 Signs Your Organization Is Vulnerable to Business Email Compromise
May 18, 2026 Read ➝
Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.