JINX-0164 — macOS Malware and Fake Recruiter Lures Targeting Cryptocurrency Firms
JINX-0164 targets cryptocurrency organizations with recruitment-themed social engineering, custom macOS malware (AUDIOFIX, MiniRAT), and lateral movement into CI/CD infrastructure for digital asset theft.
Summary
Wiz security researchers have identified JINX-0164, a financially motivated threat actor active since at least mid-2025, targeting cryptocurrency organizations with recruitment-themed social engineering. The campaign uses bespoke macOS malware and deep targeting of CI/CD infrastructure to facilitate digital asset theft.
The attack chain begins with credible LinkedIn profiles approaching targets for a virtual meeting. The meeting invite directs victims to a rogue domain masquerading as a teleconference provider. Victims are tricked into downloading and executing a malicious file disguised as a meeting client, which triggers the retrieval of AUDIOFIX — a Python-based macOS infostealer and remote access trojan.
AUDIOFIX is architecture-aware, compatible with both Intel and Apple Silicon. It masquerades as a system audio driver named coreaudiod, is saved to disk as ChromeUpdater, and is executed via launchctl. The malware steals credentials from password managers, web browsers, iCloud Keychain, SSH keys, configuration files, console history, cryptocurrency browser extensions and wallet addresses, and active Discord, Slack, and Telegram sessions.
Critically, AUDIOFIX enables lateral movement to internal code distribution systems and development infrastructure by injecting into build pipelines and modifying source code to compromise downstream endpoints. JINX-0164 also uses MiniRAT, a Go-based backdoor previously distributed via a compromised npm package (@velora-dex/sdk) targeting the VeloraDEX DeFi platform.
While some aspects overlap with North Korean threat clusters (BlueNoroff, Contagious Interview, UNC1069), Wiz found no infrastructure overlaps directly linking JINX-0164 to Pyongyang at this stage.
Why It Matters
JINX-0164 fills two gaps in the current threat landscape. First, it demonstrates sophisticated macOS-specific targeting — a platform that receives less attention from defenders than Windows. Second, the pivot from social engineering to CI/CD infrastructure compromise represents a supply chain risk amplification: one compromised developer can lead to downstream code distribution compromise. For cryptocurrency and fintech organizations, this campaign underscores the need for macOS endpoint monitoring and developer pipeline security.
Defender Takeaways
- Implement macOS endpoint monitoring — AUDIOFIX masquerades as system processes and uses launchctl for persistence.
- Vet recruitment and meeting-related social engineering thoroughly — fake LinkedIn recruiter profiles are the initial access vector.
- Monitor CI/CD pipeline access and audit code changes for unauthorized modifications.
- Restrict SSH key usage and monitor for unusual key access patterns.
- Secure npm and package registry credentials — pipeline compromise can lead to supply chain attacks.
- Audit third-party npm dependency versions for signs of compromise, particularly those targeting DeFi or crypto tooling.
Source
Title: JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware — The Hacker News/Wiz
URL: https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html
Related
- Supply Chain Attack — detection and response for T1195 techniques
- Social Engineering — detection and response for T1566 techniques
- Malware Analysis Fundamentals — detection and response for T1204 techniques
