A newly identified and highly sophisticated threat actor, tracked as JINX-0164, has embarked on an elaborate campaign targeting cryptocurrency organizations with the primary objective of digital asset theft. The operation leverages advanced social engineering tactics, custom-designed macOS malware, and meticulous targeting of critical CI/CD (Continuous Integration/Continuous Delivery) infrastructure. This revelation, brought forth by researchers at Google-owned cloud security company Wiz, underscores a worrying evolution in cybercriminal methodologies aimed at the lucrative and often vulnerable digital asset sector.
The Emergence of JINX-0164: A New Threat on the Horizon
Wiz researchers, including Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read, have detailed the activities of JINX-0164, assessing the group to have been active since at least mid-2025. Their findings highlight a financially motivated adversary employing a multi-pronged attack strategy that moves beyond simple phishing to deep compromises of organizational ecosystems. The group’s primary targets are developers within cryptocurrency firms, approached through recruitment-themed lures designed to establish initial access.
"These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," the Wiz researchers stated in their report. This strategic targeting allowed JINX-0164 to achieve significant lateral movement, transitioning from compromised employee laptops to sensitive code distribution systems and development environments, thereby escalating the potential for widespread damage and asset exfiltration. In at least one documented instance, the actor successfully executed a supply chain attack, a particularly insidious method that can compromise numerous downstream users through a single breach.
Recruitment Lures: The Initial Vector of Compromise

The core of JINX-0164’s initial infiltration strategy revolves around highly convincing recruitment-themed social engineering. The threat actor establishes credible-looking LinkedIn profiles, which they then use to approach prospective victims, typically software developers within targeted cryptocurrency organizations. These interactions culminate in an invitation for a virtual meeting, meticulously crafted to appear legitimate.
The meeting invitation, however, is a trojan horse. It directs the unsuspecting target to a rogue domain that expertly mimics a legitimate teleconference provider. This critical step sets the stage for the next phase of the attack: malware deployment. Victims are subsequently manipulated into downloading and executing a malicious file, deceptively presented as the necessary meeting client. This seemingly innocuous action initiates a chain of events leading to the installation of bespoke macOS malware. The choice of macOS as a primary target operating system is notable, reflecting a growing trend among sophisticated threat actors to exploit the perceived security of Apple’s ecosystem, often underestimated by users and even some organizations.
AUDIOFIX: A Bespoke macOS Infostealer and Remote Access Trojan
Upon execution of the disguised meeting client, a bash script is triggered, fetching a Python-based macOS infostealer and remote access trojan (RAT) codenamed AUDIOFIX. This retrieval occurs from a meticulously crafted fake driver store domain, specifically "apple.driver-store[.]com," designed to appear as an official Apple resource.
The malware payload itself is sophisticated and architecture-aware, meaning it can adapt to both Intel and Apple Silicon systems, ensuring broad compatibility across modern macOS devices. It masquerades as a legitimate system audio driver named coreaudiod, but is saved and executed as ChromeUpdater via launchctl, a system utility used to manage services, ensuring persistence across reboots.
Once established, AUDIOFIX exhibits a comprehensive array of malicious capabilities:

- Data Exfiltration: The malware is designed to steal a vast range of sensitive data from the compromised endpoint. This includes credentials from popular password managers, web browsers, and iCloud Keychain files, which store a user’s sensitive account information.
- Credential Harvesting: Local administrator credentials, crucial for elevating privileges and gaining deeper system access, are also targeted.
- Development Artifacts: SSH keys, configuration files, and console history files are exfiltrated, providing attackers with insights into development practices and access to other systems.
- Cryptocurrency Specifics: Critically for its objective, AUDIOFIX targets cryptocurrency browser extensions, cryptocurrency wallet addresses, and active session tokens from popular communication platforms like Discord, Slack, and Telegram, often used for internal coordination in crypto projects.
- Lateral Movement and Supply Chain Manipulation: Beyond information theft, AUDIOFIX facilitates lateral movement within the network. It can inject its payload into internal code distribution systems and development infrastructure. This enables the modification of source code, potentially compromising other endpoints and directly siphoning cryptocurrency wallet credentials on a broader scale.
- Remote Control: The RAT functionalities of AUDIOFIX allow for manual reconnaissance, further data exfiltration, arbitrary shell command execution, file deletion, and the retrieval of additional payloads or tools from external command-and-control servers, giving JINX-0164 extensive control over the compromised system.
The breadth of data targeted by AUDIOFIX underscores the actor’s intent to not only steal current assets but also to establish long-term persistence and compromise the very mechanisms of software development and distribution within the targeted organizations.
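The persistence technique described above (a launchd job whose label borrows a vendor name but whose real payload is an interpreter running a script from a user-writable path) is something a defender can audit with a few lines of code. The following is an added example, not code from Wiz's report or from the malware itself: it parses LaunchAgent/LaunchDaemon property lists with Python's plistlib and flags the traits that a fake "updater" job tends to share. The two plists, the label names, and the file paths are constructed for illustration and are not indicators from the campaign.

```python
import plistlib
from pathlib import PurePosixPath

# Directories where a legitimate login item rarely lives (assumption: tune per fleet).
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# Interpreters whose presence as the program means the real payload is in the next argument.
INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "osascript", "curl"}
# Label fragments that imitate a vendor, and where that vendor's binaries actually reside.
VENDOR_WORDS = ("apple", "chrome", "google", "coreaudio")
VENDOR_PATHS = ("/System/", "/usr/libexec/", "/Applications/Google Chrome.app/", "/Library/Apple/")


def audit_launch_item(data: bytes) -> list[str]:
    """Return a list of findings for one launchd plist; an empty list means nothing stood out."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", "")).lower()
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    if not args and "Program" in plist:
        args = [str(plist["Program"])]
    findings: list[str] = []
    if not args:
        return ["no Program or ProgramArguments present"]

    program = args[0]
    base = PurePosixPath(program).name.lower()
    # If the program is an interpreter, the thing that actually runs is the script it is handed.
    target = args[1] if base in INTERPRETERS and len(args) > 1 else program
    if target != program:
        findings.append(f"interpreter {base} executes {target} at login")
    for a in args:
        if a.startswith(STAGING_DIRS):
            findings.append(f"argument refers to a staging directory: {a}")
    if any(w in label for w in VENDOR_WORDS) and not target.startswith(VENDOR_PATHS):
        findings.append(f"vendor-like label '{label}' backed by code outside vendor paths: {target}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and findings:
        findings.append("job is persistent and self-restarting (RunAtLoad + KeepAlive)")
    return findings


def audit_many(items: dict[str, bytes]) -> dict[str, list[str]]:
    """Audit several plists keyed by their path; only paths with findings are returned."""
    report = {path: audit_launch_item(data) for path, data in items.items()}
    return {path: f for path, f in report.items() if f}


# Constructed sample plists (not real files from any host).
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

FAKE_UPDATER_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.ChromeUpdater</string>
  <key>ProgramArguments</key><array><string>/usr/bin/python3</string><string>/Users/dev/.config/ChromeUpdater/update.py</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLES = {
    "/Users/dev/Library/LaunchAgents/com.example.backup.plist": BENIGN_AGENT,
    "/Users/dev/Library/LaunchAgents/com.google.ChromeUpdater.plist": FAKE_UPDATER_AGENT,
}

if __name__ == "__main__":
    for path, findings in audit_many(SAMPLES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

On a real host the same function can be fed the contents of `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the point of the heuristics is to surface the mismatch between what a job calls itself and what it actually runs, which is exactly the trick described above, rather than to match a fixed label.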
The VeloraDEX Compromise: A Parallel Supply Chain Vector
In addition to the direct social engineering attacks, JINX-0164 has also been linked to a significant supply chain compromise involving an npm package. The threat actor leveraged a compromised version of @velora-dex/sdk, a legitimate DeFi (Decentralized Finance) toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform. This incident, previously detailed by SafeDep and StepSecurity, occurred approximately a month prior to Wiz’s latest report.
The poisoned npm package delivered a different, albeit equally potent, macOS-specific binary known as MiniRAT. This Go-based backdoor was distributed via a shell script downloaded from a remote server. MiniRAT shares several functionalities with AUDIOFIX, being equipped to upload files, run arbitrary shell commands, and fetch additional payloads or tools from attacker-controlled domains. The compromise of a widely used DeFi SDK highlights JINX-0164’s capability to orchestrate sophisticated supply chain attacks, potentially affecting a much broader range of users and organizations that integrate the compromised library. Such attacks are particularly dangerous as they exploit trust in legitimate software channels.
Chronology of Detected Activities
The activities attributed to JINX-0164 demonstrate a calculated and evolving campaign:

- Mid-2025: Wiz researchers assess JINX-0164 to have become active, primarily initiating reconnaissance and developing their bespoke tools and social engineering tactics.
- Late 2025 – Early 2026: Initial recruitment-themed social engineering attacks likely commenced, targeting developers with fake job opportunities and leading to the deployment of AUDIOFIX.
- April 2026: The compromise of the @velora-dex/sdk npm package occurred, leading to the distribution of MiniRAT. This indicates either a parallel attack vector or an evolution in JINX-0164’s supply chain attack capabilities.
- May 2026: Wiz researchers publish their findings, shedding light on the full scope of JINX-0164’s operations, including the use of AUDIOFIX and the broader supply chain implications.
This timeline suggests a persistent and adaptable threat actor continuously refining its methods and expanding its reach within the cryptocurrency ecosystem.
Attribution and Parallels to State-Sponsored Activity
While Wiz has not yet found definitive infrastructure overlaps to directly attribute JINX-0164 to any known state-sponsored groups, several aspects of the campaign bear striking resemblances to the tactics, techniques, and procedures (TTPs) of North Korean threat clusters. Groups such as BlueNoroff, Contagious Interview, and UNC1069 are notorious for their financially motivated cyber operations, often targeting cryptocurrency organizations and developers.
Commonalities include:
- Focus on Cryptocurrency and Developers: North Korean APTs are well-documented for their sustained campaigns against the cryptocurrency industry, seeking to generate revenue for the regime. Developers are frequently targeted due to their privileged access to sensitive code, financial systems, and intellectual property.
- Recruitment-Themed Social Engineering: The use of fake job offers and professional networking sites like LinkedIn is a hallmark of these groups, leveraging the trust associated with career advancement opportunities.
- Use of VPN Services: The observed use of VPN services like Astrill VPN is also a tactic frequently employed by North Korean actors to obscure their origins and maintain anonymity during operations.
- Spoofing Domains: The creation of highly convincing spoofed domains, mirroring legitimate services, is another consistent TTP.
Despite these strong thematic and tactical similarities, Wiz emphasizes that direct infrastructure overlaps connecting JINX-0164 to Pyongyang have not been established at this stage. "Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups," Wiz clarified. This lack of direct linkage could indicate a newly formed, independent criminal enterprise, a state-sponsored group operating with entirely new infrastructure, or a sophisticated effort to mimic known APTs for false flag purposes. Regardless, the level of sophistication points to a well-resourced adversary.
Broader Impact and Implications

The emergence of JINX-0164 and its successful campaigns carry significant implications for the cybersecurity landscape, particularly within the cryptocurrency and software development sectors:
- Heightened Risk for Cryptocurrency Organizations: The financial motivation behind these attacks, coupled with the high value of digital assets, makes cryptocurrency firms prime targets. The sophistication of JINX-0164’s methods means that even organizations with robust security postures must remain extremely vigilant.
- Evolving Threat to macOS Ecosystems: macOS, often perceived as more secure than other operating systems, is increasingly becoming a target for advanced threat actors. The development of architecture-aware macOS malware like AUDIOFIX demonstrates a dedicated effort to exploit this platform.
- Critical Vulnerabilities in Supply Chains: The compromise of the @velora-dex/sdk npm package serves as a stark reminder of the inherent vulnerabilities in software supply chains. A single compromised component can have a ripple effect, impacting countless developers and end-users. Organizations relying on third-party libraries and tools must implement stringent vetting and monitoring processes.
- The Human Element Remains Key: Despite technical advancements in cybersecurity, social engineering continues to be a highly effective initial vector. The success of recruitment-themed lures highlights the need for continuous security awareness training, particularly for employees with privileged access.
- Challenges in Attribution: The careful operational security and potential mimicry of TTPs make definitive attribution challenging. This ambiguity can hinder collaborative defense efforts and diplomatic responses.
- The Cost of Compromise: Beyond direct financial losses from stolen cryptocurrencies, a successful supply chain attack can lead to reputational damage, loss of intellectual property, and significant costs associated with incident response, remediation, and potential regulatory fines.
Mitigation and Prevention Strategies
To counter sophisticated threats like JINX-0164, organizations and individuals must adopt a multi-layered security approach:
- Enhanced Social Engineering Training: Regularly educate employees, especially developers and those with high-value access, on the latest social engineering tactics, including recruitment scams and credential phishing. Emphasize verification protocols for unsolicited job offers or meeting invitations.
- Robust Endpoint Detection and Response (EDR): Deploy and maintain advanced EDR solutions on all endpoints, particularly macOS devices, to detect and respond to anomalous activities and the execution of suspicious scripts or payloads.
- Strict Access Controls and Least Privilege: Implement the principle of least privilege, ensuring that employees only have access to the resources absolutely necessary for their roles. Enforce strong multi-factor authentication (MFA) for all critical systems and accounts.
- CI/CD Pipeline Security: Secure development and build pipelines through rigorous code review, static and dynamic application security testing (SAST/DAST), and integrity checks for all third-party dependencies. Implement automated security scans for newly introduced code.
- Supply Chain Risk Management: Vet all third-party software, libraries, and components thoroughly. Utilize software bill of materials (SBOMs) to track dependencies and monitor for known vulnerabilities. Isolate development environments from production where possible.
- Network Segmentation: Segment networks to limit lateral movement in case of a breach. Isolate critical systems and development infrastructure from general user networks.
- Regular Security Audits and Penetration Testing: Conduct frequent security audits and penetration tests to identify weaknesses in systems, applications, and human processes.
- Proactive Threat Intelligence: Stay informed about emerging threats, TTPs, and indicators of compromise (IoCs) from reputable cybersecurity research firms like Wiz.
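The dependency integrity checks and SBOM tracking recommended in the CI/CD and supply chain items above can be made concrete in a pipeline step that reads the npm lockfile and compares it with the versions the team has actually reviewed. The following is an added example, not tooling from Wiz, SafeDep, StepSecurity or the VeloraDEX project: it audits a lockfileVersion 3 `package-lock.json` for version drift against a pinned allowlist, missing Subresource Integrity hashes, and tarballs resolved from hosts other than the expected registry, and it verifies a downloaded tarball against its `integrity` field. The lockfile excerpt, the package name `@example/defi-sdk`, the mirror host and the tarball bytes are all constructed for illustration.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse


def sri(data: bytes, algo: str = "sha512") -> str:
    """Build an npm-style Subresource Integrity string ("sha512-<base64 digest>") for data."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check a tarball's bytes against the integrity string recorded in the lockfile."""
    algo, _, expected = integrity.partition("-")
    if algo not in hashlib.algorithms_available or not expected:
        return False
    return sri(data, algo) == integrity


def audit_lockfile(lock_json: str, pinned: dict[str, str],
                   allowed_hosts: frozenset[str] = frozenset({"registry.npmjs.org"})) -> list[tuple[str, str]]:
    """Return (package, issue) pairs for every lockfile entry that deviates from the reviewed set."""
    lock = json.loads(lock_json)
    issues: list[tuple[str, str]] = []
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the "" entry is the root project, not a dependency
        name = path[len("node_modules/"):]
        version = entry.get("version", "")
        # Version drift: the lockfile resolved something other than what was reviewed/pinned.
        if name in pinned and pinned[name] != version:
            issues.append((name, f"version {version} differs from pinned {pinned[name]}"))
        elif name not in pinned:
            issues.append((name, "not in the reviewed allowlist"))
        # Missing integrity means npm cannot detect a tampered tarball on install.
        if not entry.get("integrity"):
            issues.append((name, "no integrity hash recorded"))
        # Tarballs should come from the registry the team expects, not an arbitrary mirror.
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in allowed_hosts:
            issues.append((name, f"resolved from unexpected host '{host or 'none'}'"))
    return issues


# Constructed tarball contents standing in for a real package archive.
SDK_TARBALL = b"constructed tarball bytes for @example/defi-sdk 1.4.1"

# Constructed lockfile excerpt in npm's lockfileVersion 3 layout (not a real project's file).
SAMPLE_LOCK = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@example/defi-sdk": "^1.4.0", "left-pad": "1.3.0"}},
        "node_modules/@example/defi-sdk": {
            "version": "1.4.1",
            "resolved": "https://registry.npmjs.org/@example/defi-sdk/-/defi-sdk-1.4.1.tgz",
            "integrity": sri(SDK_TARBALL),
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://mirror.example.net/left-pad-1.3.0.tgz",
        },
    },
})

# The versions the team last reviewed (in practice, taken from the SBOM or a pinning policy).
PINNED = {"@example/defi-sdk": "1.4.0", "left-pad": "1.3.0"}

if __name__ == "__main__":
    for pkg, issue in audit_lockfile(SAMPLE_LOCK, PINNED):
        print(f"{pkg}: {issue}")
    print("tarball matches lockfile:", verify_integrity(SDK_TARBALL, sri(SDK_TARBALL)))
```

Run as a CI gate, a non-empty result from `audit_lockfile` should fail the build so that a silently bumped dependency, like the SDK example here, is looked at by a person before it reaches a build agent or a release; `verify_integrity` is the same check npm performs on install, shown here so the hash in the lockfile can be re-verified independently against an archive pulled from cache or from an artifact store.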
The campaign by JINX-0164 serves as a critical reminder that the digital asset landscape remains a high-stakes arena for cybercriminals. The blend of sophisticated social engineering, bespoke malware, and strategic targeting of development infrastructure highlights the urgent need for comprehensive and adaptive cybersecurity defenses across the industry. As the cryptocurrency sector continues to grow, so too will the ingenuity and persistence of those seeking to exploit its vulnerabilities.
