- A new financially motivated threat actor, tracked as JINX-0164, is actively targeting cryptocurrency organizations with sophisticated social engineering and custom macOS malware.
- The campaign uses fake job offers and meeting invites to trick developers into installing an infostealer called AUDIOFIX, which steals credentials, SSH keys, and cryptocurrency wallet data.
- The attacker has also executed a supply chain attack by compromising a legitimate npm package, @velora-dex/sdk, to distribute a separate Go-based backdoor called MiniRAT.
- Researchers have noted similarities in tactics to North Korean hacking groups but have not found definitive infrastructure links connecting JINX-0164 to Pyongyang.
A previously unknown threat actor has been targeting cryptocurrency organizations since at least mid-2025, using recruitment-themed social engineering and custom macOS malware to steal digital assets, according to researchers from Wiz. The operation, designated JINX-0164, employs credible LinkedIn profiles to approach victims under the guise of a job opportunity.
The social engineering scheme leads to a fake teleconference website where victims download a malicious program. That program in turn runs a bash script that fetches a Python-based infostealer and remote access trojan codenamed AUDIOFIX from a domain masquerading as an Apple driver store. “The payload masquerades as a system audio driver named coreaudiod,” Wiz explained.
This malware steals a wide range of sensitive data, including credentials from password managers, browser data, SSH keys, and active sessions for Discord and Telegram. Furthermore, AUDIOFIX allows the attacker to move laterally into internal development infrastructure and modify source code to compromise other systems.
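A defender-side check for the process-name masquerade described above, written as an added example (not code from the Wiz report): it parses `ps -axo pid=,comm=` style output and flags any process called coreaudiod that is not the genuine system binary at /usr/sbin/coreaudiod. The sample process list is constructed for the demo.

```python
"""Flag processes impersonating macOS coreaudiod by name but running from a
non-system path. Added example; the ps output below is constructed."""
import subprocess

# Genuine location of the Core Audio daemon on macOS.
LEGIT_COREAUDIOD = "/usr/sbin/coreaudiod"

# Constructed sample in the shape of `ps -axo pid=,comm=` output
# (on macOS, comm is the full executable path).
SAMPLE_PS = """\
  123 /usr/sbin/coreaudiod
  456 /Users/dev/Library/Application Support/Audio/coreaudiod
  789 /usr/libexec/trustd
"""


def parse_ps(text):
    """Yield (pid, path) tuples from `ps -axo pid=,comm=` style lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, _, path = line.partition(" ")  # path may itself contain spaces
        yield int(pid), path.strip()


def find_masquerading(text, name="coreaudiod", legit=LEGIT_COREAUDIOD):
    """Return (pid, path) entries whose basename matches `name` but whose
    full path is not the legitimate system binary."""
    hits = []
    for pid, path in parse_ps(text):
        if path.rsplit("/", 1)[-1] == name and path != legit:
            hits.append((pid, path))
    return hits


def live_ps():
    """Collect the real process list on the local macOS host."""
    result = subprocess.run(["ps", "-axo", "pid=,comm="],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demo over the constructed sample; swap in live_ps() on a real host.
    for pid, path in find_masquerading(SAMPLE_PS):
        print(f"suspicious coreaudiod: pid={pid} path={path}")
```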
In a parallel supply chain attack, the threat actor compromised the legitimate @velora-dex/sdk npm package. The poisoned version, as detailed by SafeDep and StepSecurity, delivered a Go-based backdoor called MiniRAT.
The campaign’s focus on cryptocurrency and use of specific VPN services echoes tactics of North Korean threat clusters like BlueNoroff. However, Wiz stated there are no current infrastructure overlaps definitively linking JINX-0164 to Pyongyang.
