JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware  Ravie Lakshmanan  May 28, 2026 Supply Chain Attack / Malware A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware. "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read said . "The used methods enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure." The Google-owned cloud security company is tracking the activity under the moniker JINX-0164 . The threat actor is assessed to be active since at least mid-2025 and motivated by financial gain, targeting developers through recruitment-themed and other social engineering techniques to siphon cryptocurrencies. In at least one case, the adversary is said to have carried out a supply chain attack. In the attack chain documented by Wiz, JINX-0164 has been found to leverage credible LinkedIn profiles to approach victims and offer a virtual meeting. The meeting invite is designed to steer the target to a rogue domain that masquerades as a teleconference provider. From there, victims are tricked into downloading and installing the program. This, in turn, triggers the retrieval of a Python-based macOS infostealer and remote access trojan codenamed AUDIOFIX using a bash script hosted on a fake driver store domain ("apple.driver-store[.]com"). "The [bash] script downloaded an architecture-aware payload from the same domain, compatible with both Intel and Apple Silicon systems. The payload masquerades as a system audio driver named coreaudiod, was saved as ChromeUpdater, and was executed via launchctl," Wiz said. The Python malware is then leveraged to steal sensitive data from the compromised endpoint, laterally move to internal code distribution systems and development infrastructure by injecting the AUDIOFIX payload, and modify source code in an attempt to compromise other endpoints and steal cryptocurrency wallet credentials. The captured data includes credentials from password managers, web browsers, and iCloud Keychain files; local admin credentials; SSH keys; configuration files; console history files; cryptocurrency browser extensions information; cryptocurrency wallet addresses; and active Discord, Slack, and Telegram sessions. Besides information theft, AUDIOFIX supports several commands that allow manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval from an external server. JINX-0164 has also been observed targeting software developers by impersonating recruiters, while employing the same social engineering technique: using the job opportunity to set up a meeting that displays a fake technical error and instructs the victim to download a "fix" that leads to malware installation. Another key component of the threat actor's arsenal is MiniRAT, a Go-based backdoor that was previously distributed via a compromised version of an npm package named @velora-dex/sdk , a legitimate DeFi toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform. Per details shared by SafeDep and StepSecurity last month, the poisoned version downloaded a shell script from a remote server, which then delivered an macOS-specific binary called MiniRAT . The malware is equipped to upload files, run arbitrary shell commands, and fetch additional payloads or tools from attacker-controlled domains. It's worth noting that some aspects of the campaign, coupled with the use of VPN services like Astrill VPN and the focus on cryptocurrency and developers, are reminiscent of those used by multiple North Korean threat clusters such as BlueNoroff , Contagious Interview , and UNC1069 . However, Wiz said there are no infrastructure overlaps connecting JINX-0164 to Pyongyang at this stage. "Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups," Wiz said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  cryptocurrency , cybersecurity , Infostealer , MacOS , Malware , NPM , Remote Access Trojan , Social Engineering , Supply Chain Attack ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure