JINX-0164 Exploits LinkedIn to Deploy Custom macOS Malware in Cryptocurrency Sector
A newly identified cyber threat actor, designated as JINX-0164, has been orchestrating targeted attacks against cryptocurrency organizations by leveraging LinkedIn to distribute custom macOS malware. Active since at least mid-2025, this group employs a combination of social engineering, credential theft, and supply chain compromise to infiltrate and exploit software development environments.
Sophisticated Social Engineering via LinkedIn
The attack sequence initiates with JINX-0164 creating convincing LinkedIn profiles that pose as recruiters or business partners. These profiles reach out to developers and other professionals within the cryptocurrency sector, offering enticing job opportunities or collaborative ventures. Once a rapport is established, the target is invited to a meeting via a link that directs them to a counterfeit conferencing platform resembling Microsoft Teams or similar services. Clicking this link triggers the download of a macOS-specific remote access tool, which, upon execution, begins exfiltrating sensitive data from the victim’s system.
Deployment of Custom macOS Malware
Researchers at Wiz.io have identified two distinct malware families utilized by JINX-0164: AUDIOFIX and MINIRAT, both specifically designed to target macOS devices.
– AUDIOFIX: This is a compiled Python-based infostealer and backdoor that harvests browser credentials, cryptocurrency wallet extensions, SSH keys, cloud API tokens, and clipboard data in real time. It communicates with its command-and-control server over encrypted HTTPS, using AES-256-CBC encryption, and can adjust its polling intervals to evade detection. Additionally, AUDIOFIX targets active sessions on communication platforms like Discord, Slack, and Telegram, providing attackers with extensive access to the victim’s digital communications.
– MINIRAT: While specific details about MINIRAT are less documented, it is understood to function as a lightweight remote access trojan, facilitating further control and data exfiltration from compromised systems.
Advanced Evasion Techniques
JINX-0164 employs several sophisticated methods to mask their activities and complicate attribution:
– Use of Commercial VPN Services: By routing their network traffic through commercial VPNs, the attackers obscure their origin, making it challenging for investigators to trace their activities.
– Tampering with Git Commit Metadata: The group manipulates Git commit metadata to impersonate legitimate developers, allowing them to inject malicious code into internal repositories without raising immediate suspicion.
Supply Chain Compromise
One of the most concerning aspects of JINX-0164’s operations is their ability to compromise the software supply chain:
– Infection of Development Pipelines: After gaining access to a developer’s system, the attackers use stolen GitHub tokens to exfiltrate secrets from CI/CD pipelines. They then push infected code into shared repositories, which, when pulled and built by other developers, spreads the AUDIOFIX malware throughout the organization.
– Trojanized npm Packages: In some instances, JINX-0164 has been observed uploading malicious npm packages to public repositories. These packages, when incorporated into projects, serve as a vector for malware distribution, further extending the reach of their campaign.
Mitigation Strategies
To defend against such sophisticated attacks, organizations and individuals should adopt the following measures:
– Vigilant Verification: Scrutinize unsolicited communications on professional networking platforms. Verify the authenticity of profiles and the legitimacy of job offers or collaboration proposals.
– Secure Meeting Invitations: Be cautious of meeting invitations from unfamiliar sources, especially those that require downloading software or accessing unfamiliar platforms.
– Endpoint Security: Implement robust endpoint detection and response solutions capable of identifying and mitigating macOS-specific threats.
– Supply Chain Security: Regularly audit and monitor code repositories for unauthorized changes. Employ tools that can detect anomalies in commit histories and codebases.
– Credential Management: Utilize multi-factor authentication and regularly rotate access tokens and credentials to minimize the risk of unauthorized access.
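The Git commit metadata tampering described above and the "detect anomalies in commit histories" mitigation can be turned into a concrete repository check. The following is an added example, not code from the article or from Wiz.io: it audits formatted git log lines against an allow-list of developer identities and flags the cheap spoofs (a known name paired with a foreign email, a trusted email without a good signature, author/committer mismatches). The log format string, the allow-list, and the sample log are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed input: one commit per line from
#   git log --format='%H|%an|%ae|%cn|%ce|%G?'
# where %G? is the signature status (G = good, N = none, B = bad, ...).
TRUSTED = {  # constructed allow-list: developer name -> registered email
    "Alice Example": "alice@example.org",
    "Bob Example": "bob@example.org",
}
TRUSTED_EMAILS = set(TRUSTED.values())

@dataclass(frozen=True)
class Finding:
    commit: str
    reason: str

def audit_commit(line: str) -> list[Finding]:
    fields = line.strip().split("|")
    if len(fields) != 6:
        return [Finding(line[:12], "unparseable log line")]
    commit, an, ae, _cn, ce, sig = fields
    short, findings = commit[:12], []
    if an in TRUSTED and TRUSTED[an] != ae:
        # user.name is free-form, so a known name with a foreign email is the cheapest spoof
        findings.append(Finding(short, f"name '{an}' used with untrusted email {ae}"))
    if ae in TRUSTED_EMAILS and sig != "G":
        # user.email is equally free-form; only a good signature ties the commit to a key
        findings.append(Finding(short, f"trusted email {ae} without a good signature ({sig})"))
    if an not in TRUSTED and ae not in TRUSTED_EMAILS:
        findings.append(Finding(short, f"author {an} <{ae}> is not on the allow-list"))
    if ae != ce:
        # normal after a rebase or cherry-pick by someone else; low severity on its own
        findings.append(Finding(short, f"author {ae} differs from committer {ce}"))
    return findings

def audit_log(log_text: str) -> dict[str, list[str]]:
    # Map each flagged commit (12-char hash prefix) to its list of reasons.
    report: dict[str, list[str]] = {}
    for line in filter(str.strip, log_text.splitlines()):
        for f in audit_commit(line):
            report.setdefault(f.commit, []).append(f.reason)
    return report

# Constructed sample log; hashes and identities are made up for this example.
SAMPLE_LOG = """\
1111111111111111|Alice Example|alice@example.org|Alice Example|alice@example.org|G
2222222222222222|Alice Example|alice@example.org|Alice Example|alice@example.org|N
3333333333333333|Bob Example|bob@mail-example.test|Bob Example|bob@mail-example.test|N
4444444444444444|Alice Example|alice@example.org|ci-bot|ci@example.org|N
"""
```

Running `audit_log(SAMPLE_LOG)` leaves the signed first commit unflagged and reports the other three; in a real repository the signature check only means something once the trusted keys are registered (for example via `gpg.ssh.allowedSignersFile`), otherwise `%G?` never yields `G`.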
Conclusion
The emergence of JINX-0164 underscores the evolving landscape of cyber threats targeting the cryptocurrency sector. By combining social engineering with advanced malware deployment and supply chain compromise, this group exemplifies the multifaceted nature of modern cyber attacks. Organizations must remain vigilant, continuously update their security protocols, and foster a culture of cybersecurity awareness to mitigate such threats effectively.