Security researchers at Wiz have identified a new, financially motivated threat actor, dubbed JINX-0164, that specializes in targeting developers at cryptocurrency firms with custom macOS malware. Active since at least mid-2025, the group employs a multi-stage attack that begins with sophisticated social engineering on professional networks like LinkedIn. Victims are tricked into downloading what appears to be a meeting client, which instead deploys a custom Python-based infostealer and Remote Access Trojan (RAT) named AUDIOFIX. JINX-0164 has also demonstrated supply chain attack capabilities, previously distributing a Go-based backdoor called MiniRAT through a malicious version of a legitimate npm package. The ultimate goal is the theft of digital assets by compromising developer machines and CI/CD pipelines.
The attack chain used by JINX-0164 is well-orchestrated and tailored to its targets:
T1589 - Gather Victim Identity Information): The actor identifies developers at crypto firms on LinkedIn and initiates contact with fake job offers or meeting requests.T1566.002 - Phishing: Spearphishing Link): The target is directed to a malicious domain impersonating a legitimate service (e.g., apple.driver-store[.]com).T1204.002 - User Execution: Malicious File): The user is tricked into downloading and running a malicious file disguised as a meeting client. This file is a bash script.T1105 - Ingress Tool Transfer): The initial bash script downloads the main payload, the AUDIOFIX malware, from the attacker-controlled domain.T1195.002 - Compromise Software Supply Chain: Compromise Software Dependencies): In a separate TTP, the actor compromised the @velora-dex/sdk npm package to distribute the MiniRAT backdoor, showing a higher level of sophistication.While some TTPs, like targeting crypto developers and using VPN services, are similar to North Korean APT groups like BlueNoroff, researchers have not found sufficient evidence to attribute JINX-0164 to them at this time.
JINX-0164 poses a significant threat to the cryptocurrency ecosystem. By specifically targeting developers and their CI/CD infrastructure, the group aims to compromise systems at the heart of digital asset management. A successful attack could lead to:
domainapple.driver-store[.]compackage_name@velora-dex/sdkapple.driver-store[.]com at the network perimeter.M1017 - User Training): Educate employees, especially developers, about the specific social engineering tactics used by groups like JINX-0164.JINX-0164's supply chain attack escalated with the compromise of npm package `@velora-dex/sdk` version 4.9.1 on April 7, 2026. The actor is now confirmed as a distinct, financially motivated criminal entity, clarifying previous attribution. New technical details and hunting hints for macOS persistence and command line patterns are also provided.
New intelligence confirms that JINX-0164's supply chain attack specifically involved the compromise of the npm package @velora-dex/sdk version 4.9.1, which was trojanized on April 7, 2026, to distribute the MINIRAT backdoor. This represents a significant escalation, shifting the attack from individuals to potentially wider developer communities. Attribution has been clarified, with JINX-0164 now assessed as a distinct, financially motivated criminal entity, moving away from previous speculative links to North Korean APTs. Additional technical details include AUDIOFIX's use of launchctl for persistence and new hunting hints for macOS EDR and command line patterns, enhancing detection capabilities.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.