A previously undocumented threat actor has targeted cryptocurrency organizations since at least mid-2025 in a campaign that used recruitment-themed social engineering, custom macOS malware and CI/CD compromise to try to steal digital assets, according to a technical analysis by Wiz.
KEY FACTS
- Actor: Wiz tracks the activity as JINX-0164.
- Targeting: Victims included cryptocurrency organizations and software developers.
- Malware: The campaign used a Python-based infostealer and remote access trojan called AUDIOFIX.
- Supply chain: In one case, the attackers modified source code and used a compromised npm package linked to MiniRAT.
The report says the attackers used credible LinkedIn profiles to contact targets and set up virtual meetings. The meeting invites redirected victims to a rogue domain posing as a teleconference service, then pushed them to download a fake meeting client.
That download led to a bash script hosted on a counterfeit driver site that retrieved a macOS payload disguised as a system audio driver. The payload was saved as ChromeUpdater and launched through launchctl on both Intel and Apple Silicon systems.
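As an added illustration, not code from the Wiz report or this article, the following Python routine triages launchd property lists for persistence of the kind described above: an item whose executable carries the reported payload name or lives in a common drop directory. The plist labels, paths and sample content are constructed assumptions for the example.

```python
import fnmatch
import plistlib
from pathlib import PurePosixPath

# Constructed sample (not from the report): a LaunchAgent pointing at a binary
# saved as ChromeUpdater in a user cache directory. Label and path are assumptions.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.chromeupdater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Caches/ChromeUpdater</string><string>-d</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign sample shaped like a vendor updater agent shipped inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/Updater</string>
</dict></plist>"""

# Executable names the article associates with the payload (compared lowercase).
REPORTED_NAMES = {"chromeupdater"}
# Directories where a freshly downloaded binary commonly lands; launchd items
# pointing into them deserve a closer look (these are triage heuristics, not verdicts).
DROP_DIRS = ("/tmp/*", "/private/tmp/*", "/var/tmp/*", "/Users/*/Library/Caches/*",
             "/Users/*/Downloads/*", "/Users/Shared/*")


def launch_item_executable(plist: dict) -> str:
    """Return the path launchd would execute: Program wins, else ProgramArguments[0]."""
    program = plist.get("Program")
    if program:
        return program
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def triage_launch_item(data: bytes) -> list[str]:
    """Parse one launchd plist (XML or binary) and return findings; an empty list means nothing flagged."""
    plist = plistlib.loads(data)
    path = launch_item_executable(plist)
    if not path:
        return ["no Program or ProgramArguments key; launchd has nothing to run"]
    findings = []
    if PurePosixPath(path).name.lower() in REPORTED_NAMES:
        findings.append(f"executable name matches reported payload: {path}")
    if any(fnmatch.fnmatch(path, pattern) for pattern in DROP_DIRS):
        findings.append(f"executable lives in a common drop directory: {path}")
    if plist.get("RunAtLoad") and findings:
        findings.append("RunAtLoad set: flagged item starts automatically at login or boot")
    return findings
```

On a live system the same function can be fed the bytes of each file under the user and system LaunchAgents and LaunchDaemons directories.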
Once installed, AUDIOFIX could steal data from password managers, browsers and iCloud Keychain files, along with SSH keys, configuration files, console history, cryptocurrency wallet information and active Discord, Slack and Telegram sessions. It also supported reconnaissance, file deletion, shell command execution and additional payload downloads.
In separate activity, the same group impersonated recruiters and lured developers into fixing a fake technical error during an interview, the disclosure said. A poisoned npm package tied to MiniRAT later delivered a backdoor that could upload files, run commands and fetch more tools from attacker-controlled servers.
The report says some elements resemble tactics used by North Korea-linked groups, but Wiz said it found no infrastructure overlaps that would connect JINX-0164 to Pyongyang. It also said the campaign used VPN services including Astrill VPN.
WHY IT MATTERS
The campaign shows how social engineering, malware and software supply chain abuse can be combined to reach both employee devices and internal development systems. For crypto firms and developers, that raises the risk of credential theft, code tampering and broader compromise across connected systems.