Full Report
Wiz Research identified an active threat campaign targeting cryptocurrency organizations and software development infrastructure through social engineering, malicious meeting lures, and supply chain compromise activity. The campaign leveraged fake business interactions and tro...
Analysis Summary
# Threat Actor: JINX-0164
## Attribution & Identity
**JINX-0164** is a sophisticated threat actor suspected of being state-sponsored or a highly organized cybercriminal syndicate. While the provided data does not explicitly link it to a specific nation-state, its focus on cryptocurrency infrastructure and CI/CD supply chain compromise mirrors activity frequently associated with North Korean (DPRK-nexus) actors.
## Activity Summary
The actor is currently engaged in a campaign targeting cryptocurrency organizations and software development environments. The operation utilizes complex social engineering, including fake recruitment and business outreach, to deliver trojanized meeting software. Once an endpoint is compromised, the actor moves laterally into cloud environments and CI/CD pipelines to achieve long-term persistence and data exfiltration.
## Tactics, Techniques & Procedures
The actor employs a multi-stage attack chain focused on end-user compromise and supply chain injection:
* **Social Engineering:** Impersonating recruiters and business partners to establish trust.
* **Phishing (T1566):** Delivering malicious meeting lures and fake platform invitations.
* **Credential Theft (T1003):** Harvesting browser credentials, cloud tokens, and SSH keys.
* **CI/CD System Enumeration (T1592):** Identifying internal development workflows and repository structures.
* **Script Injection into CI/CD Workflow (T1554):** Attempting to modify GitHub Actions and pipeline secrets directly from compromised developer endpoints.
* **Evasion:** Heavy use of VPNs and residential proxy networks to mask the origin of malicious traffic.
## Targeting
* **Sectors:** Cryptocurrency, Financial Technology (FinTech), and Software Development (specifically CI/CD infrastructure).
* **Geography:** Global (targeting victims based on industry profile rather than region).
* **Victims:** Cryptocurrency organizations and software developers with access to cloud-based repositories.
## Tools & Infrastructure
### Malware Families
* **AUDIODFX:** An information stealer designed to harvest sensitive data from browsers, wallets, and system configurations.
* **MINIRAT:** A backdoor used for remote command execution and maintaining persistent access to the infected host.
* **Malicious npm Packages:** Used for supply chain compromise and execution within developer environments.
### Infrastructure
* **Malicious Meeting Platforms:** Fake domains used to host and deliver trojanized installers (e.g., hxxps[://]fake-meeting-platform[.]com).
* **Residential Proxies:** Used to obscure C2 communications and administrative logins to stolen accounts.
* **Defanged URLs/Paths:**
  * `hxxps[://]www[.]wiz[.]io/blog/threat-actors-target-crypto-orgs`
  * Stolen credentials used to access `github[.]com`
## Implications
JINX-0164 represents a significant risk to the software supply chain. By targeting the "source" of development (the developer's local machine and CI/CD secrets), they can bypass production security controls. Their ability to pivot from a single endpoint compromise to a full cloud infrastructure or CI/CD takeover indicates a high level of operational maturity.
## Mitigations
* **CI/CD Security:** Implement "least privilege" for GitHub Actions and CI/CD secrets; rotate secrets immediately if an endpoint compromise is suspected.
* **Endpoint Hardening:** Restrict the installation of unverified communication or meeting software and monitor for unauthorized npm package installations.
* **Identity Management:** Enforce hardware-based Multi-Factor Authentication (MFA) to prevent session hijacking and credential reuse.
* **Network Monitoring:** Audit logs for unusual login origins (residential proxies/VPNs) targeting sensitive development repositories.
* **Employee Awareness:** Train developers on the risks of social engineering via professional networking sites and the dangers of "meeting lures."
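The "Network Monitoring" mitigation above calls for auditing repository access logs for logins from residential proxies or VPNs. The following is an added example of that check, not code from the Wiz report or from any product: it reads constructed JSON-lines events loosely modelled on a repository audit-log export, builds a per-actor baseline of countries seen during a quiet period, and then flags recent events that come from a tagged proxy/VPN range or from a country the actor has never used, raising severity when the touched repository holds CI/CD or wallet code. The IP ranges, actor names, repository names, action names and log field names are all assumptions made for the example.

```python
"""Flag repository access from proxy/VPN egress or from a new origin for an actor.

Example code added to this summary; it is not part of the Wiz report. The log
format, IP ranges, actor names, action names and repository names are constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed placeholder ranges standing in for an organisation's own list of
# residential-proxy / commercial-VPN egress networks (RFC 5737 documentation
# ranges, not real threat intelligence).
PROXY_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed names for repositories that hold CI/CD definitions or wallet code.
SENSITIVE_REPOS = {"acme/infra-ci", "acme/wallet-service"}

# Constructed baseline window: normal activity used to learn each actor's usual origin.
BASELINE_LOG = """\
{"ts": "2024-05-01T09:02:11Z", "action": "git.clone", "actor": "dev-alice", "actor_ip": "192.0.2.10", "country": "DE", "repo": "acme/infra-ci"}
{"ts": "2024-05-02T10:15:40Z", "action": "git.push", "actor": "dev-alice", "actor_ip": "192.0.2.11", "country": "DE", "repo": "acme/infra-ci"}
{"ts": "2024-05-03T08:44:03Z", "action": "git.clone", "actor": "dev-bob", "actor_ip": "192.0.2.50", "country": "US", "repo": "acme/website"}
"""

# Constructed recent window: the events to be evaluated against the baseline.
RECENT_LOG = """\
{"ts": "2024-05-10T03:12:55Z", "action": "git.clone", "actor": "dev-alice", "actor_ip": "203.0.113.77", "country": "BR", "repo": "acme/wallet-service"}
{"ts": "2024-05-10T03:20:01Z", "action": "repo.secrets_update", "actor": "dev-alice", "actor_ip": "203.0.113.77", "country": "BR", "repo": "acme/infra-ci"}
{"ts": "2024-05-10T11:05:30Z", "action": "git.push", "actor": "dev-bob", "actor_ip": "192.0.2.51", "country": "US", "repo": "acme/website"}
{"ts": "2024-05-11T14:00:00Z", "action": "git.clone", "actor": "dev-bob", "actor_ip": "198.51.100.9", "country": "US", "repo": "acme/website"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_proxy_origin(ip_str):
    """True if the source address falls inside one of the tagged proxy/VPN ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in PROXY_NETWORKS)


def build_baseline(events):
    """Map each actor to the set of countries they were seen from in the baseline window."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["actor"]].add(ev["country"])
    return seen


def detect(baseline_events, recent_events):
    """Return findings for recent events whose origin is a proxy range or new for the actor.

    Severity is 'high' when the event touches a sensitive repository, else 'medium'.
    Events with no anomalous origin produce no finding.
    """
    baseline = build_baseline(baseline_events)
    findings = []
    for ev in recent_events:
        reasons = []
        if is_proxy_origin(ev["actor_ip"]):
            reasons.append("proxy_or_vpn_egress")
        if ev["country"] not in baseline.get(ev["actor"], set()):
            reasons.append("new_country_for_actor")
        if not reasons:
            continue
        findings.append({
            "ts": ev["ts"],
            "actor": ev["actor"],
            "actor_ip": ev["actor_ip"],
            "repo": ev["repo"],
            "action": ev["action"],
            "reasons": reasons,
            "severity": "high" if ev["repo"] in SENSITIVE_REPOS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(BASELINE_LOG), parse_events(RECENT_LOG)):
        print(json.dumps(f))
```

On the constructed input the two `dev-alice` events are flagged at high severity (proxy range plus a country never seen for that actor, against sensitive repositories), the `dev-bob` push from the usual range is silent, and the `dev-bob` clone from a proxy range is flagged at medium severity on origin alone. In practice the proxy list would come from the organisation's chosen IP-reputation feed and the baseline from a longer, vetted history, and a high finding on a CI/CD repository is the trigger for the secret rotation recommended under "CI/CD Security".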