Full Report
A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware. "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal,
Analysis Summary
# Threat Actor: JINX-0164
## Attribution & Identity
- **Name/Alias:** JINX-0164
- **Identity:** A previously undocumented threat actor, identified by Wiz researchers in May 2026.
- **Known Associations:** Displays tactical overlaps (VPN usage, financial motivation, targeting) with North Korean threat clusters, including **BlueNoroff**, **Contagious Interview**, and **UNC1069**.
## Activity Summary
JINX-0164 has been active since at least mid-2025. The group specializes in sophisticated social engineering campaigns targeting the cryptocurrency sector. Their primary method involves posing as recruiters on LinkedIn to lure developers into downloading bespoke macOS malware. Notably, the group has successfully executed supply chain attacks by poisoning legitimate DeFi software packages to compromise development environments and CI/CD infrastructure.
## Tactics, Techniques & Procedures
- **Social Engineering:** Leveraging credible LinkedIn profiles; impersonating recruiters; using recruitment-themed lures (fake job interviews/technical tests).
- **Phishing/Luring:** Directing victims to rogue domains masquerading as teleconferencing providers or technical support sites.
- **Execution & Persistence:** Bash scripts stage and launch the payload; `launchctl` registers it as a launchd job so it is re-run at login or boot.
- **Lateral Movement:** Injecting payloads to move from employee laptops to internal code distribution systems and CI/CD development infrastructure.
- **Data Theft:** Stealing credentials from password managers, browsers, iCloud Keychain, SSH keys, and active sessions (Slack, Discord, Telegram).
- **Supply Chain Compromise:** Injecting malicious code into legitimate npm packages.
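The `launchctl` persistence described above leaves a launchd property list on disk, which is the cheapest place to hunt for it. The following script is an added example written for this summary; it is not code from the Wiz report or from the malware. It parses launchd plists with the standard-library `plistlib` and flags jobs that run a shell or Python interpreter, pass an inline `-c` script body, reference temp or hidden directories, or combine `RunAtLoad` with `KeepAlive`. The two sample plists, their labels, and the paths in them are constructed for illustration and are not indicators from the report.

```python
"""Triage macOS launchd plists for script-based persistence.

Added example, not code from the Wiz report. Heuristics: a job whose
program is an interpreter or downloader, an inline script body, references
to temp/shared or hidden home directories, and RunAtLoad+KeepAlive. The
SAMPLE_PLISTS below are constructed; labels and paths are hypothetical.
"""
import plistlib
import shlex
from pathlib import Path

# Binaries a signed app bundle rarely uses as its launchd entry point.
SCRIPT_RUNNERS = {"bash", "sh", "zsh", "python", "python3", "perl", "osascript", "curl"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
LAUNCHD_DIRS = (
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
)

SAMPLE_PLISTS = {  # constructed samples; not real indicators
    "com.example.driverfix.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.driverfix</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string><string>-c</string>
<string>/usr/bin/python3 /Users/dev/.cache/fix/run.py</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Library/Application Support/Example/Updater.app/Contents/MacOS/Updater</string>
<string>--check</string>
</array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
}


def _tokens(argv):
    """Split each argument shell-style so paths inside a `-c` body are visible."""
    out = []
    for a in argv:
        try:
            out.extend(shlex.split(a) or [a])
        except ValueError:
            out.append(a)
    return out


def _hidden_dir_under_home(path):
    parts = Path(path).parts
    return path.startswith("/Users/") and len(parts) > 3 and any(p.startswith(".") for p in parts[3:])


def suspicious_reasons(plist):
    """Return human-readable reasons a parsed launchd job looks like script persistence."""
    argv = []
    if plist.get("Program"):
        argv.append(plist["Program"])
    argv.extend(plist.get("ProgramArguments") or [])
    if not argv:
        return []
    reasons = []
    exe = Path(argv[0]).name
    if exe in SCRIPT_RUNNERS:
        reasons.append(f"runs interpreter {exe!r} rather than a signed app bundle")
    if any(a in ("-c", "-e") for a in argv):
        reasons.append("inline script body passed to interpreter")
    for tok in _tokens(argv):
        if tok.startswith(TEMP_PREFIXES):
            reasons.append(f"references temp or shared path {tok!r}")
        elif _hidden_dir_under_home(tok):
            reasons.append(f"references hidden directory under home {tok!r}")
    if plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        reasons.append("RunAtLoad combined with KeepAlive/StartInterval (respawns)")
    return reasons


def triage(plist_blobs):
    """Map plist name -> reasons, for every blob that parses and trips a heuristic."""
    findings = {}
    for name, blob in plist_blobs.items():
        try:
            pl = plistlib.loads(blob)  # handles XML and binary plists
        except Exception as exc:  # malformed plist is itself worth a look
            findings[name] = [f"unparseable plist: {exc}"]
            continue
        reasons = suspicious_reasons(pl)
        if reasons:
            findings[name] = reasons
    return findings


def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Read the real launchd directories on this host and triage them."""
    blobs = {str(p): p.read_bytes() for d in dirs if d.is_dir() for p in d.glob("*.plist")}
    return triage(blobs)


if __name__ == "__main__":
    for name, reasons in {**triage(SAMPLE_PLISTS), **scan_launchd_dirs()}.items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it on a developer Mac to list flagged jobs; pair the hit with `launchctl list` or `launchctl print gui/$(id -u)` to confirm the job is actually loaded, since a plist on disk that launchd has not loaded is noise.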
## Targeting
- **Sectors:** Cryptocurrency, Decentralized Finance (DeFi), Software Development.
- **Geography:** Global (targeting decentralized organizations).
- **Victims:** Individual software developers and cryptocurrency organizations (e.g., users of the VeloraDEX platform).
## Tools & Infrastructure
- **Malware Families:**
- **AUDIOFIX:** A Python-based infostealer and Remote Access Trojan (RAT) for macOS.
- **MiniRAT:** A Go-based backdoor used for file exfiltration and arbitrary command execution.
- **Infrastructure:**
- `apple.driver-store[.]com` (Fake driver/malware host)
- Fake teleconferencing domains
- Use of VPN services (e.g., Astrill VPN) to mask origin.
- **Poisoned Packages:** `@velora-dex/sdk` (found on npm).
## Implications
JINX-0164 represents a high-tier financial threat specifically targeting the macOS ecosystem, which is often less scrutinized in enterprise security than Windows. By targeting CI/CD pipelines and developers, the actor gains the ability to "poison the well," potentially compromising the customers of the organizations they breach. This shift from simple wallet theft to deep infrastructure compromise indicates a highly mature operational capability.
## Mitigations
- **Endpoint Security:** Deploy Endpoint Detection and Response (EDR) tooling configured for macOS, with alerting on new or modified launchd jobs (`launchctl` loading plists from user-writable locations) and on the Python interpreter or unsigned Go binaries being spawned from shell scripts dropped outside normal application paths.
- **CI/CD Security:** Implement strict integrity checks for build environments and require multi-party approval for changes to production code.
- **Supply Chain Defense:** Pin dependencies with a committed lockfile and install with `npm ci`, and review any unexpected new version of a dependency before it reaches a build. Software composition analysis (SCA) tooling that only looks for typosquats or known-vulnerable versions will not catch a legitimate package such as `@velora-dex/sdk` that has been poisoned upstream; the signal for that case is an unplanned version bump or a changed tarball hash.
- **Security Awareness:** Educate developers on the risks of recruitment-themed social engineering; emphasize that legitimate recruiters will not require the installation of custom drivers or "fix" scripts for interview software.
- **Identity Management:** Enforce phishing-resistant, hardware-backed MFA (e.g., FIDO2) so that passwords and keychain contents stolen from a laptop cannot be replayed on their own. Hardware MFA does not protect an already-issued session token; for stolen Slack, Discord, Telegram or SSO sessions, rely on short session lifetimes, device-bound or re-authenticated sensitive actions, and prompt revocation of all sessions when a developer endpoint is suspected compromised.
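The supply-chain mitigation above comes down to one check in CI: diff the lockfile a pull request wants to merge against the one on the main branch and fail on anything that changes what gets installed. The script below is an added example for this summary, not the project's or Wiz's code. It reads two `package-lock.json` files (lockfile version 2 or 3, which carry the `packages` map) and reports added or removed packages, version changes, same-version tarballs whose `integrity` hash differs, and packages resolved from a registry host outside an allowlist. The two embedded lockfiles, their package versions and integrity strings are constructed placeholders.

```python
"""Gate npm lockfile changes in CI.

Added example, not the project's code. Compares two package-lock.json
documents (lockfileVersion 2/3) and reports what would change on install.
The embedded OLD_LOCK/NEW_LOCK are constructed; versions and hashes are
placeholders, not real releases of the packages named.
"""
import json
import sys
from urllib.parse import urlparse

TRUSTED_HOSTS = ("registry.npmjs.org",)  # assumption: only the public registry is allowed

OLD_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"@velora-dex/sdk": "^1.2.3", "ethers": "^6.13.0"}},
    "node_modules/@velora-dex/sdk": {"version": "1.2.3",
      "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-1.2.3.tgz",
      "integrity": "sha512-PLACEHOLDER_SDK_123"},
    "node_modules/ethers": {"version": "6.13.0",
      "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz",
      "integrity": "sha512-PLACEHOLDER_ETHERS_A"}
  }
}""")

NEW_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app", "dependencies": {"@velora-dex/sdk": "^1.2.3", "ethers": "^6.13.0"}},
    "node_modules/@velora-dex/sdk": {"version": "1.2.4",
      "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-1.2.4.tgz",
      "integrity": "sha512-PLACEHOLDER_SDK_124"},
    "node_modules/ethers": {"version": "6.13.0",
      "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz",
      "integrity": "sha512-PLACEHOLDER_ETHERS_B"},
    "node_modules/fix-helper": {"version": "0.0.1",
      "resolved": "https://npm.example-mirror.net/fix-helper/-/fix-helper-0.0.1.tgz",
      "integrity": "sha512-PLACEHOLDER_HELPER"}
  }
}""")


def _packages(lock):
    """Return {install_path: entry} and drop the root ("") entry."""
    pk = lock.get("packages")
    if pk is None:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    return {k: v for k, v in pk.items() if k}


def diff_lockfiles(old, new, trusted_hosts=TRUSTED_HOSTS):
    """Report every way `new` would install something different from `old`."""
    o, n = _packages(old), _packages(new)
    report = {"added": [], "removed": [], "version_changed": [],
              "integrity_changed": [], "untrusted_source": []}
    for path in sorted(set(o) | set(n)):
        if path not in o:
            report["added"].append((path, n[path].get("version")))
        elif path not in n:
            report["removed"].append((path, o[path].get("version")))
        else:
            ov, nv = o[path].get("version"), n[path].get("version")
            if ov != nv:
                report["version_changed"].append((path, ov, nv))
            elif o[path].get("integrity") != n[path].get("integrity"):
                # same version, different tarball hash: republished or swapped artifact
                report["integrity_changed"].append((path, ov))
        entry = n.get(path)
        if entry and entry.get("resolved"):
            host = urlparse(entry["resolved"]).hostname
            if host not in trusted_hosts:
                report["untrusted_source"].append((path, entry["resolved"]))
    return report


def gate(report):
    """True when the lockfile change is safe to merge without human review."""
    return not any(report[k] for k in ("added", "version_changed", "integrity_changed", "untrusted_source"))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            rep = diff_lockfiles(json.load(f1), json.load(f2))
    else:
        rep = diff_lockfiles(OLD_LOCK, NEW_LOCK)
    for kind, items in rep.items():
        for item in items:
            print(kind, *item)
    sys.exit(0 if gate(rep) else 1)
```

In CI, run `python lockdiff.py base/package-lock.json head/package-lock.json` and treat a non-zero exit as "needs a second reviewer", which is the multi-party approval step the CI/CD mitigation calls for. Removals are reported but not blocked, since dropping a dependency does not add code to the build.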