
JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

Published:

28 May 2026 at 07:54:48

Alert date:

28 May 2026 at 09:01:17

Source:

thehackernews.com


Operating Systems, Ransomware & Malware, Data Breach & Exfiltration, Supply Chain & Dependencies

A previously undocumented threat actor designated JINX-0164 has launched sophisticated campaigns targeting cryptocurrency organizations. The attacks use fake recruitment-themed social engineering and custom macOS malware built to facilitate digital asset theft. The campaigns demonstrate advanced techniques, including deep targeting of CI/CD infrastructure and bespoke malware development specifically for macOS environments. The threat actor appears to focus exclusively on cryptocurrency firms, suggesting specialized knowledge of the digital asset ecosystem.

Technical details

JINX-0164 uses sophisticated social engineering, approaching victims through LinkedIn profiles and offering virtual meetings. Victims are directed to rogue domains masquerading as teleconference providers and tricked into downloading malware. The attack chain involves a bash script that downloads a Python-based macOS infostealer and RAT called AUDIOFIX from apple.driver-store[.]com. The payload is architecture-aware (compatible with Intel and Apple Silicon), masquerades as coreaudiod but is saved to disk as ChromeUpdater, and is executed via launchctl. AUDIOFIX steals sensitive data and enables lateral movement to CI/CD infrastructure. The group also distributes MiniRAT, a Go-based backdoor, through compromised npm packages such as @velora-dex/sdk.

Mitigation steps:

Monitor for suspicious LinkedIn recruitment approaches
Be cautious of virtual meeting invites from unknown sources
Implement endpoint detection for unusual launchctl activities
Monitor CI/CD infrastructure for unauthorized access
Check for compromised npm packages in development environments
Implement supply chain security measures for software dependencies
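As an added example (written for this page, not code from the advisory, from Perceptive or from the underlying Hacker News report), the Python script below turns two of the mitigation steps above into local triage checks: it inspects a launchd property list for the launchctl persistence pattern the advisory describes (a coreaudiod-style label whose program is actually saved under another name such as ChromeUpdater, or a coreaudiod binary outside its stock path), and it scans a package-lock.json for the compromised @velora-dex/sdk package. The IOC names are taken from the advisory; the allowlisted coreaudiod path (/usr/sbin/coreaudiod), the lockfile layouts handled, and both sample inputs are assumptions and constructed data, not observations from the campaign.

```python
import json
import plistlib
from typing import Dict, List

# Names taken from the advisory's IOC list. The allowlisted coreaudiod path
# is an assumption (stock macOS location), not something the advisory states.
SUSPICIOUS_PROGRAM_NAMES = {"chromeupdater"}
EXPECTED_COREAUDIOD_PATHS = {"/usr/sbin/coreaudiod"}
COMPROMISED_NPM_PACKAGES = {"@velora-dex/sdk"}


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1].lower()


def launchd_findings(plist_bytes: bytes, source: str) -> List[str]:
    """Inspect one launchd item (a LaunchAgents/LaunchDaemons plist) and
    return findings matching the persistence pattern in the advisory."""
    try:
        item = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchctl cannot load is itself a lead
        return [f"{source}: could not parse plist ({exc})"]
    if not isinstance(item, dict):
        return [f"{source}: unexpected top-level plist type {type(item).__name__}"]

    findings: List[str] = []
    programs = [p for p in [item.get("Program"), *(item.get("ProgramArguments") or [])]
                if isinstance(p, str)]
    label = str(item.get("Label", ""))

    for path in programs:
        name = _basename(path)
        if name == "coreaudiod" and path not in EXPECTED_COREAUDIOD_PATHS:
            findings.append(f"{source}: coreaudiod launched from non-standard path {path}")
        elif name in SUSPICIOUS_PROGRAM_NAMES:
            findings.append(f"{source}: program name matches advisory IOC: {path}")

    # The payload masquerades as coreaudiod while being saved under another
    # name, so a coreaudiod-style label that runs something else is suspicious.
    if "coreaudiod" in label.lower() and not any(_basename(p) == "coreaudiod" for p in programs):
        findings.append(f"{source}: label {label!r} suggests coreaudiod but runs {programs}")
    return findings


def _walk_v1_dependencies(deps: Dict, found: Dict[str, str]) -> None:
    # lockfileVersion 1 nests transitive dependencies under each entry
    for name, meta in deps.items():
        if name in COMPROMISED_NPM_PACKAGES:
            found[name] = meta.get("version", "?")
        _walk_v1_dependencies(meta.get("dependencies", {}), found)


def npm_lockfile_findings(lockfile_text: str) -> List[str]:
    """Report advisory-listed packages present in a package-lock.json.
    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path)
    and the older lockfileVersion 1 "dependencies" tree."""
    lock = json.loads(lockfile_text)
    found: Dict[str, str] = {}
    if "packages" in lock:
        for key, meta in lock["packages"].items():
            name = key.split("node_modules/")[-1]  # last segment is the package name
            if name in COMPROMISED_NPM_PACKAGES:
                found[name] = meta.get("version", "?")
    else:
        _walk_v1_dependencies(lock.get("dependencies", {}), found)
    return [f"package-lock: {n}@{v} present" for n, v in sorted(found.items())]


# Constructed sample inputs (not artifacts from the campaign).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.coreaudiod</string>
<key>ProgramArguments</key><array><string>/Users/dev/Library/Application Support/ChromeUpdater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.audio.coreaudiod</string>
<key>Program</key><string>/usr/sbin/coreaudiod</string>
</dict></plist>"""

SAMPLE_LOCKFILE = json.dumps({
    "name": "trading-bot", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "dependencies": {"@velora-dex/sdk": "^1.4.2"}},
        "node_modules/@velora-dex/sdk": {"version": "1.4.2"},  # constructed version
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})


def triage() -> List[str]:
    """Run both checks over the constructed samples and return all findings."""
    return (launchd_findings(SAMPLE_PLIST, "sample.plist")
            + launchd_findings(BENIGN_PLIST, "benign.plist")
            + npm_lockfile_findings(SAMPLE_LOCKFILE))


if __name__ == "__main__":
    for line in triage():
        print(line)
```

In use, the plist bytes would come from each file under the user and system LaunchAgents and LaunchDaemons directories, and the lockfile text from each repository's package-lock.json; the name-based checks are deliberately narrow to the IOCs the advisory publishes, so they complement rather than replace endpoint telemetry on launchctl activity.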

Affected products:

macOS (Intel and Apple Silicon)
@velora-dex/sdk npm package
VeloraDEX decentralized exchange platform

Related links:

Related CVEs:

Related threat actors:

IOCs:

apple.driver-store[.]com, ChromeUpdater, coreaudiod, AUDIOFIX malware, MiniRAT backdoor, @velora-dex/sdk compromised package

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
