A new threat actor tracked as JINX-0164 has been running calculated attacks against cryptocurrency organizations, using LinkedIn profiles to lure developers into downloading custom macOS malware.
Active since at least mid-2025, the group has combined social engineering, credential theft, and supply chain sabotage into a seamless operation that puts the entire software development pipeline at risk.
The attacks begin with a convincingly crafted LinkedIn profile reaching out to targets under the guise of a business opportunity or a job offer.
Once trust is established, victims receive a meeting invitation linked to a fake conferencing platform page designed to look like Microsoft Teams or similar services.
Clicking the link triggers the download of a macOS-specific remote access tool that silently begins stealing sensitive data from the moment it runs.
Researchers at Wiz.io identified and named the threat cluster JINX-0164 after investigating multiple intrusions targeting cryptocurrency companies.
Wiz CIRT and Wiz Research said in a report shared with Cyber Security News that this actor is financially motivated and has been deploying two distinct malware families, AUDIOFIX and MINIRAT, with a clear focus on macOS devices.
AUDIOFIX is a compiled Python-based infostealer and backdoor that harvests browser credentials, cryptocurrency wallet extensions, SSH keys, cloud API tokens, and even clipboard data in real time.
Attack Chain (Source – Wiz.io)
It communicates with its command-and-control server over encrypted HTTPS, using AES-256-CBC encryption, and can quietly switch to randomized polling intervals to avoid detection.
The malware also targets active sessions on communication platforms like Discord, Slack, and Telegram, giving attackers a wide view into a victim’s digital life.
The threat actor masked their network activity by routing connections through commercial VPN services, making attribution harder.
To further cover their tracks, they tampered with Git commit metadata to impersonate legitimate developers and pushed malicious code directly into internal repositories, turning the organization’s own development infrastructure into a delivery mechanism for further infections.
JINX-0164 Threat Actor Using LinkedIn Social Engineering
The attack chain unfolded over a two-week period in one documented case, moving from a LinkedIn message to full infrastructure compromise.
Once a developer clicked the fake meeting link, AUDIOFIX was downloaded via a bash dropper script hosted on a fake driver update domain.
The payload disguised itself as a system audio component named coreaudiod and was saved as ChromeUpdater, launched through launchctl to establish persistence.
After gaining a foothold, the malware harvested credentials from macOS Keychain, browsers, and cloud configuration files, including AWS, GCP, and Azure keys, as well as Cloudflare API tokens.
GitHub tokens were then used to exfiltrate secrets from CI/CD pipelines using an open-source tool called nord-stream. The attacker pushed infected code into shared repositories, which then spread AUDIOFIX to every developer who pulled and built from those branches.
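Added example (not code from the article or from Wiz) for triaging the launchctl persistence described above: it parses LaunchAgent plists and flags a program that borrows an Apple daemon's name, such as coreaudiod, while running outside the system paths, or that runs from a user-writable directory. The daemon-name list, path prefixes and the sample plist are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Apple daemons that legitimately live under system paths; a same-named
# binary elsewhere is the masquerading pattern in the article (assumed list).
SYSTEM_DAEMON_NAMES = {"coreaudiod", "launchd", "mds", "mdworker"}
SYSTEM_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/libexec/",
                   "/System/", "/Library/Apple/")
USER_WRITABLE_PREFIXES = ("/Users/", "~", "/tmp/", "/private/tmp/", "/var/folders/")


def audit_plist_bytes(data: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks like malware persistence (empty = clean)."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    reasons = []
    if not program:
        return reasons
    name = Path(program).name
    if name in SYSTEM_DAEMON_NAMES and not program.startswith(SYSTEM_PREFIXES):
        reasons.append(f"system daemon name {name!r} outside system paths: {program}")
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"program runs from a user-writable location: {program}")
    return reasons


def audit_launch_agents(directory: str = "~/Library/LaunchAgents") -> dict[str, list[str]]:
    """Scan every plist in the directory; map file path -> reasons (flagged files only)."""
    results = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        try:
            reasons = audit_plist_bytes(path.read_bytes())
        except Exception as exc:  # malformed plist is itself worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            results[str(path)] = reasons
    return results


# Constructed sample: a user LaunchAgent that starts a binary posing as coreaudiod.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.audio.helper</string>
  <key>ProgramArguments</key><array><string>/Users/dev/Library/Caches/coreaudiod</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for reason in audit_plist_bytes(SUSPICIOUS_PLIST):
        print("FLAG:", reason)
```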
Supply Chain Attack via Trojanized npm Package
On April 7, 2026, JINX-0164 escalated by targeting the broader software supply chain. The group quietly modified version 4.9.1 of the npm package @velora-dex/sdk, a widely used cryptocurrency SDK, appending code that would download and execute a shell script whenever the package was imported by any project.
That shell script delivered MINIRAT, a lightweight Go-based backdoor that registers infected machines with the same command-and-control infrastructure used by AUDIOFIX.
Although MINIRAT does not perform the same broad automated data theft, it provides operators with persistent remote access and the ability to execute commands and move files.
Only npm credentials were compromised in this incident, as the source code on GitHub remained unmodified.
Organizations are advised to deploy an Endpoint Detection and Response solution and enable audit logging across all cloud platforms and version control systems by default.
Security teams should watch for unverified commits in GitHub, unexpected VPN usage from providers like ExpressVPN, Astrill VPN, and Mullvad VPN, and any anomalous workflow activity in CI/CD pipelines.
Enabling GitHub Vigilant Mode can help surface developer impersonation attempts through unsigned or mismatched commits. Teams should also monitor for the use of nord-stream and flag any new code package publications originating from unfamiliar IP addresses.
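Added example (not the article's or Wiz's code) for the commit-impersonation check recommended above: it reads the output of `git log --format='%H|%G?|%an|%ae|%cn|%ce'` and flags commits that are unsigned or carry an untrusted signature, commits whose author or committer e-mail is outside the organization's domains, and commits where author and committer identities disagree. The allowed-domain set and the sample log lines are constructed assumptions.

```python
from dataclasses import dataclass

# Meaning of git's %G? field (see git-log(1), PRETTY FORMATS):
# G good, U good but untrusted key, N no signature, B bad, E missing key,
# X/Y expired signature/key, R revoked key.
TRUSTED_SIGNATURE = {"G", "U"}
ALLOWED_DOMAINS = {"example.com"}  # constructed: the organization's own domains


@dataclass
class Finding:
    commit: str
    reason: str


def audit_git_log(log_text: str, allowed_domains=ALLOWED_DOMAINS) -> list[Finding]:
    """Flag commits from `git log --format='%H|%G?|%an|%ae|%cn|%ce'` output."""
    findings = []
    for line in log_text.strip().splitlines():
        fields = line.split("|")
        if len(fields) != 6:
            continue  # malformed line: skip rather than guess
        sha, sig, author_name, author_email, committer_name, committer_email = fields
        if sig == "N":
            findings.append(Finding(sha, "unsigned commit"))
        elif sig not in TRUSTED_SIGNATURE:
            findings.append(Finding(sha, f"signature status {sig!r} is not trusted"))
        for role, email in (("author", author_email), ("committer", committer_email)):
            domain = email.rsplit("@", 1)[-1].lower()
            if domain not in allowed_domains:
                findings.append(Finding(sha, f"{role} e-mail outside org domains: {email}"))
        if (author_name, author_email) != (committer_name, committer_email):
            findings.append(Finding(sha, f"author/committer mismatch: {author_email} vs {committer_email}"))
    return findings


# Constructed sample: one clean signed commit, one unsigned commit whose
# committer identity was rewritten by a tool outside the organization.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|G|Alice Dev|alice@example.com|Alice Dev|alice@example.com
2222222222222222222222222222222222222222|N|Alice Dev|alice@example.com|ci-tool|ci-tool@localhost.invalid
"""

if __name__ == "__main__":
    for finding in audit_git_log(SAMPLE_LOG):
        print(finding.commit[:12], finding.reason)
```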
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post JINX-0164 Threat Actor Using LinkedIn Social Engineering to Deploy Custom macOS Malware appeared first on Cyber Security News.