Back

New Threat Actor JINX-0164 Targets Cryptocurrency Organizations

Severity: High (Score: 70.5)

Sources: www.wiz.io, Infosecurity-Magazine

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: threat, actor, targeting, cryptocurrency, actors, target, crypto

Summary

A new threat actor, JINX-0164, has been identified targeting cryptocurrency firms using custom macOS malware and social engineering tactics. Active since mid-2025, the group employs fake recruiter approaches to gain initial access. Victims are invited to virtual meetings on lookalike domains, where malware is installed under the guise of a technical fix. The malware, named Audiofix, is capable of stealing sensitive information such as credentials and cryptocurrency wallet details. JINX-0164 has also hijacked internal development pipelines, injecting malicious code into repositories, leading to further infections. The group has been linked to multiple incidents, including the trojanization of npm packages. Security experts recommend monitoring for specific indicators of compromise and enhancing logging practices. The threat remains active as of May 2026. Key Points: • JINX-0164 targets cryptocurrency organizations using sophisticated social engineering. • The group employs custom macOS malware named Audiofix to steal sensitive credentials. • Infections spread through compromised development pipelines and trojanized npm packages.

Detailed Analysis

**Impact** Cryptocurrency organizations and developers have been targeted, with intrusions affecting internal code distribution systems and development infrastructure. The threat actor compromised source code repositories, leading to supply chain risks and potential theft of cryptocurrency wallet credentials. The scope includes multiple organizations active since mid-2025, with at least one supply chain attack impacting a widely used npm package. The financial sector focused on crypto assets is primarily affected, with no specific geographic concentration reported. **Technical Details** Initial access was gained through social engineering on LinkedIn, using credible or fabricated recruiter profiles to invite victims to virtual meetings hosted on lookalike domains. The payload, AUDIOFIX, is a Python-based macOS infostealer and RAT masquerading as a system audio driver, targeting Intel and Apple Silicon architectures. The actor used stolen credentials and GitHub tokens to move laterally into CI/CD pipelines, injecting malicious code into internal repositories and npm packages, propagating via poisoned builds. VPN services including Mullvad, Astrill, and ExpressVPN were used to mask C2 traffic. Key IOCs include the fake domain apple.driver-store[.]com, use of launchctl to execute malware, and the presence of XOR-encoded passwords in ~/.zsh_cache. **Recommended Response** Monitor for unusual VPN usage, particularly Mullvad, Astrill, and ExpressVPN, and enable GitHub IP logging and Vigilant Mode to detect unverified commits. Treat all unverified or suspicious commits as potential compromise and audit CI/CD workflows for unauthorized secret exfiltration. Block known malicious domains such as apple.driver-store[.]com and monitor for execution of suspicious launchctl tasks. Increase scrutiny on recruitment-themed social engineering attempts on professional networks and enforce multi-factor authentication on developer endpoints and code repositories.

Source articles (2)

  • New Threat Actor Jinx — Infosecurity-Magazine · 2026-05-28
    A previously unreported threat actor has been observed targeting cryptocurrency firms with custom macOS malware, fake recruiter approaches and the hijacking of internal development pipelines. Wiz has…
  • Threat Actors Target Crypto Orgs — www.wiz.io · 2026-05-28
    The Wiz Customer Incident Response Team (CIRT) has investigated multiple intrusions targeting cryptocurrency organizations. These campaigns leveraged sophisticated social engineering techniques, custo…

Timeline

  • 2025-04-07 — Trojanized npm package discovered: Version 4.9.1 of @velora-dex/sdk was found to include malicious code fetching a backdoor.
  • 2026-05-28 — Public disclosure of JINX-0164 activities: Wiz published findings detailing the attack methods and tools used by JINX-0164 targeting crypto firms.
  • Recent — JINX-0164 identified by Wiz: Wiz's analysis attributed multiple attacks to the previously unreported actor JINX-0164, active since mid-2025.

Related entities

  • Jinx-0164 (Apt Group)
  • Sapphire Sleet (Apt Group)
  • Sleet (Apt Group)
  • Slow Pisces (Apt Group)
  • UNC1069 (Apt Group)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Bitget (Company)
  • North Korea (Country)
  • actors.in (Domain)
  • alibaba.xyz (Domain)
  • annex.in (Domain)
  • apple.driver-hub.net (Domain)
  • apple.driver-store.com (Domain)
  • apple.driver-update.io (Domain)
  • apple.drvstore.com (Domain)
  • app.us03-slack.online (Domain)
  • bitget-meeting.com (Domain)
  • byte-io.us (Domain)
  • cirt.in (Domain)
  • cloud-sync.online (Domain)
  • company-group.us03-slack.online (Domain)
  • driver-hub.net (Domain)
  • driver-store.com (Domain)
  • driver-update.io (Domain)
  • driver-updater.net (Domain)
  • drvstore.com (Domain)
  • learn.bitget-meeting.com (Domain)
  • learn.teamicrosoft.com (Domain)
  • learn.teams.us.org (Domain)
  • live.org.mx (Domain)
  • live.us.org (Domain)
  • login.bitget-meeting.com (Domain)
  • login.teamicrosoft.com (Domain)
  • resource.bitget-meeting.com (Domain)
  • resource.teamicrosoft.com (Domain)
  • sitemaps.driver-store.com (Domain)
  • teamicrosoft.com (Domain)
  • team.live.us.org (Domain)
  • teams.live.org.mx (Domain)
  • teams.live.us.org (Domain)
  • teams.us.org (Domain)
  • us03-slack.online (Domain)
  • windows.driver-hub.net (Domain)
  • windows.driver-store.com (Domain)
  • windows.driver-update.io (Domain)
  • windows.drvstore.com (Domain)
  • www.bitget-meeting.com (Domain)
  • www.driver-hub.net (Domain)
  • www.driver-store.com (Domain)
  • www.driver-update.io (Domain)
  • www.driver-updater.net (Domain)
  • www.drvstore.com (Domain)
  • www.live.us.org (Domain)
  • www.teamicrosoft.com (Domain)
  • www.us03-slack.online (Domain)
  • Financial (Industry)
  • 163.172.53.20 (Ipv4)
  • 185.100.85.250 (Ipv4)
  • 185.100.85.98 (Ipv4)
  • 84.32.83.250 (Ipv4)
  • Audiofix (Malware)
  • Minirat (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1056 - Input Capture (Mitre Attack)
  • T1059.004 - Unix Shell (Mitre Attack)
  • T1071.001 - Web Protocols (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Discord (Platform)
  • GitHub (Platform)
  • MacOS (Platform)
  • Slack (Platform)
  • Telegram (Platform)
  • Dropbox (Tool)
  • Microsoft Teams (Tool)
  • Npm (Tool)
  • Astrill (Tool)
  • Astrill VPN (Tool)
  • ExpressVPN (Tool)
  • Mullvad VPN (Tool)
  • Nord-stream (Tool)
  • 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270 (Sha256)
  • 9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a (Sha256)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed