A previously unreported threat actor is under scrutiny for targeting cryptocurrency firms using macOS malware, fake recruiter approaches, and the hijacking of internal development pipelines. Security firm Wiz, which analyzed the activity, attributes it to a financially motivated group it has named Jinx-0164.
Operating since at least mid-2025, Jinx-0164 has made macOS its primary focus. Its tactics resemble North Korean cyber operations, particularly those associated with UNC1069, also known as Sleet. However, despite these overlaps with established state-sponsored groups, Wiz has not found sufficient evidence to link Jinx-0164 directly to any state-sponsored operation.
### The Methodology: Fake Meetings and Cloned Drivers
Jinx-0164's intrusions usually begin with a convincing façade on LinkedIn. The attacker poses as a legitimate business contact or recruiter and uses a credible profile to build trust. From that initial contact, the target is lured into a virtual meeting hosted on a look-alike domain that mimics an established platform such as Microsoft Teams.
Once the victim joins the meeting, they are prompted to resolve a fabricated technical issue by downloading and running a supposed "fix." Running that fix installs malware named Audiofix, a Python-based stealer and remote access tool disguised as a system audio driver. The malware runs on both Intel and Apple Silicon machines and lets the actor extract sensitive information from the victim's computer.
Audiofix is designed to harvest a wide array of critical data including Keychain contents, browser credentials, SSH keys, cloud provider keys, and specifics from 51 different cryptocurrency wallet extensions. Furthermore, it has the capability to hijack sessions from popular communication platforms like Discord, Slack, and Telegram, while also monitoring clipboard activities for copied wallet addresses.
### Diversifying Targeting Approaches: From Laptops to Code Pipelines
Jinx-0164's tactics extend beyond individual systems to development infrastructure. Unlike many threat actors, who focus on pivoting into cloud accounts, this group turns compromised GitHub tokens against the victims' development environments. Using the open-source tool nord-stream, Jinx-0164 extracts secrets from Continuous Integration and Continuous Deployment (CI/CD) pipelines.
The group then injects Audiofix into the compromised internal repositories. By disguising its malicious commits under the names of other developers, it can push these changes into main or other existing branches of the codebase. This turns the build process into an infection channel: when colleagues build software from the tainted repositories, their machines are compromised too. GitHub's Vigilant Mode, which flags unverified commits, has been noted as a key defense here because it exposes these impersonations and helps halt the spread of the malware.
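As an added example (not Wiz's tooling or GitHub's Vigilant Mode itself), the script below applies the same idea locally: it audits `git log` output for commits that carry no good signature and for commits whose author name belongs to a known developer but whose email does not match the roster. The developer roster and the sample commit lines are constructed for illustration; `git log --format='%H%x1f%G?%x1f%an%x1f%ae%x1f%s'` produces lines in the format the parser expects, and `%G?` only reports `G` when the signer's public key is available to git on the machine running the audit.

```python
"""Flag unverified and author-spoofed commits from `git log` output.

Produce input with:
    git log --format='%H%x1f%G?%x1f%an%x1f%ae%x1f%s' main
%G? is git's signature status: G = good signature, N = no signature,
B = bad signature, U/X/Y/R = untrusted, expired or revoked key,
E = signature present but could not be checked (key not in keyring).
"""
from dataclasses import dataclass
import subprocess

SEP = "\x1f"
LOG_FORMAT = "%H%x1f%G?%x1f%an%x1f%ae%x1f%s"

# Hypothetical developer roster: display name -> expected commit email.
TRUSTED = {"Alice Dev": "alice@example.test", "Bob Build": "bob@example.test"}


@dataclass
class Finding:
    sha: str      # abbreviated commit hash
    author: str   # author name as recorded in the commit
    reason: str


def audit_commit(line: str, roster: dict = TRUSTED) -> list:
    """Return the findings for one log line (empty list means clean)."""
    sha, sig, name, email, _subject = line.rstrip("\n").split(SEP, 4)
    short = sha[:12]
    findings = []
    if sig != "G":  # anything other than a good, verifiable signature
        findings.append(Finding(short, name, f"unverified signature (status {sig})"))
    expected = roster.get(name)
    if expected is None:
        findings.append(Finding(short, name, "author not on developer roster"))
    elif email.lower() != expected:  # a known name with a foreign email
        findings.append(Finding(short, name, f"author email {email} does not match roster"))
    return findings


def audit_log(lines, roster: dict = TRUSTED) -> list:
    return [f for line in lines if line.strip() for f in audit_commit(line, roster)]


def audit_repo(path: str, ref: str = "main", roster: dict = TRUSTED) -> list:
    """Run git against a local checkout and audit the given ref."""
    out = subprocess.run(["git", "-C", path, "log", f"--format={LOG_FORMAT}", ref],
                         capture_output=True, text=True, check=True).stdout
    return audit_log(out.splitlines(), roster)


# Constructed sample: #1 is Alice, signed; #2 impersonates Alice from another
# email, unsigned; #3 is Bob, unsigned; #4 is an unknown author, uncheckable.
SAMPLE = [
    SEP.join(["1" * 40, "G", "Alice Dev", "alice@example.test", "fix typo"]),
    SEP.join(["2" * 40, "N", "Alice Dev", "alice.dev@mail.example", "add audio driver"]),
    SEP.join(["3" * 40, "N", "Bob Build", "bob@example.test", "bump version"]),
    SEP.join(["4" * 40, "E", "Mallory", "m@example.test", "update build script"]),
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE):
        print(f.sha, f.author, f.reason)
```

Run it against a real checkout with `audit_repo("/path/to/repo")`; a finding is a prompt to confirm the commit with its purported author, not proof of compromise.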
### Beyond Direct Intrusions: A Broader Cyber Offensive
The group's operations did not stop at direct intrusions. On April 7, it broadened its reach by trojanizing version 4.9.1 of the npm package @velora-dex/sdk, a toolkit used in decentralized exchanges. The appended malicious code fetches a secondary macOS backdoor dubbed MINIRAT, showing how the group adapts its delivery methods.
The recruitment-themed lure has been used by several groups in the crypto sphere, echoing past campaigns by actors such as Slow Pisces. Cryptocurrency firms are attractive targets because the assets involved are directly monetizable, which draws financially motivated cybercriminals.
### Recommendations for Defending Against Jinx-0164
In light of these findings, Wiz has issued guidance for defenders. It advises monitoring the published indicators of compromise, unexpected use of VPN services such as Mullvad, Astrill, and ExpressVPN, and unauthorized exfiltration of secrets from CI/CD workflows.
Wiz also recommends enabling logging features that are off by default, such as GitHub IP logging, and treating unverified commits with suspicion. These measures can help defend against groups like Jinx-0164 and underline the need for a robust security posture.
The ongoing investigation into Jinx-0164 is a reminder of the persistent weaknesses in the cryptocurrency sector and of the methods malicious actors use to exploit them. Vigilance and continued adaptation will be critical in countering these threats.