JINX-0164: The Orchestrated Targeting of Crypto-Development Pipelines

A sophisticated new threat actor, identified as JINX-0164, has emerged with a specialized focus on infiltrating cryptocurrency organizations. Unlike broad-spectrum cybercrime groups, this actor employs highly targeted social engineering via LinkedIn to bypass traditional perimeter defenses and strike directly at the heart of the software development lifecycle (SDLC).

Since mid-2025, JINX-0164 has demonstrated a high level of operational maturity. Their toolkit is not limited to generic malware; rather, it includes custom macOS payloads designed for cross-architecture compatibility, advanced credential harvesting, and the strategic abuse of CI/CD pipelines to facilitate lateral movement and asset exfiltration.

The Social Engineering Vector: High-Fidelity Impersonation

The campaign begins with a precision-engineered social engineering phase. Attackers utilize LinkedIn profiles that exhibit high degrees of credibility, featuring realistic professional histories and established networks. This makes distinguishing an adversary from a legitimate recruiter or business partner exceptionally difficult for even seasoned developers.

The attack chain typically follows this progression:

  • Initial Contact: A fraudulent meeting invitation is sent via LinkedIn messaging.
  • Domain Spoofing: Victims are redirected to malicious domains designed to mimic legitimate collaboration tools like Microsoft Teams.
  • Payload Delivery: The spoofed site prompts the user to download a “meeting client” or a “troubleshooting patch” to resolve supposed technical issues.

In one notable instance, the payload was delivered through a bash script hosted on a domain impersonating an official Apple driver portal, adding a layer of perceived legitimacy to the infection process.

Visual representation of the JINX-0164 attack chain.
The JINX-0164 Attack Chain (Source: Wiz)

Technical Analysis: AUDIOFIX and MINIRAT

Once the initial foothold is established, the actor deploys specialized malware. The primary payload, AUDIOFIX, is an architecture-aware binary compatible with both Intel and Apple Silicon (M-series) chips. It achieves persistence by masquerading as the legitimate coreaudiod system process and utilizing launchctl for execution.

AUDIOFIX functions as a dual-threat agent: an Infostealer and a Remote Access Trojan (RAT). It targets high-value assets including:

  • macOS Keychain credentials and browser-stored passwords.
  • SSH keys and cloud provider tokens (AWS, Azure, GCP).
  • Cryptocurrency wallet private keys and active session tokens for Slack, Discord, and Telegram.

According to research by Wiz, the group leverages these stolen tokens to move from the endpoint into the cloud infrastructure. By using specialized tools like nord-stream, they can extract secrets directly from GitHub Actions and other CI/CD environments.

Supply Chain Compromise

JINX-0164 has also demonstrated significant supply chain capabilities. In April 2026, they successfully compromised the @velora-dex/sdk npm package (version 4.9.1). This compromise involved injecting a malicious script that acted as a dropper for a secondary, lightweight Go-based backdoor known as MINIRAT. While AUDIOFIX focuses on deep system exploitation, MINIRAT is optimized for lightweight reconnaissance and command execution.

Evidence of malicious Git commit metadata.
Snippet of unverified commit information containing the malicious payload (Source: Wiz)

Strategic Intent: Infiltrating the Codebase

Perhaps the most dangerous aspect of JINX-0164 is their ability to turn a developer’s workstation into an internal infection vector. Rather than just stealing data, they attempt to poison the well. By gaining access to internal repositories, they use stealthy Git techniques—such as altering commit metadata or hijacking existing branches—to inject malicious code directly into the main branch.

As other developers pull these updates, the malware propagates throughout the organization’s infrastructure, effectively turning trusted source code into a distribution mechanism for the adversary.

Indicators of Compromise (IOCs)

Organizations are advised to monitor for the following hashes within their EDR and SIEM environments. Note: IP addresses and domains are defanged to prevent accidental execution.

Malware Family Architecture / Infrastructure SHA-256 Hash
MINIRAT ARM64 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270
MINIRAT x86_64 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d
AUDIOFIX HTTPS / ARM64 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6
AUDIOFIX Dropbox / x86_64 3e3901519c2305fbe9d5483b7234c25c6d2b562512916481d96f26b849c39fdb
Dropper Fake audio fix (apple.driver-store[.]com) 9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a
Dropper Supply Chain (89.36.224[.]5) c6ef82d2864dfd26f117a1ef560279153423f2742970a7949cec72722f0a01e

Disclaimer: Re-fang these indicators only within controlled threat intelligence environments such as MISP or VirusTotal.

Related Articles

Back to top button