JINX-0164

Also known as: JINX-0164
Tracked by Mallory; 2 malware families.

JINX-0164 is a previously unreported, financially motivated threat actor tracked by Wiz, active since at least mid-2025. The actor targets cryptocurrency organizations, particularly software developers and development infrastructure, with the apparent objective of digital asset theft and theft of sensitive developer information. The group relies heavily on recruitment-themed social engineering, including credible fake LinkedIn recruiter or business-contact personas and fake virtual meeting invitations. Victims are directed to spoofed teleconferencing or driver-update domains and tricked into downloading malicious scripts or fixes. JINX-0164 uses custom macOS malware, primarily AUDIOFIX and MINIRAT. AUDIOFIX is described as a compiled Python-based macOS infostealer and backdoor/RAT that harvests Keychain data, browser credentials and history, local admin credentials, SSH keys, configuration files, console history, cloud and developer secrets, cryptocurrency wallet data, and active sessions from platforms including Slack, Discord, and Telegram. It also supports command execution, payload retrieval, reconnaissance, exfiltration, and persistence via launchctl/LaunchAgents. MINIRAT is a lightweight Go-based backdoor linked to the same infrastructure as AUDIOFIX. JINX-0164 focuses less on broad cloud-resource abuse and more on compromising internal code repositories, CI/CD systems, and enterprise deployment pipelines. Reported activity includes stealing GitHub tokens and CI/CD secrets, using the nord-stream tool to exfiltrate secrets, injecting malicious payloads into internal repositories, pushing malicious code to main branches when protections were absent, hijacking existing branches, and modifying Git committer names and email fields to impersonate legitimate developers. 
In at least one case, the actor conducted a software supply chain attack by trojanizing npm package @velora-dex/sdk version 4.9.1 to deliver MINIRAT; reporting indicates the GitHub source code was unchanged, suggesting compromise of npm credentials only. Known aliases and names directly mentioned in the content are limited to JINX-0164 / jinx_0164. Some reporting noted similarities to North Korean developer-targeting and cryptocurrency-focused tradecraft, including comparisons to BlueNoroff, Contagious Interview, and UNC1069, but the content explicitly states there was no infrastructure overlap and insufficient evidence for attribution to DPRK or another state actor.
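The committer-impersonation and unprotected-main-branch activity described above is worth checking for in your own repositories, because Git author and committer fields are free-form text that anyone with push access can set. The following script is an added example written for this page, not tooling from Wiz or Mallory. It assumes a log produced with `git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%G?'` (all real Git placeholders; `%G?` is the signature status, `G` meaning a good signature), an allowlist of organisation email domains, and a directory mapping known developer emails to display names. The sample log lines, SHAs, names and domains are constructed.

```python
"""Audit git commit metadata for identity-impersonation signals.

Example written for this page; not Wiz's or Mallory's code. Input lines
must come from:
  git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%G?' <ref>
Each commit is flagged when author and committer identities disagree,
when the committer email is outside the allowlisted domains, when the
author name does not match the directory entry for that email, or when
the commit carries no good signature (the only field that is not
trivially forgeable). All sample data below is constructed.
"""
from dataclasses import dataclass
import subprocess

SEP = "\x1f"  # unit separator emitted by %x1f; safe against names containing spaces


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    sig_status: str  # value of %G?: G=good, N=none, B=bad, U=untrusted key, ...


def run_git_log(repo_path: str, ref: str = "origin/main") -> str:
    """Collect the log in the expected format from a real checkout (not used by the sample)."""
    fmt = f"%H{SEP}%an{SEP}%ae{SEP}%cn{SEP}%ce{SEP}%G?"
    return subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={fmt}", ref],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_log(text: str) -> list[Commit]:
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(SEP)
        if len(parts) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def audit_commit(c: Commit, allowed_domains: set[str],
                 known_identities: dict[str, str]) -> list[str]:
    """Return the list of findings for one commit (empty list means clean)."""
    findings = []
    if (c.author_name, c.author_email) != (c.committer_name, c.committer_email):
        findings.append("author/committer identity mismatch")
    domain = c.committer_email.rsplit("@", 1)[-1].lower()
    if domain not in allowed_domains:
        findings.append(f"committer domain not allowlisted: {domain}")
    expected_name = known_identities.get(c.author_email)
    if expected_name is not None and expected_name != c.author_name:
        findings.append(
            f"author name {c.author_name!r} does not match directory entry {expected_name!r}")
    if c.sig_status != "G":
        findings.append(f"no good signature (%G? = {c.sig_status})")
    return findings


def audit_log(text: str, allowed_domains: set[str],
              known_identities: dict[str, str]) -> dict[str, list[str]]:
    """Map each suspicious commit SHA to its findings; clean commits are omitted."""
    report = {}
    for commit in parse_log(text):
        findings = audit_commit(commit, allowed_domains, known_identities)
        if findings:
            report[commit.sha] = findings
    return report


# Constructed sample: one clean signed commit, one unsigned commit that copies a
# real developer's identity, and one commit from an outside domain posing as her.
SHA_GOOD = "a" * 40
SHA_UNSIGNED = "b" * 40
SHA_FORGED = "c" * 40
SAMPLE_LOG = (
    f"{SHA_GOOD}{SEP}Alice Example{SEP}alice@example.com{SEP}Alice Example{SEP}alice@example.com{SEP}G\n"
    f"{SHA_UNSIGNED}{SEP}Alice Example{SEP}alice@example.com{SEP}Alice Example{SEP}alice@example.com{SEP}N\n"
    f"{SHA_FORGED}{SEP}alice example{SEP}alice@example.com{SEP}Alice Example{SEP}alice@example.invalid{SEP}N\n"
)
ALLOWED_DOMAINS = {"example.com"}
KNOWN_IDENTITIES = {"alice@example.com": "Alice Example"}

if __name__ == "__main__":
    for sha, findings in audit_log(SAMPLE_LOG, ALLOWED_DOMAINS, KNOWN_IDENTITIES).items():
        print(sha[:12], "; ".join(findings))
```

The signature check carries the most weight: the other three signals catch sloppy forgeries, but an attacker who has stolen a developer's token can set author and committer fields to match that developer exactly, so requiring verified signatures on main (and enforcing branch protection so unsigned pushes are rejected) is the control that the tradecraft above is actually defeated by.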


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Financial Services

MITRE ATT&CK

Tradecraft

39 distinct techniques observed across reporting, grouped by tactic; each technique links to MITRE's full description.

MITRE ATT&CK matrix: 13 of 15 tactics, 61 technique entries. ×N = number of intelligence reports citing this technique.

TA0042 Resource Development (1 technique)
  T1583 Acquire Infrastructure
    T1583.001 Domains
TA0001 Initial Access (4 techniques)
  T1078 Valid Accounts (×2)
  T1189 Drive-by Compromise
  T1195 Supply Chain Compromise (×3)
    T1195.001 Compromise Software Dependencies and Development Tools (×4)
  T1566 Phishing
    T1566.002 Spearphishing Link (×2)
    T1566.003 Spearphishing via Service (×4)
TA0002 Execution (3 techniques)
  T1059 Command and Scripting Interpreter (×3)
    T1059.004 Unix Shell (×3)
    T1059.006 Python (×2)
  T1204 User Execution (×3)
  T1574 Hijack Execution Flow
TA0003 Persistence (5 techniques)
  T1078 Valid Accounts (×2)
  T1098 Account Manipulation
    T1098.004 SSH Authorized Keys
  T1543 Create or Modify System Process
    T1543.001 Launch Agent
  T1547 Boot or Logon Autostart Execution
    T1547.015 Login Items
  T1556 Modify Authentication Process
TA0004 Privilege Escalation (5 techniques)
  T1078 Valid Accounts (×2)
  T1098 Account Manipulation
    T1098.004 SSH Authorized Keys
  T1543 Create or Modify System Process
    T1543.001 Launch Agent
  T1547 Boot or Logon Autostart Execution
    T1547.015 Login Items
  T1548 Abuse Elevation Control Mechanism
TA0005 Stealth (5 techniques)
  T1036 Masquerading (×5)
  T1070 Indicator Removal
  T1078 Valid Accounts (×2)
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
  T1574 Hijack Execution Flow
TA0112 Defense Impairment (1 technique)
  T1556 Modify Authentication Process
TA0006 Credential Access (6 techniques)
  T1056 Input Capture
    T1056.001 Keylogging
  T1528 Steal Application Access Token (×2)
  T1552 Unsecured Credentials
    T1552.001 Credentials In Files
  T1555 Credentials from Password Stores (×4)
    T1555.003 Credentials from Web Browsers
    T1555.006 Cloud Secrets Management Stores
  T1556 Modify Authentication Process
  T1649 Steal or Forge Authentication Certificates (×4)
TA0007 Discovery (2 techniques)
  T1083 File and Directory Discovery
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
TA0008 Lateral Movement (1 technique)
  T1570 Lateral Tool Transfer
TA0009 Collection (2 techniques)
  T1056 Input Capture
    T1056.001 Keylogging
  T1115 Clipboard Data (×2)
TA0011 Command and Control (4 techniques)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols (×3)
  T1090 Proxy
    T1090.002 External Proxy (×2)
  T1105 Ingress Tool Transfer (×3)
  T1219 Remote Access Tools
TA0010 Exfiltration (1 technique)
  T1041 Exfiltration Over C2 Channel (×3)

IOCS

Observables

91 indicators (domains, IPs, hashes, and other artifacts) are attributed to this actor from reporting. The indicator values are gated and are not shown on this public page; they are available in Mallory, where they can also be exported to a SIEM.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
