JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
What’s new
A new threat actor, tracked as JINX-0164, is targeting cryptocurrency firms with recruitment-themed social engineering and custom macOS malware. The campaign, active since mid-2025, uses fake LinkedIn profiles to lure victims into downloading malicious files disguised as meeting clients. These files deploy AUDIOFIX, a Python-based infostealer and remote access trojan. The malware facilitates lateral movement within compromised networks, targeting CI/CD infrastructure and stealing sensitive data, including cryptocurrency wallet credentials.
Who’s affected
Cryptocurrency organizations and their developers are the primary targets of the JINX-0164 campaign. The threat actor employs sophisticated social engineering techniques to compromise employee laptops and access internal development systems.
What to do
- Implement strict verification processes for recruitment communications, especially those involving virtual meetings.
- Educate employees about the risks of downloading software from unverified sources.
- Monitor for unusual activity within CI/CD pipelines and development infrastructure.
- Use endpoint protection solutions that can detect and block macOS malware.
- Regularly update and patch systems to mitigate vulnerabilities that could be exploited by malware.



