JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
Briefly

A threat actor tracked as JINX-0164 targets cryptocurrency organizations with recruitment-themed social engineering and bespoke macOS malware. The activity is assessed to have been ongoing since mid-2025 and is motivated by financial gain. The actor uses credible LinkedIn profiles to approach victims and offer a virtual meeting; the meeting invite leads to a rogue domain masquerading as a teleconference provider. Victims are tricked into downloading and installing a program that triggers a bash script hosted on a fake driver store domain. The script retrieves an architecture-aware payload (compatible with both Intel and Apple Silicon) that masquerades as a system audio driver named coreaudiod, is saved as ChromeUpdater, and is executed via launchctl. The Python malware then steals sensitive data from the endpoint and is used to move laterally from compromised employee laptops to code distribution and development (CI/CD) infrastructure; in at least one case this resulted in a supply chain attack.
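One defender-side check the persistence step above suggests is to sweep launchd job plists for a job that borrows the coreaudiod name, or uses the ChromeUpdater filename, while its executable lives outside Apple's system paths. This is an added example written for this summary, not code from the report or The Hacker News; the two sample plists are constructed, and the system-path list and name heuristics are assumptions, not indicators from the report.

```python
import os
import plistlib
# Apple-owned locations; a "system daemon" launched from anywhere else is suspect.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Names from the report: the impersonated daemon and the filename it was saved under.
SUSPECT_NAMES = ("coreaudiod", "chromeupdater")

def program_path(job: dict) -> str:
    """launchd names the executable via Program or ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""

def assess_job(job: dict) -> list:
    """Return reasons this job matches the masquerade pattern (empty list = clean)."""
    path = program_path(job)
    base = os.path.basename(path).lower()
    label = str(job.get("Label", "")).lower()
    if path.startswith(SYSTEM_PREFIXES):
        return []  # genuine Apple binaries live under the system prefixes
    reasons = []
    if base in SUSPECT_NAMES:
        reasons.append(f"executable named {base!r} outside system paths: {path}")
    if any(name in label for name in SUSPECT_NAMES):
        reasons.append(f"label {label!r} imitates a system service but runs {path}")
    if reasons and job.get("RunAtLoad"):
        reasons.append("RunAtLoad set: the job persists across logins")
    return reasons

def scan_plists(blobs: list) -> list:
    """Parse raw plist bytes (e.g. read from ~/Library/LaunchAgents) and assess each."""
    findings = []
    for blob in blobs:
        job = plistlib.loads(blob)
        findings.append({"label": job.get("Label", "?"),
                         "program": program_path(job),
                         "reasons": assess_job(job)})
    return findings

# Constructed samples: a genuine Apple job and one mimicking the chain in the report.
LEGIT = plistlib.dumps({"Label": "com.apple.audio.coreaudiod",
                        "Program": "/usr/sbin/coreaudiod", "RunAtLoad": True})
FAKE = plistlib.dumps({"Label": "com.apple.audio.coreaudiod", "RunAtLoad": True,
                       "ProgramArguments": ["/Users/dev/Library/ChromeUpdater"]})

if __name__ == "__main__":
    for finding in scan_plists([LEGIT, FAKE]):
        print(finding["label"], finding["program"], "->", finding["reasons"] or "clean")
```

On a real host, feed it the bytes of each plist under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents and review any non-empty reasons list alongside code-signing status of the referenced binary.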
"These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure. The used methods enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure."
"The threat actor is assessed to be active since at least mid-2025 and motivated by financial gain, targeting developers through recruitment-themed and other social engineering techniques to siphon cryptocurrencies. In at least one case, the adversary is said to have carried out a supply chain attack."
"JINX-0164 has been found to leverage credible LinkedIn profiles to approach victims and offer a virtual meeting. The meeting invite is designed to steer the target to a rogue domain that masquerades as a teleconference provider. From there, victims are tricked into downloading and installing the program."
"The [bash] script downloaded an architecture-aware payload from the same domain, compatible with both Intel and Apple Silicon systems. The payload masquerades as a system audio driver named coreaudiod, was saved as ChromeUpdater, and was executed via launchctl. The Python malware is then leveraged to steal sensitive data from the compromised endpoint."
Read at The Hacker News