A new threat actor, JINX-0164, is targeting cryptocurrency firms via recruitment-themed social engineering to deliver custom macOS malware, including the Python-based infostealer/RAT AUDIOFIX and the Go-based MiniRAT backdoor. The malware steals credentials, SSH keys, and wallet data to facilitate digital asset theft and lateral movement. While tactics resemble North Korean groups, no direct attribution or infrastructure overlap has been confirmed.
Threat Intelligence New threat actor JINX-0164 targets crypto firms with macOS malware May 29, 2026 Share By SC Staff (Adobe Stock) The Hacker News reported that a new threat actor, tracked as JINX-0164, has been targeting cryptocurrency organizations with sophisticated social engineering tactics and custom macOS malware to facilitate digital asset theft. The campaign, active since mid-2025, uses recruitment-themed social engineering to lure developers into downloading a Python-based infostealer and remote access trojan named AUDIOFIX. This malware steals credentials, SSH keys, and cryptocurrency wallet information, and enables lateral movement within victim networks. The threat actor also employs MiniRAT, a Go-based backdoor previously distributed via a compromised npm package. While some tactics resemble those of North Korean threat groups, no direct infrastructure overlap has been found. The attacks leverage fake recruitment offers and masquerade as teleconference providers or system drivers to trick victims into installing the malicious payloads. The ultimate goal appears to be the theft of cryptocurrencies and sensitive developer information. Source: The Hacker News SC Staff Related Threat Intelligence North Korean hackers Kimsuky target South Korea with new malware variants SC Staff May 29, 2026 Kimsuky, also known as Velvet Chollima, utilized spoofed security software installation pages and fake Webex meeting invitations to deliver malware. Threat Management Iranian threat group targets US aviation sector with AI-assisted ‘MiniFast’ backdoor Laura French May 27, 2026 Career-themed phishing lures targeted employees of US domestic airlines during Operation Epic Fury. Threat Intelligence Iranian-backed hackers linked to Los Angeles transit system breach SC Staff May 26, 2026 The hacktivist group Ababil of Minab initially claimed responsibility for the breach, stating they had stolen and subsequently deleted data from the Los Angeles County Metropolitan Transportation Authority (LACMTA) systems. Related Events Cybercast Better Threat Intelligence Between Public and Private Sectors On-Demand Event Virtual Conference Nationwide Cybersecurity Summit 2025: Safeguarding America’s Digital Future On-Demand Event Virtual Conference Securing the Future of Finance: Strategies to Counter Modern Cyber Threats On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Account Harvesting Black Hat DNS Spoofing Deauthentication Attack Defacement Dictionary Attack Distributed Scans Google Hacking Hybrid Attack Password Cracking You can skip this ad in 5 seconds