A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.
AI Analysis (machine-generated threat intelligence)
Technical Summary
JINX-0164 is a sophisticated threat actor targeting the cryptocurrency industry's software development ecosystem. They leverage LinkedIn social engineering to deliver custom macOS malware (AUDIOFIX, a Python-based infostealer and RAT, and MINIRAT, a lightweight Go backdoor) to developer endpoints. Their goal is to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. After initial compromise, they move laterally into CI/CD pipelines, injecting malicious code into repositories to facilitate further compromise. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The actor uses VPNs to obfuscate their operations and demonstrates advanced credential harvesting techniques targeting password managers, browser extensions, and development tools.
Potential Impact
The threat actor compromises developer endpoints to steal highly sensitive credentials related to cryptocurrency wallets, cloud infrastructure, and source code repositories. This enables unauthorized access to critical infrastructure and potential manipulation of software supply chains through CI/CD pipeline compromise. The April 2026 supply chain attack on an npm package illustrates their capability to distribute malicious code widely, potentially impacting numerous downstream users. The use of advanced credential harvesting and lateral movement techniques increases the risk of prolonged undetected access and extensive damage within targeted organizations.
Mitigation Recommendations
No official patch or remediation is available as this is an active threat actor rather than a software vulnerability. Organizations should focus on strengthening endpoint security, enhancing detection of social engineering attempts, and monitoring for unusual activity in developer environments and CI/CD pipelines. Reviewing and securing npm package dependencies is critical to mitigate supply chain risks. Use of multi-factor authentication and limiting access to sensitive credentials can reduce impact. Since the threat actor uses VPNs and sophisticated evasion, behavioral monitoring and threat intelligence sharing are recommended. Patch status is not applicable; check vendor advisories and threat intelligence updates for emerging mitigations.
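Two of the recommendations above (reviewing npm dependencies, monitoring developer and CI/CD environments) can be turned into concrete offline checks against the indicators this page lists. The block below is an added example, not code from the AlienVault pulse or from the Wiz report it cites: it flags the trojanized package named on the page in a package-lock.json, and matches DNS query log lines and file hashes against the page's indicators. The lockfile, the log lines and the package version 1.4.2 are constructed sample data; the indicator values are copied from the page (subsets, to keep the block short), and the function names are this example's own.

```python
"""Added example, not code from the AlienVault/OTX pulse or the Wiz report it cites.
Two small offline checks a defender can run against this page's indicators:
  1. flag the trojanized npm package named on the page in a package-lock.json,
  2. match DNS query log lines and file hashes against the listed IoCs.
The lockfile, log lines and package version are constructed sample data; the
indicator values are copied from the page (subsets, to keep the block short).
Function names are this example's own."""
import hashlib
import json

# The package the page names as trojanized in April 2026. The page does not
# state which version was affected, so presence is flagged regardless of version.
SUSPECT_PACKAGES = {"@velora-dex/sdk"}

# Subset of the page's domain indicators (the full list is in the IoC section).
IOC_DOMAINS = {
    "driver-updater.net", "login.teamicrosoft.com", "live.ong",
    "driver-store.com", "apple.driver-store.com", "drvstore.com",
    "teamicrosoft.com", "bitget-meeting.com", "us03-slack.online", "slktest.live",
}

# Subset of the page's hash indicators. The pulse mixes MD5, SHA-1 and SHA-256.
IOC_HASHES = {
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "7bd3201946ef8b8a836bc2f951923adc",
    "6ca184cb838a989220254ff1914313d774e65712",
}

# Constructed lockfile (v3 layout): the suspect package sits beside a benign one.
SAMPLE_LOCKFILE = json.dumps({
    "name": "wallet-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-frontend", "version": "0.3.0"},
        "node_modules/@velora-dex/sdk": {"version": "1.4.2"},
        "node_modules/ethers": {"version": "6.13.0"},
    },
})

# Constructed DNS query log: "<timestamp> <host> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2026-05-28T15:18:34Z dev-mbp-07 A apple.driver-store.com
2026-05-28T15:19:02Z dev-mbp-07 A registry.npmjs.org
2026-05-28T15:20:11Z ci-runner-2 A cdn.drvstore.com
2026-05-28T15:21:40Z ci-runner-2 A github.com
"""


def _walk_v1(deps):
    """Recurse through a lockfile v1 'dependencies' tree, yielding (name, version)."""
    for name, meta in deps.items():
        yield name, meta.get("version", "")
        yield from _walk_v1(meta.get("dependencies", {}))


def lockfile_packages(lock_json):
    """Yield (name, version) for every package in a package-lock.json (v1, v2 or v3)."""
    data = json.loads(lock_json)
    for path, meta in data.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        # keys look like "node_modules/@scope/name" or "node_modules/a/node_modules/b"
        yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
    yield from _walk_v1(data.get("dependencies", {}))


def find_suspect_packages(lock_json):
    """Return sorted (name, version) pairs for listed packages present in the lockfile."""
    return sorted({(n, v) for n, v in lockfile_packages(lock_json) if n in SUSPECT_PACKAGES})


def match_domain(qname):
    """Return the indicator that covers qname: the name itself or a listed parent
    domain (so a new host under a listed apex still matches), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_dns_log(log_text):
    """Return (host, qname, indicator) for each log line whose query matches an IoC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        host, qname = parts[1], parts[3]
        indicator = match_domain(qname)
        if indicator:
            hits.append((host, qname, indicator))
    return hits


def classify_hash(value):
    """Guess the algorithm of a hex digest from its length; None if not a known size."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))


def hash_matches(file_bytes):
    """Return the algorithms under which file_bytes matches a listed indicator.
    All three are computed because the list does not say which algorithm each is."""
    return [a for a in ("md5", "sha1", "sha256")
            if hashlib.new(a, file_bytes).hexdigest() in IOC_HASHES]


if __name__ == "__main__":
    print("suspect packages:", find_suspect_packages(SAMPLE_LOCKFILE))
    print("dns hits:", scan_dns_log(SAMPLE_DNS_LOG))
```

The domain matcher walks up the label chain so that a host not yet on the list (cdn.drvstore.com in the sample) is still caught by its listed apex; that is safe here because no bare public suffix appears among the indicators. In a real deployment the domain and hash sets would be loaded from the full IoC list on this page, and the lockfile check would run in CI before install.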
Indicators of Compromise
- domain: driver-updater.net
- domain: login.teamicrosoft.com
- domain: live.ong
- url: http://89.36.224.5/troubleshoot/mac/install.sh
- hash: b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17
- domain: teams.live.us.org
- domain: www.driver-updater.net
- domain: www.live.us.org
- domain: teams.retesta.live
- domain: www.drvstore.com
- domain: www.retesta.live
- domain: login.retesta.live
- domain: learn.retesta.live
- domain: driver-store.com
- domain: apple.driver-store.com
- domain: windows.driver-store.com
- domain: driver-hub.net
- domain: apple.drvstore.com
- domain: www.live.ong
- domain: www.driver-store.com
- domain: teams.live.ong
- domain: windows.drvstore.com
- domain: drvstore.com
- domain: learn.teams.us.org
- domain: learn.live.ong
- domain: www.driver-hub.net
- domain: team.live.us.org
- domain: login.live.ong
- domain: byte-io.us
- domain: cloud-sync.online
- domain: datahub.ink
- hash: 7bd3201946ef8b8a836bc2f951923adc
- hash: 860ef29773cf680ed765cb08ac3072cb
- hash: 6ca184cb838a989220254ff1914313d774e65712
- hash: db077e20e429b93d9b1187cf09869544d83dbe02
- hash: 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270
- hash: 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d
- hash: 3318c614fa7d74b71c81f0e5532cc27e
- hash: 425dbed05e53394a719c6e0986a9ce87
- hash: 5fa825564b4ede126005a88ba9efbb54
- hash: ce9da8845b153c5ba50281304b77969b
- hash: 0614fe623f6014bccae634e15e3c883a41aa89ee
- hash: 2e763321936858b8a566eaadcaf5a7ce064bbad0
- hash: d068b346169ced2ed677e1d4d75becf84829017f
- hash: e581b38c6d4e659742839f3025a2add0a7e3fe60
- hash: 0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21
- hash: 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460
- hash: 3e3901519c2305fbe9d5483b7234c25c6d2b562512916481d96f26b849c39fdb
- hash: 402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c
- hash: 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6
- hash: 9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a
- hash: a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b
- hash: c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e
- hash: d4e863f9818bfb2f1dd932df6441dff204e6142c3bdb55b298cb08dc7b6a0c62
- hash: e8ee6f5145c9d503c5130bfc6585567f6e19d409158c3c0ca0b259f1875b15f4
- ip: 185.100.85.250
- ip: 185.100.85.98
- url: http://alibaba.xyz/minirat
- url: https://apple.driver-store.com/mac/arm/driver/coreaudiod
- url: https://apple.driver-store.com/mac/intel/driver/coreaudiod
- url: https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh
- url: https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac
- url: https://www.iru.com/blog/minirat
- domain: alibaba.xyz
- domain: bitget-meeting.com
- domain: driver-update.io
- domain: live.org.mx
- domain: slktest.live
- domain: teamicrosoft.com
- domain: teams.cam
- domain: us03-slack.online
- domain: app.us03-slack.online
- domain: apple.driver-hub.net
- domain: apple.driver-update.io
- domain: learn.bitget-meeting.com
- domain: learn.teamicrosoft.com
- domain: learn.teams.cam
- domain: live.teams.cam
- domain: login.bitget-meeting.com
- domain: login.teams.cam
- domain: my-home-company-group.slktest.live
- domain: my-home-company-group.us03-slack.online
- domain: resource.bitget-meeting.com
- domain: resource.teamicrosoft.com
- domain: sitemaps.driver-store.com
- domain: teams.live.org.mx
- domain: windows.driver-hub.net
- domain: windows.driver-update.io
- domain: www.bitget-meeting.com
- domain: www.driver-update.io
- domain: www.slktest.live
- domain: www.teamicrosoft.com
- domain: www.teams.cam
- domain: www.us03-slack.online
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.wiz.io/blog/threat-actors-target-crypto-orgs
- Adversary: JINX-0164
- Pulse Id: 6a181e409d755171f4ac356c
- Threat Score: null
Threat ID: 6a185ccae29bf47b5004426e
Added to database: 5/28/2026, 3:18:34 PM
Last enriched: 5/28/2026, 3:33:36 PM
Last updated: 5/29/2026, 6:52:18 PM