How the Attack Works
A financially motivated threat group tracked as JINX-0164 has been targeting cryptocurrency companies since at least mid-2025 using recruitment-themed social engineering. Attackers create credible LinkedIn profiles to approach employees at these firms, then invite them to a virtual meeting. The meeting link directs victims to a fake teleconference domain that prompts them to download a malicious file disguised as a meeting client.
Once executed, the download triggers a bash script that retrieves a custom Python-based infostealer and remote access trojan named AUDIOFIX. The malware masquerades as a system audio driver called coreaudiod but is saved as ChromeUpdater. It works on both Intel and Apple Silicon Macs and is launched through the system’s launchctl service to maintain persistence.
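The persistence mechanism described above (a launchd job that presents itself as the coreaudiod audio daemon while actually running a binary named ChromeUpdater) leaves a detectable inconsistency in the property list. The following is an added detection example, not code from the article, from Wiz, or from the campaign itself: it parses launchd plists, flags jobs whose label claims an Apple service but whose program lives outside system directories or has a different name, and flags auto-start jobs running from user-writable paths. The two sample plists are constructed for this example; the real campaign's labels and file paths are not given on the page, so the directory locations and heuristics are assumptions.

```python
"""Hunt macOS launchd plists for persistence that impersonates a system service.

Sample plists below are constructed for this example (not real AUDIOFIX artifacts).
"""
import glob
import os
import plistlib
from typing import List, Optional

# Locations where legitimately installed Apple binaries live (assumption for the heuristic).
SYSTEM_BIN_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")
# Locations a user-level process can write to without privileges.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# Standard launchd job directories (assumed scan scope; adjust to taste).
DEFAULT_LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def program_path(job: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def analyze_plist(data: bytes, source: str) -> List[str]:
    """Return human-readable findings for one launchd plist (empty list = nothing suspicious)."""
    findings: List[str] = []
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed XML/binary plist is itself worth a look
        return [f"{source}: unparseable plist ({exc})"]
    label = str(job.get("Label", ""))
    prog = program_path(job)
    if prog is None:
        return findings
    binary_name = os.path.basename(prog)
    if label.startswith("com.apple."):
        # An Apple label should point at an Apple binary in a system directory...
        if not prog.startswith(SYSTEM_BIN_PREFIXES):
            findings.append(f"{source}: label '{label}' claims an Apple service but runs {prog}")
        # ...and the binary name should match the service the label names (coreaudiod vs ChromeUpdater).
        label_leaf = label.rsplit(".", 1)[-1].lower()
        if label_leaf and label_leaf not in binary_name.lower():
            findings.append(f"{source}: label names '{label_leaf}' but binary is '{binary_name}'")
    # Any job that auto-starts or is kept alive from a user-writable path is a persistence candidate.
    if prog.startswith(USER_WRITABLE_PREFIXES) and (job.get("RunAtLoad") or job.get("KeepAlive")):
        findings.append(f"{source}: auto-start job runs from user-writable path {prog}")
    return findings


def scan_launchd_dirs(dirs: Optional[List[str]] = None) -> List[str]:
    """Apply analyze_plist to every *.plist in the given (or default) launchd directories."""
    findings: List[str] = []
    for directory in dirs or DEFAULT_LAUNCHD_DIRS:
        for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
            try:
                with open(path, "rb") as fh:
                    findings.extend(analyze_plist(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
    return findings


# Constructed sample: what a genuine Apple job looks like (label and path match a system binary).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>Program</key><string>/usr/sbin/coreaudiod</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample modelled on the described disguise: Apple-looking label, ChromeUpdater binary
# in the user's home directory, set to start at login and be restarted if it exits.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/ChromeUpdater</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def demo() -> List[str]:
    """Run both constructed samples through the analyzer and return the findings."""
    return analyze_plist(BENIGN_PLIST, "benign.plist") + analyze_plist(SUSPECT_PLIST, "suspect.plist")


if __name__ == "__main__":
    for line in demo() + scan_launchd_dirs():
        print(line)
```

Run on a Mac, the script first reports on the two embedded samples and then walks the standard LaunchAgents and LaunchDaemons directories. The label-versus-binary mismatch is the check that matters most here: a job may be named for an audio daemon, but launchd only ever runs what `Program` or `ProgramArguments[0]` points to, so that field, not the label, tells the truth.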
Impact and Scope
After compromising an employee’s laptop, AUDIOFIX steals sensitive data including cryptocurrency wallet credentials and session tokens. The malware then moves laterally through the victim’s organization to access internal code distribution systems and development infrastructure. In at least one documented case, the attacker achieved a supply chain compromise by injecting malicious code into software builds.
Researchers from Wiz, who discovered the campaign, noted that the group’s deep understanding of CI/CD pipelines allowed them to modify source code within build systems. The end goal is theft of digital assets rather than espionage or ransom. The activity underscores how recruitment lures combined with macOS-specific malware can bypass traditional endpoint defenses in crypto-focused companies.
Source: The Hacker News