JINX-0164 Targets Crypto Developers via Fake LinkedIn Job Interviews

Bottom line: The JINX-0164 group compromises crypto developers through fake LinkedIn job interviews to deploy the Python malware AUDIOFIX, which steals passwords, SSH keys, and cryptocurrency wallet data.

The threat group JINX-0164 systematically infiltrates developers of crypto platforms with the macOS malware AUDIOFIX by impersonating recruiters on LinkedIn and requesting downloads of alleged meeting software. The attacks target software developers to penetrate the supply chain through their privileged access.

Security researchers at Wiz (Alphabet Group) have documented a previously unknown financially motivated threat group designated JINX-0164, whose activities can be traced back at least to mid-2025. The primary objective is the theft of digital assets through infiltration of development environments. In at least one case, JINX-0164 successfully attacked the software supply chain by compromising developers with privileged access to central code distribution systems.

The infiltration occurs through a multi-stage social engineering chain on LinkedIn. JINX-0164 creates deceptively authentic recruiter profiles and offers seemingly lucrative positions to programmers at crypto companies. For the supposed job interview, the victim is sent a link to an attacker-controlled fake domain rather than to an established video conferencing platform. When opened, a forged error message appears requesting the user to download a driver update or specialized conferencing software. The downloaded bash script is hosted on the domain apple.driver-store.com and fetches a platform-specific payload compatible with both Intel processors and Apple Silicon chips.

The executed malware AUDIOFIX is an information stealer and remote access trojan written in Python. It masquerades as a legitimate system audio driver (coreaudiod) but is registered under the name ChromeUpdater and launched via launchctl. AUDIOFIX extracts stored passwords from web browsers, accesses iCloud Keychain files, reads password manager credentials, and collects SSH keys, local administrator credentials, and command history.
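As an added defensive example (this is not code from the Wiz report or from it-daily.net), the following Python script audits launchd property lists for the persistence traits described above: the ChromeUpdater label, a program named coreaudiod that is not the genuine system binary, and a launch item that starts a Python interpreter. The path /usr/sbin/coreaudiod for the legitimate daemon and the directory list are my assumptions about standard macOS layout, not facts stated in the article; the sample plists are constructed for illustration.

```python
"""Audit macOS launchd plists for traits matching the AUDIOFIX persistence described in the write-up."""
import plistlib
from pathlib import Path

# Indicators taken from the article: the launchd label and the impersonated daemon name.
SUSPICIOUS_LABELS = {"ChromeUpdater"}
IMPERSONATED_DAEMON = "coreaudiod"
# Assumption: location of the genuine CoreAudio daemon on macOS.
LEGIT_COREAUDIOD = "/usr/sbin/coreaudiod"
# Assumption: the usual per-user and system-wide launchd directories.
LAUNCH_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")


def audit_plist(name: str, data: bytes) -> list[str]:
    """Return the reasons a launchd plist looks suspicious (empty list if none)."""
    findings: list[str] = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed XML/binary plist is itself worth a look
        return [f"{name}: unparseable plist ({exc})"]

    label = str(plist.get("Label", ""))
    program = plist.get("Program")
    args = plist.get("ProgramArguments") or []
    cmd = [str(a) for a in (([program] if program else []) + list(args))]

    if label in SUSPICIOUS_LABELS:
        findings.append(f"{name}: label {label!r} matches the AUDIOFIX persistence name")

    # A binary calling itself coreaudiod anywhere except the system path is masquerading.
    for token in cmd:
        if IMPERSONATED_DAEMON in Path(token).name and token != LEGIT_COREAUDIOD:
            findings.append(f"{name}: {token!r} impersonates {IMPERSONATED_DAEMON} outside {LEGIT_COREAUDIOD}")

    # AUDIOFIX is Python; a launch item whose executable is an interpreter deserves review.
    if cmd and Path(cmd[0]).name.startswith("python"):
        findings.append(f"{name}: launch item runs a Python interpreter: {' '.join(cmd)}")
    return findings


def audit_directories(dirs=LAUNCH_DIRS) -> list[str]:
    """Walk the launchd directories on this host and collect findings for every *.plist."""
    results: list[str] = []
    for d in dirs:
        base = Path(d).expanduser()
        if not base.is_dir():
            continue
        for p in sorted(base.glob("*.plist")):
            results.extend(audit_plist(str(p), p.read_bytes()))
    return results


# Constructed sample plists (not real artifacts) used to exercise the checks.
SAMPLE_MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>ChromeUpdater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/dev/Library/Application Support/.audio/coreaudiod</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/backup</string><string>--daily</string>
  </array>
</dict></plist>
"""

SAMPLE_SYSTEM = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>Program</key><string>/usr/sbin/coreaudiod</string>
</dict></plist>
"""

if __name__ == "__main__":
    for sample_name, blob in (("constructed-malicious", SAMPLE_MALICIOUS),
                              ("constructed-benign", SAMPLE_BENIGN),
                              ("constructed-system", SAMPLE_SYSTEM)):
        print(sample_name, "->", audit_plist(sample_name, blob) or "clean")
    for line in audit_directories():
        print("HOST:", line)
```

Run it on a Mac as the logged-in user to check both the per-user LaunchAgents directory and the system-wide ones; the interpreter heuristic will also flag legitimate Python-based agents, so treat it as a triage list rather than a verdict.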

A particular focus lies on crypto infrastructure: AUDIOFIX specifically searches for cryptocurrency browser extensions and extracts private keys and wallet addresses. The malware also hijacks browser cookies and attempts to access local file storage.


Source: www.it-daily.net · Published June 2, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.2.9.