# New macOS Threat Actor JINX-0164 Targets Crypto Firms

*Thursday, May 28, 2026 at 8:09 AM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-05-28T08:09:11.027Z
**Category**: cyber | **Region**: Global
**Importance**: 6/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/5649.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: Since mid-2025, a newly identified threat actor dubbed JINX-0164 has been targeting cryptocurrency companies with tailored macOS malware delivered via fake LinkedIn recruiter messages. On 28 May 2026, analysts detailed its AUDIOFIX Python-based infostealer and RAT, which focuses on credentials and CI/CD systems.

## Key Takeaways
- JINX-0164 is a newly designated threat actor active since mid-2025, targeting crypto firms primarily via macOS malware.
- The group uses fake LinkedIn recruiter approaches and rogue domains to deliver AUDIOFIX, a Python-based infostealer and remote access trojan.
- AUDIOFIX harvests credentials and focuses on compromising CI/CD systems, posing significant supply-chain risks.

On 28 May 2026, cybersecurity reporting at approximately 08:01 UTC highlighted a sophisticated campaign targeting the cryptocurrency sector, attributed to a threat actor labeled JINX-0164. Active since mid-2025, this group has focused on macOS environments—less commonly targeted than Windows—using social engineering and custom malware to infiltrate organizations handling digital assets.

The primary infection vector involves fake recruiter outreach via LinkedIn. Targets, often developers, DevOps engineers, or security staff within crypto exchanges and blockchain infrastructure firms, receive messages offering enticing job opportunities. Victims are then directed to rogue web domains masquerading as video conferencing platforms or driver update sites. These sites prompt the download of files that initiate the infection chain.

At the core of the campaign is AUDIOFIX, a Python-based information stealer and remote access trojan (RAT). Once executed via a bash script that installs the malware under the guise of legitimate software, AUDIOFIX embeds itself into the macOS environment, using obfuscation and persistence techniques to avoid detection. It then begins harvesting stored credentials, browser data, authentication tokens, and environment variables, with a particular emphasis on accessing CI/CD pipelines and build systems.
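As an added defensive example (not from the report, and not a published AUDIOFIX indicator): a heuristic audit of launchd plists for the persistence pattern described above. It assumes the implant persists through a LaunchAgent/LaunchDaemon plist, which the report does not specify; the interpreter list, user-writable path list and Apple-style label rule are assumptions, and the two sample plists are constructed.

```python
"""Heuristic audit of macOS launchd plists for persistence of the kind a
Python implant dropped by a shell installer would leave behind.
Added example; rules below are assumptions, not published JINX-0164 IoCs."""
import plistlib
from pathlib import Path

INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "osascript"}
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/Library/Caches/")

def audit_plist(data: bytes) -> list[str]:
    """Return the reasons a LaunchAgent/LaunchDaemon plist looks suspicious."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # a malformed XML/binary plist is itself worth a look
        return ["unparseable plist"]
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = str(plist.get("Program") or (args[0] if args else ""))
    reasons = []
    # Vendor agents launch a signed binary; an interpreter as the program is unusual.
    if Path(program).name in INTERPRETERS:
        reasons.append(f"interpreter as program: {program}")
    # Code in user-writable paths persists without root and bypasses app signing.
    if any(a.startswith(USER_WRITABLE) for a in [program, *args[1:]]):
        reasons.append("program or argument in user-writable path")
    # Apple-style label (posing as legitimate software) running non-system code.
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        reasons.append(f"Apple-style label {label} runs {program}")
    # Inline code (-c/-e) handed to the interpreter is a typical dropper pattern.
    if any(a in ("-c", "-e") for a in args[1:]):
        reasons.append("inline code passed to interpreter")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts if killed)")
    return reasons

# Constructed sample plists (not real indicators) exercising the rules above.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.audiofix.helper",
    "ProgramArguments": ["/Users/dev/Library/Caches/.af/venv/bin/python3",
                         "-c", "print('constructed sample')"],
    "RunAtLoad": True, "KeepAlive": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
```

To use it on a host, call `audit_plist(path.read_bytes())` for each `.plist` under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` and review the non-empty results.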

Key actors include the JINX-0164 operators—whose origin and sponsorship remain unclear—and a range of crypto industry victims from exchanges and wallet providers to blockchain infrastructure companies and potentially DeFi protocol developers. The focus on CI/CD systems indicates an interest not only in direct theft of digital assets but also in potential supply-chain compromise, where malicious code can be injected into software updates or smart contracts used by a wide user base.

The significance of this campaign lies in its targeting of macOS, which many organizations and individuals still perceive as comparatively secure. By exploiting professional social networks and masquerading as legitimate recruiters, JINX-0164 leverages trust relationships and normal hiring processes to bypass technical defenses. The emphasis on CI/CD environments magnifies the risk: a single compromised build pipeline could enable large-scale theft, smart contract manipulation, or the distribution of backdoored wallet software to end users.

From a broader cybersecurity perspective, JINX-0164 exemplifies how threat actors are adapting to the growing role of macOS in development and creative environments and to the concentration of high-value keys and credentials in crypto-focused organizations. The campaign also highlights the ongoing convergence of social engineering, supply-chain attacks, and financial crime targeting the digital asset ecosystem.

Regulators, law enforcement, and incident response teams monitoring the crypto industry must now factor in macOS-focused APT-style threats alongside more common Windows and cloud compromises. Failure to do so risks leaving a significant portion of the attack surface under-protected.

## Outlook & Way Forward

In the near term, JINX-0164 is likely to continue refining its social engineering scripts and malware tooling, potentially expanding language coverage and targeting more regions as it hunts for development and DevOps personnel with privileged access. Organizations in the cryptocurrency and broader fintech sectors should anticipate continued recruiter-themed phishing and adopt stricter verification processes for unsolicited job-related contacts.

Defensively, immediate priorities include enhancing endpoint detection and response coverage on macOS devices, hardening CI/CD pipelines with strong access controls and code-signing verification, and deploying behavioral analytics to spot anomalous activity from build servers and developer workstations. Employee awareness campaigns specifically addressing LinkedIn and other professional-network phishing will be critical.

Longer term, as the crypto sector matures and regulatory scrutiny increases, there will likely be stronger expectations for standardized security baselines, including supply-chain security and cross-platform endpoint protection. Threat intelligence sharing about actors like JINX-0164—covering indicators of compromise, tactics, and infrastructure—will be essential to limiting their operational window. Indicators to monitor include the discovery of AUDIOFIX variants targeting other operating systems, evidence of successful supply-chain compromises linked to this actor, and any overlaps with known state-aligned or financially motivated groups.
