JINX-0164: New Threat Actor Targets Crypto Orgs with macOS Malware and Social Engineering
A previously undocumented threat actor, dubbed **JINX-0164**, is targeting cryptocurrency organizations using sophisticated social engineering techniques and custom macOS malware. The financially motivated group aims to steal digital assets by compromising employee laptops and infiltrating code distribution systems.

**Wiz** researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read revealed the new campaign, stating, "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure. The used methods enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure."
### Recruitment-Themed Social Engineering
**JINX-0164**, active since at least mid-2025, approaches victims through credible **LinkedIn** profiles and invites them to virtual meetings. The meeting links redirect targets to rogue domains mimicking teleconference providers.
Victims are then tricked into downloading a malicious file disguised as a meeting client. This triggers the retrieval of **AUDIOFIX**, a Python-based macOS infostealer and remote access trojan, via a bash script hosted on a fake driver store domain ("apple.driver-store[.]com").
"The [bash] script downloaded an architecture-aware payload from the same domain, compatible with both Intel and Apple Silicon systems. The payload masqueraded as a system audio driver named coreaudiod, was saved as ChromeUpdater, and was executed via launchctl," **Wiz** explained.
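The launchctl persistence described above gives defenders something concrete to hunt for: a launchd job whose program is saved under a benign name (ChromeUpdater) while its label or name poses as Apple's coreaudiod, running from a user-writable path. The following script is an added example, not code from the Wiz report; the names ChromeUpdater and coreaudiod come from the article, while the plist samples, the user-writable path list and the scoring heuristics are assumptions made for illustration.

```python
"""Audit launchd plists for the masquerade/persistence pattern in the report.

Added example; the two sample plists are constructed, not recovered from a
real infection. Only the names ChromeUpdater and coreaudiod come from the
article, everything else is an assumption.
"""
import plistlib
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional

# Program names reported as indicators (lower-cased for comparison).
SUSPICIOUS_PROGRAM_NAMES = {"chromeupdater"}
# Where the genuine audio daemon lives on macOS.
LEGIT_COREAUDIOD = "/usr/sbin/coreaudiod"
# Locations an unprivileged user can write to; a launchd job running a binary
# from here is worth a second look (assumption-based heuristic).
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")
# Standard launchd job directories a reviewer would walk (assumption).
DEFAULT_JOB_DIRS = (
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
)


def program_of(job: dict) -> Optional[str]:
    """Return the executable a launchd job starts: Program wins over ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments")
    if args:
        return str(args[0])
    return None


def audit_launchd_plist(raw: bytes, source: str = "<memory>") -> List[str]:
    """Return human-readable findings for one plist; an empty list means nothing flagged."""
    findings: List[str] = []
    try:
        job = plistlib.loads(raw)
    except Exception as exc:  # a plist launchd cannot parse is itself notable
        return [f"{source}: unparseable plist ({exc})"]
    prog = program_of(job)
    if prog is None:
        return findings
    name = PurePosixPath(prog).name
    label = str(job.get("Label", ""))
    if name.lower() in SUSPICIOUS_PROGRAM_NAMES:
        findings.append(f"{source}: program name {name!r} matches a reported indicator")
    # A job that presents itself as coreaudiod but does not run Apple's binary
    # is exactly the masquerade the report describes.
    if "coreaudiod" in (label + name).lower() and prog != LEGIT_COREAUDIOD:
        findings.append(f"{source}: coreaudiod-themed job runs {prog}, expected {LEGIT_COREAUDIOD}")
    if prog.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"{source}: program lives in user-writable path {prog}")
    # Only note persistence flags when something else already looks wrong.
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append(f"{source}: RunAtLoad and KeepAlive set, job restarts itself")
    return findings


def audit_job_dirs(dirs=DEFAULT_JOB_DIRS) -> Dict[str, List[str]]:
    """Walk real launchd directories (if present) and collect findings per file."""
    report: Dict[str, List[str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            hits = audit_launchd_plist(plist.read_bytes(), str(plist))
            if hits:
                report[str(plist)] = hits
    return report


# Constructed sample: the pattern from the report (label poses as coreaudiod,
# binary saved as ChromeUpdater under the user's home, kept alive by launchd).
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>ProgramArguments</key>
  <array><string>/Users/dev/Library/Application Support/ChromeUpdater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample of an ordinary, benign agent for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup-agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for line in audit_launchd_plist(MALICIOUS_PLIST, "sample-malicious.plist"):
        print(line)
    print("benign findings:", audit_launchd_plist(BENIGN_PLIST, "sample-benign.plist"))
    for path, hits in audit_job_dirs().items():
        print(path, *hits, sep="\n  ")
```

Run as-is, the script audits the two embedded samples and then, on a Mac, walks the standard LaunchAgents and LaunchDaemons directories; elsewhere those directories simply do not exist and are skipped. The heuristics are deliberately narrow and will not catch a job that reuses a legitimate path, so treat a clean result as "nothing matched these indicators" rather than "nothing is installed".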

### AUDIOFIX Malware Details
**AUDIOFIX** steals sensitive data, facilitates lateral movement, and modifies source code to compromise other endpoints and steal cryptocurrency wallet credentials. The malware targets credentials from password managers, web browsers, and **iCloud Keychain** files, as well as local admin credentials, SSH keys, configuration files, and cryptocurrency wallet addresses.

In addition to data theft, **AUDIOFIX** supports commands for reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval.
### MiniRAT Backdoor
**JINX-0164** also utilizes **MiniRAT**, a Go-based backdoor previously distributed through a compromised version of the `@velora-dex/sdk` **npm** package, a legitimate DeFi toolkit used on the **VeloraDEX** decentralized exchange platform. This supply chain attack involved downloading a shell script that delivered a macOS-specific binary, **MiniRAT**, capable of uploading files, running shell commands, and fetching additional payloads.
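A package that pulls a shell script during installation is the kind of supply chain vector described above, and the first thing a defender wants is a quick answer to "is the named package in our dependency tree, and which packages in it run install scripts at all?" The script below is an added example, not code from Wiz or the VeloraDEX project. It reads the lockfile v2/v3 layout that npm writes to package-lock.json (the `packages` map, where entries with install hooks carry `"hasInstallScript": true`); the lockfile contents, the other package names and the version string for `@velora-dex/sdk` are constructed placeholders, since the article names no specific compromised version.

```python
"""Scan an npm package-lock.json for watchlisted packages and install scripts.

Added example. The embedded lockfile is constructed; the only name taken from
the report is @velora-dex/sdk, and its version below is a placeholder.
"""
import json
from typing import Dict, List

# Package names worth flagging; in practice this would come from threat intel.
WATCHLIST = {"@velora-dex/sdk"}


def package_name_from_key(key: str) -> str:
    """Map a 'packages' key like 'node_modules/@scope/pkg' to '@scope/pkg'.

    Nested installs look like 'node_modules/a/node_modules/b', so the segment
    after the last 'node_modules/' is the package name.
    """
    if key == "":
        return "<root>"
    return key.rsplit("node_modules/", 1)[-1]


def scan_lockfile(text: str) -> Dict[str, List[str]]:
    """Return watchlist hits and every package declaring an install script."""
    lock = json.loads(text)
    packages = lock.get("packages")
    if packages is None:
        # Lockfile v1 uses a nested 'dependencies' tree instead; out of scope here.
        raise ValueError("only lockfileVersion 2/3 ('packages' map) is supported")
    watch_hits: List[str] = []
    script_hits: List[str] = []
    for key, meta in packages.items():
        if key == "":  # the root project entry, not a dependency
            continue
        name = package_name_from_key(key)
        version = meta.get("version", "?")
        if name in WATCHLIST:
            watch_hits.append(f"{name}@{version}")
        # Packages that run preinstall/install/postinstall hooks are marked by npm
        # with hasInstallScript; each one is a place arbitrary code runs on install.
        if meta.get("hasInstallScript"):
            script_hits.append(f"{name}@{version}")
    return {"watchlist": sorted(watch_hits), "install_scripts": sorted(script_hits)}


# Constructed lockfile: one watchlisted package with an install hook, one
# unrelated package with an install hook, one plain package, one nested install.
SAMPLE_LOCKFILE = json.dumps({
    "name": "trading-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "1.0.0"},
        "node_modules/@velora-dex/sdk": {
            "version": "0.0.0-placeholder",
            "hasInstallScript": True,
        },
        "node_modules/native-helper": {"version": "2.1.0", "hasInstallScript": True},
        "node_modules/tiny-util": {"version": "1.4.2"},
        "node_modules/tiny-util/node_modules/semver": {"version": "7.0.0"},
    },
})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    result = scan_lockfile(text)
    print("watchlist hits:   ", result["watchlist"] or "none")
    print("install scripts:  ", result["install_scripts"] or "none")
```

Pass a real lockfile path as the first argument to scan a project; with no argument it scans the embedded sample. A watchlist hit is a name match only, so confirm the installed version against the vendor's advisory before acting on it, and review the install-script list regardless, since a trojanized package is only dangerous if something runs during install or at import time.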
### Potential North Korean Connection?
The campaign's tactics, coupled with the use of **Astrill VPN** and the focus on cryptocurrency and developers, share similarities with North Korean threat actors like **BlueNoroff**, **Contagious Interview**, and **UNC1069**. However, **Wiz** has found no infrastructure overlaps connecting **JINX-0164** to Pyongyang at this time.
"Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups," **Wiz** concluded.