JINX-0164 Cryptocurrency Malware: AUDIOFIX Wallet Theft (2026)

2026-05-28 Decryption Digest

https://www.decryptiondigest.com/blog/jinx-0164-audiofix-cryptocurrency-macos-malware

JINX-0164 is reported as a North Korea-linked financially motivated cluster targeting cryptocurrency firms and developers through fake LinkedIn recruiter lures, spoofed meeting sites, and macOS malware. AUDIOFIX steals wallet extension data, desktop wallet credentials, browser credentials, SSH keys, cloud tokens, collaboration tokens, Telegram data, and clipboard history, then exfiltrates them to operator C2 infrastructure. The group also compromised `@velora-dex/sdk` version 4.9.1 to install the Go-based MiniRAT backdoor in developer and CI/CD environments. Wiz assessed the activity as behaviorally consistent with North Korean cryptocurrency-theft operations, while noting no confirmed infrastructure overlap with previously tracked DPRK clusters.
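As an added example (not code from the Decryption Digest page or from Wiz's report), the following Python check scans an npm lockfile for the compromised `@velora-dex/sdk` 4.9.1 release named above, handling both the flat v2/v3 `packages` map and the nested v1 `dependencies` tree; the sample lockfile is constructed for illustration.

```python
"""Flag the compromised @velora-dex/sdk 4.9.1 release in npm lockfiles."""
import json

# Trojanised package and version as named in the report.
COMPROMISED = {"@velora-dex/sdk": {"4.9.1"}}


def _walk_v1(deps, path, hits):
    # lockfileVersion 1 nests transitive installs under "dependencies".
    for name, meta in (deps or {}).items():
        ver = meta.get("version")
        if ver in COMPROMISED.get(name, set()):
            hits.append((name, ver, "/".join(path + [name])))
        _walk_v1(meta.get("dependencies"), path + [name], hits)


def find_compromised(lockfile_text):
    """Return (name, version, install_path) for every compromised install."""
    lock = json.loads(lockfile_text)
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for pkg_path, meta in lock.get("packages", {}).items():
        if not pkg_path:
            continue  # "" is the root project entry, not a dependency
        name = pkg_path.split("node_modules/")[-1]
        ver = meta.get("version")
        if ver in COMPROMISED.get(name, set()):
            hits.append((name, ver, pkg_path))
    if "packages" not in lock:  # v1 lockfiles only carry "dependencies"
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


# Constructed sample (v3 layout): a clean direct install plus the bad
# release pulled in transitively by a hypothetical "some-dex-ui" package.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-dapp", "version": "1.0.0"},
        "node_modules/@velora-dex/sdk": {"version": "4.9.0"},
        "node_modules/some-dex-ui/node_modules/@velora-dex/sdk": {"version": "4.9.1"},
    },
})

if __name__ == "__main__":
    for name, ver, where in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{ver} at {where}")
```

Run it against each repository's and CI runner's `package-lock.json`; a hit anywhere in the tree, including nested copies, is a signal to rotate the credentials and tokens the report lists as targets.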

Indicators of Compromise
