JINX-0164 Cryptocurrency Malware: AUDIOFIX Wallet Theft (2026)
2026-05-28 • Decryption Digest
https://www.decryptiondigest.com/blog/jinx-0164-audiofix-cryptocurrency-macos-malware
JINX-0164 is reported as a North Korea-linked, financially motivated cluster targeting cryptocurrency firms and developers through fake LinkedIn recruiter lures, spoofed meeting sites, and macOS malware. AUDIOFIX steals wallet extension data, desktop wallet credentials, browser credentials, SSH keys, cloud tokens, collaboration tokens, Telegram data, and clipboard history, then exfiltrates them to operator C2 infrastructure. The group also compromised `@velora-dex/sdk` version 4.9.1 so that installing it deploys the Go-based MiniRAT backdoor in developer and CI/CD environments. Wiz assessed the activity as behaviorally consistent with North Korean cryptocurrency-theft operations, while noting no confirmed infrastructure overlap with previously tracked DPRK clusters.
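A defender-side check for the supply-chain compromise described above, added here as an example (not code from Decryption Digest, Wiz, or the `@velora-dex/sdk` project): it scans `package-lock.json` (lockfileVersion 1 and 2/3) and `yarn.lock` text for the compromised 4.9.1 release. Only the package name and version come from the report; the sample lockfile content is constructed.

```python
import json
import re

# Package and version named in the report; extend this map as needed.
COMPROMISED = {"@velora-dex/sdk": {"4.9.1"}}


def _walk_v1(deps, path, hits):
    # lockfileVersion 1 nests transitive deps under "dependencies".
    for name, meta in (deps or {}).items():
        ver = meta.get("version")
        if ver in COMPROMISED.get(name, ()):
            hits.append((name, ver, "/".join(path + [name])))
        _walk_v1(meta.get("dependencies"), path + [name], hits)


def find_in_package_lock(text):
    """Return (name, version, location) for every compromised entry."""
    lock, hits = json.loads(text), []
    if "packages" in lock:  # lockfileVersion 2/3: flat node_modules map
        for loc, meta in lock["packages"].items():  # "" key is the root
            name = meta.get("name") or loc.rsplit("node_modules/", 1)[-1]
            if loc and meta.get("version") in COMPROMISED.get(name, ()):
                hits.append((name, meta["version"], loc))
    else:
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


# yarn.lock entry: header `"@velora-dex/sdk@^4.9.0":` then `  version "4.9.1"`
YARN_HDR = re.compile(r'^"?(@?[^@"\s]+)@')
YARN_VER = re.compile(r'^\s+version:?\s+"?([^"\s]+)"?')


def find_in_yarn_lock(text):
    """Return (name, version, location) for every compromised yarn entry."""
    hits, name = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            m = YARN_HDR.match(line)
            name = m.group(1) if m else None
        elif name:
            m = YARN_VER.match(line)
            if m and m.group(1) in COMPROMISED.get(name, ()):
                hits.append((name, m.group(1), "yarn.lock"))
    return hits


# Constructed sample (not a real lockfile): one hit next to a clean entry.
SAMPLE_YARN = '"@velora-dex/sdk@^4.9.0":\n  version "4.9.1"\n\nleft-pad@^1.0.0:\n  version "1.3.0"\n'
```

Run the two functions over each lockfile committed in a repository or present in a CI cache; an empty list means the compromised release is not pinned there.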
Indicators of Compromise