JINX-0164, a sophisticated threat actor, has launched a targeted campaign against cryptocurrency firms using fake recruiter lures to deliver macOS malware. This attack specifically targets employees in the cryptocurrency sector, particularly those involved in development and operations roles, with the apparent goal of compromising systems to steal cryptocurrency assets and sensitive information.
The attack leverages social engineering through fake recruitment emails that appear to come from legitimate headhunters or cryptocurrency firms. These emails contain malicious attachments that, when opened, deploy a previously undocumented macOS malware variant designed to establish persistence, exfiltrate data, and potentially facilitate unauthorized cryptocurrency transactions.
For defenders in the cryptocurrency sector, this threat represents a significant risk to financial assets and intellectual property. The targeted nature of the campaign suggests intelligence gathering and possibly prior reconnaissance by the threat actor, making immediate defensive actions critical.
Technical Analysis
Affected Products, Versions, and Platforms
The JINX-0164 campaign primarily targets:
- macOS systems (recent versions including macOS Ventura and macOS Sonoma)
- Cryptocurrency trading platforms and wallet software
- Development environments for blockchain applications
Attack Vector and Mechanism
The attack follows a sophisticated social engineering pattern:
-
Initial Contact: Victims receive personalized recruitment emails appearing to come from legitimate cryptocurrency firms or specialized headhunters.
-
Malicious Payload: The emails contain a PDF or ZIP file that appears to be a job description or portfolio, but actually includes a malicious component.
-
Payload Delivery: When opened, the file exploits macOS Gatekeeper or User-Assisted Execution techniques to run unsigned or maliciously signed code.
-
Malware Installation: The malware establishes persistence through LaunchAgents or LaunchDaemons, often masquerading as legitimate software updates or system components.
-
Capabilities: Once installed, the malware can:
- Capture keystrokes and clipboard data (to intercept cryptocurrency wallet credentials)
- Take screenshots at regular intervals
- Establish remote command and control (C2) connections
- Download additional payloads
- Exfiltrate sensitive files and browser data
Exploitation Status
The JINX-0164 campaign represents an active, ongoing threat with confirmed exploitation in the wild. The use of social engineering combined with macOS-specific malware indicates a level of sophistication beyond typical financially motivated attacks. While no specific CVE has been assigned to this campaign, it leverages vulnerabilities in human psychology rather than technical vulnerabilities in macOS itself.
Detection & Response
SIGMA Rules
---
title: Potential JINX-0164 Recruiter Phishing Attachment Execution
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects execution of applications from downloads initiated by suspicious recruiter-themed emails
references:
- https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.initial_access
- attack.t1566.001
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: macos
detection:
selection:
Image|contains: '/Users/'
Image|contains: '/Downloads/'
Image|endswith: '.app/Contents/MacOS/'
filter:
Image|notcontains:
- '/Applications/'
- '/Library/'
condition: selection and not filter
falsepositives:
- Legitimate software installation
level: medium
---
title: Suspicious LaunchAgent Persistence Common to JINX-0164
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: experimental
description: Detects creation of suspicious LaunchAgent entries commonly used by macOS malware for persistence
references:
- https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.persistence
- attack.t1543.001
logsource:
category: file_event
product: macos
detection:
selection:
TargetFilename|contains: '/Library/LaunchAgents/'
TargetFilename|endswith: '.plist'
condition: selection
falsepositives:
- Legitimate software installations
level: medium
---
title: macOS Cryptocurrency-Related Process Injection Indicator
id: c3d4e5f6-a7b8-9012-cdef-123456789012
status: experimental
description: Detects process injection techniques often employed by macOS malware targeting cryptocurrency applications
references:
- https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.defense_evasion
- attack.t1055.003
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/inject'
ParentImage|contains:
- 'Coinbase'
- 'Binance'
- 'MetaMask'
- 'Ledger Live'
- 'Exodus'
condition: selection
falsepositives:
- Legitimate security software
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for JINX-0164 related indicators on macOS endpoints
DeviceProcessEvents
| where Timestamp > ago(30d)
| where DevicePlatform == "Mac"
| where (FolderPath contains "/Downloads/" and ProcessVersionInfoFileDescription in~ ("Application", "Installer"))
or (ProcessCommandLine contains "cryptocurrency" or ProcessCommandLine contains "blockchain")
or (FolderPath contains "LaunchAgents" and ProcessCommandLine contains "/bin/bash")
| extend FileName = split(FolderPath, "\\")[-1]
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for JINX-0164 related persistence mechanisms
SELECT
OSPath.Basename,
OSPath.Path,
Mtime,
Atime,
Size,
Data.Size as DataSize
FROM glob(globs='/*/*/Library/LaunchAgents/*.plist')
WHERE OSPath.Path AND NOT OSPath.Path =~ '/Applications/'
-- Hunt for suspicious macOS processes from Downloads directory
SELECT Pid, Ppid, Name, Exe, Username, Cmdline, StartTime
FROM pslist()
WHERE Exe =~ '/Downloads/' AND Name =~ '.app'
-- Hunt for network connections to known C2 infrastructure patterns
SELECT Fd.Address, Fd.Port, Pid.Name, Pid.Username, State
FROM netstat()
WHERE Fd.Address =~ '(192.168.|10.|172.(1[6-9]|2[0-9]|3[01]).)' AND Fd.Port IN (443, 80, 8080)
AND Pid.Name NOT IN ('Chrome', 'Safari', 'Firefox', 'Edge')
Remediation Script
#!/bin/bash
# JINX-0164 macOS Malware Detection and Remediation Script
# This script checks for indicators of JINX-0164 infection and removes identified threats
# Function to log actions
log_action() {
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $1" >> /var/log/jinx_0164_remediation.log
}
log_action "Starting JINX-0164 detection and remediation"
# Check for suspicious LaunchAgents
log_action "Scanning for suspicious LaunchAgents"
for plist in ~/Library/LaunchAgents/*.plist /Library/LaunchAgents/*.plist; do
if [[ -f "$plist" ]]; then
# Check for suspicious entries
if grep -qi "cryptocurrency\|wallet\|blockchain\|miner" "$plist" 2>/dev/null; then
log_action "Suspicious LaunchAgent found: $plist"
echo "[WARNING] Suspicious LaunchAgent: $plist"
# Comment out the actual removal for safety, uncomment after verification
# launchctl unload "$plist" 2>/dev/null
# rm "$plist"
fi
fi
done
# Check for suspicious processes
log_action "Scanning for suspicious processes"
suspicious_procs=$(ps aux | grep -iE "Downloads/.*\.app|inject|malware" | grep -v grep)
if [[ -n "$suspicious_procs" ]]; then
log_action "Suspicious processes detected:\n$suspicious_procs"
echo "[WARNING] Suspicious processes detected:"
echo "$suspicious_procs"
fi
# Check for suspicious files in Downloads directory
log_action "Scanning Downloads directory for suspicious files"
for file in ~/Downloads/*.{app,dmg,pkg,zip}; do
if [[ -f "$file" ]]; then
# Check for unsigned applications
if [[ "$file" == *.app ]]; then
if ! codesign -dv "$file" &>/dev/null; then
log_action "Unsigned application found: $file"
echo "[WARNING] Unsigned application: $file"
fi
fi
fi
done
# Check for suspicious browser extensions
log_action "Scanning for suspicious browser extensions"
browser_dirs=(
"~/Library/Application Support/Google/Chrome/Default/Extensions"
"~/Library/Application Support/Mozilla/Firefox/Profiles"
"~/Library/Application Support/BraveSoftware/Brave-Browser/Default/Extensions"
"~/Library/Safari/Extensions"
)
for dir in "${browser_dirs[@]}"; do
if [[ -d "$dir" ]]; then
suspicious_ext=$(find "$dir" -name "manifest." -exec grep -l "cryptocurrency\|wallet\|private.*key" {} \; 2>/dev/null)
if [[ -n "$suspicious_ext" ]]; then
log_action "Suspicious browser extension found: $suspicious_ext"
echo "[WARNING] Suspicious browser extension: $suspicious_ext"
fi
fi
done
# Recommendations for remediation and hardening
log_action "Generating remediation recommendations"
echo "\n=== REMEDIATION RECOMMENDATIONS ==="
echo "1. Review and remove suspicious LaunchAgents identified above"
echo "2. Terminate any suspicious processes and investigate their origin"
echo "3. Delete or quarantine suspicious files in Downloads"
echo "4. Review and remove suspicious browser extensions"
echo "5. Update macOS to the latest version"
echo "6. Enable full disk encryption (FileVault)"
echo "7. Enable two-factor authentication for all accounts"
echo "8. Rotate all credentials, especially cryptocurrency wallet credentials"
echo "9. Review account activity on cryptocurrency platforms"
echo "10. Consider performing a full system scan with reputable macOS security software"
log_action "JINX-0164 detection and remediation complete"
Remediation
To effectively protect against the JINX-0164 campaign and mitigate the impact of potential infections, cryptocurrency firms should implement the following remediation steps:
Immediate Actions
-
User Awareness Training: Conduct immediate security awareness training focusing on:
- Identifying phishing attempts disguised as recruitment opportunities
- Verification procedures for unsolicited recruitment communications
- Proper handling of unexpected file attachments, especially from recruitment sources
-
System Scans: Perform thorough scans of all macOS systems using reputable endpoint detection and response (EDR) solutions specifically capable of detecting macOS malware.
-
Credential Rotation: Immediately rotate credentials for:
- Cryptocurrency exchange accounts
- Digital wallets
- Development environments
- VPNs and remote access systems
Technical Countermeasures
-
Email Security Implementation:
- Deploy DMARC, SPF, and DKIM to prevent email spoofing
- Implement email filtering solutions that can detect recruitment-themed phishing
- Sandbox all attachments from external sources
-
Endpoint Hardening:
- Ensure all macOS systems are updated to the latest security patches
- Enable Gatekeeper to restrict execution of unsigned applications
- Implement application whitelisting for critical systems
- Configure strong password policies and enable FileVault
-
Network Controls:
- Implement DNS filtering to block connections to known malicious domains
- Monitor and restrict outbound traffic from macOS endpoints
- Deploy network segmentation to limit lateral movement
-
Continuous Monitoring:
- Implement 24/7 SOC monitoring for macOS-specific threat indicators
- Deploy EDR solutions with behavioral analysis capabilities
- Regularly review logs for suspicious activities related to file execution and persistence mechanisms
Long-term Protective Measures
-
Security Assessment: Conduct a comprehensive security assessment of:
- macOS endpoint security posture
- Cryptocurrency storage and handling procedures
- Third-party vendor security (especially recruitment partners)
-
Incident Response Planning: Develop and test an incident response plan specifically tailored to cryptocurrency-related threats and macOS platforms.
-
Supply Chain Security: Implement security controls to verify the legitimacy of recruitment firms and other third-party services.
-
Cryptocurrency-Specific Controls:
- Implement hardware wallets for storage of significant cryptocurrency assets
- Require multi-person approval for large transactions
- Regularly audit cryptocurrency wallet addresses and transaction history
- Implement dedicated, isolated systems for cryptocurrency operations
Vendor Advisories and Resources
- Apple Security Updates: https://support.apple.com/en-us/HT201222
- CISA Advisories: https://www.cisa.gov/news-events/cybersecurity-advisories
- MITRE ATT&CK for macOS: https://attack.mitre.org/matrices/enterprise/macos/
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.