Woodgnat Access Broker & JINX-0164 macOS Campaigns: Mistic, ModeloRAT, AUDIOFIX — OTX Detection Pack

Security Arsenal Team
June 29, 2026

Threat Summary

Current OTX pulse data indicates a surge in sophisticated intrusion activity spanning financially motivated ransomware access brokering, cryptocurrency-focused supply chain attacks, and state-sponsored espionage.

The Woodgnat threat actor is actively peddling access to Insurance, Education, and Technology sectors using the stealthy Mistic backdoor and ModeloRAT, likely serving as a precursor for Qilin and Black Basta ransomware deployments. Simultaneously, JINX-0164 is targeting cryptocurrency developers via LinkedIn social engineering and malicious npm packages, deploying the AUDIOFIX Python RAT on macOS. Separately, the North Korean Kimsuky APT group continues to evolve its KimJongRAT infrastructure, abusing GitHub Releases to distribute payloads.

Collectively, these campaigns highlight a dangerous trend: the commoditization of initial access (Woodgnat), the targeting of the software supply chain (JINX-0164), and the abuse of trusted developer platforms (Kimsuky).

Threat Actor / Malware Profile

1. Woodgnat (Initial Access Broker)

  • Malware Families: Mistic (Backdoor), ModeloRAT, MintsLoader, GateKeeper.
  • Distribution: Social engineering and DLL sideloading techniques.
  • Behavior: Mistic acts as a stealthy backdoor providing remote access. Woodgnat often deploys it alongside ModeloRAT to maintain persistence and gather intelligence before handing over access to ransomware affiliates (e.g., Qilin, Akira).
  • Persistence: Likely utilizes registry run keys or scheduled tasks set up by the loaders.

2. JINX-0164 (Crypto-Threat Actor)

  • Malware Families: AUDIOFIX (Python Infostealer/RAT), MINIRAT (Go Backdoor).
  • Distribution: LinkedIn phishing (recruiter personas), trojanized npm packages, and CI/CD hijacking.
  • Behavior: AUDIOFIX targets macOS to steal credentials and system info. The actor specifically focuses on cryptocurrency organizations and developers to bypass traditional Windows-heavy defenses.
  • C2 Communication: Connects to domains mimicking legitimate software updates (e.g., driver-updater.net).

3. Kimsuky (APT37 / Reaper)

  • Malware Families: KimJongRAT, MeshAgent.
  • Distribution: Phishing emails with shortened URLs pointing to GitHub Releases hosting malicious ZIP files.
  • Behavior: KimJongRAT combines info-stealing and remote access capabilities. MeshAgent provides remote control.
  • Infrastructure: Uses compromised domains and cloud hosting (e.g., servequake.com) for C2.

IOC Analysis

The provided IOCs represent a mix of infrastructure and payload artifacts:

  • Domains & Hostnames: A significant number of C2 domains (grande-luna.top, human-check.top, driver-updater.net, corpsecs.com). SOC teams should immediately block these at the perimeter and DNS layers.
  • File Hashes (SHA256): Payload hashes for Mistic, AUDIOFIX, and KimJongRAT. These should be added to EDR block policies.
  • URLs: Installation scripts (install.sh) and C2 check-in endpoints (agent.ashx). These are critical for creating network-based signatures.

Operational Guidance:

  1. EDR: Hunt for the specific SHA256 hashes.
  2. SIEM: Correlate DNS requests for the listed domains with process execution events.
  3. Network: Inspect TLS traffic to these domains; many use valid certificates, so TLS interception at the proxy is required to see the payloads rather than just the SNI.
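Step 2 above (correlating DNS requests for the listed domains with process execution) is shown here as an added example, not part of the original detection pack: it parses constructed sample telemetry and pairs each query for a listed domain with the processes that started on the same host shortly before. The log format and the 30-second lookback window are assumptions.

```python
from datetime import datetime, timedelta

# Domains from this report, grouped by the actor the report attributes them to.
ACTOR_DOMAINS = {
    "Woodgnat/Mistic": ("grande-luna.top", "human-check.top", "mueleer.com", "thomphon.com"),
    "JINX-0164/AUDIOFIX": ("driver-updater.net", "live.us.org", "teamicrosoft.com"),
    "Kimsuky/KimJongRAT": ("servequake.com", "corpsecs.com"),
}

# Constructed sample telemetry (assumed format): "<timestamp> <host> <kind> key=value ...".
SAMPLE_LOG = """\
2026-06-29T10:00:05 WS01 PROC image=C:\\Windows\\System32\\rundll32.exe parent=C:\\Office16\\WINWORD.EXE
2026-06-29T10:00:09 WS01 DNS query=cdn.grande-luna.top
2026-06-29T10:00:10 WS02 PROC image=C:\\Windows\\explorer.exe parent=C:\\Windows\\System32\\userinit.exe
2026-06-29T10:05:00 WS02 DNS query=updates.corpsecs.com
2026-06-29T10:05:30 WS03 DNS query=www.example.org
"""

def attribute(hostname):
    """Map a queried name to an actor label; matches the listed domain or any subdomain of it."""
    h = hostname.lower().rstrip(".")
    for actor, domains in ACTOR_DOMAINS.items():
        if any(h == d or h.endswith("." + d) for d in domains):
            return actor
    return None

def parse(text):
    """Turn the constructed log lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, kind, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        event.update(f.split("=", 1) for f in fields)
        events.append(event)
    return events

def correlate(events, window=timedelta(seconds=30)):
    """Pair each DNS query for a listed domain with processes started on the same host
    within `window` before the query; an empty process list means the resolver is unknown."""
    procs = [e for e in events if e["kind"] == "PROC"]
    hits = []
    for q in (e for e in events if e["kind"] == "DNS"):
        actor = attribute(q["query"])
        if actor is None:
            continue
        near = [p["image"] for p in procs
                if p["host"] == q["host"] and timedelta(0) <= q["ts"] - p["ts"] <= window]
        hits.append({"host": q["host"], "query": q["query"], "actor": actor, "processes": near})
    return hits
```

A hit with an empty process list still deserves triage: it means the query came from a process outside the lookback window, or from one whose creation event was not logged.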

Detection Engineering

Sigma Rules

YAML
title: Potential Woodgnat Mistic Backdoor Sideloading Activity
id: 488f2834-5f7c-4a2b-9e1d-8c3a4b5d6e7f
description: Detects suspicious child processes spawned by common Microsoft Office applications or signed binaries that may indicate DLL sideloading used by Woodgnat to deploy Mistic.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667d7b8f8c4a4f6c8d9e0a1b
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
            - '\rundll32.exe'
    selection_child:
        # Image is the child process executable; a DLL path never appears in this field.
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - '/C'
            - '-enc'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate macro usage
level: high
tags:
    - attack.persistence
    - attack.t1574.002
    - attack.initial_access
    - woodgnat
    - mistic
---
title: JINX-0164 AUDIOFIX macOS Network Connection
id: 11223344-5566-7788-99aa-bbccddeeff00
description: Detects outbound network connections from macOS endpoints to known JINX-0164 C2 infrastructure used by AUDIOFIX or MINIRAT.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667f9a2b1c2d3e4f5a6b7c8d
logsource:
    category: network_connection
    product: macos
detection:
    selection:
        DestinationHostname|contains:
            - 'driver-updater.net'
            - 'live.us.org'
            - 'teamicrosoft.com' # Typosquatting
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.c2
    - attack.command_and_control
    - attack.t1071.001
    - jinx-0164
    - audiofix
---
title: Kimsuky KimJongRAT GitHub Abuse and C2 Traffic
id: aabbccdd-1122-3344-5566-77889900aabb
description: Detects processes contacting Kimsuky C2 infrastructure or downloading artifacts from suspicious GitHub-like URLs associated with KimJongRAT.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667e8c9d0e1f2a3b4c5d6e7f
logsource:
    category: network_connection
    product: windows
detection:
    selection_domains:
        DestinationHostname|endswith:
            - 'servequake.com'
            - 'corpsecs.com'
    # RequestUrl is only populated by sources that log full URLs (proxy/web logs);
    # Sysmon network_connection events carry hostnames only.
    selection_meshagent:
        RequestUrl|contains: 'agent.ashx'
    selection_github_zip:
        # Both substrings are required so that an ordinary ZIP download alone does not fire.
        RequestUrl|contains|all:
            - 'releases/download'
            - '.zip'
    condition: 1 of selection*
falsepositives:
    - Legitimate GitHub usage (verify specific URLs)
level: high
tags:
    - attack.command_and_control
    - attack.t1102
    - kimsuky
    - kimjongrat
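To check the semantics of the first rule above before deploying it, here is an added example in Python (not part of the original pack, and not a Sigma library): it evaluates the rule's two selections over constructed process_creation events. A selection map is an AND of its fields, a list of values is an OR, and string matching is case-insensitive, as in Sigma; only the modifiers the rules use are handled.

```python
# Minimal evaluator for the Sigma selections used in this pack (constructed here, not a Sigma library).
# The rule below mirrors the parent/child executable values of the Mistic sideloading rule.
MISTIC_SIDELOAD_RULE = {
    "selection_parent": {
        "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE", "\\rundll32.exe"],
    },
    "selection_child": {
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        "CommandLine|contains": ["/C", "-enc"],
    },
}

def field_matches(spec, wanted, event):
    """Evaluate one 'Field|modifier: value(s)' line; a list of values is an OR."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()          # Sigma matching is case-insensitive
    values = [str(v).lower() for v in (wanted if isinstance(wanted, list) else [wanted])]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in values)
    if modifier == "contains":
        return any(v in actual for v in values)
    if modifier == "contains|all":
        return all(v in actual for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection, event):
    return all(field_matches(spec, wanted, event) for spec, wanted in selection.items())  # map = AND

def mistic_rule_matches(event):
    """condition: selection_parent and selection_child"""
    return (selection_matches(MISTIC_SIDELOAD_RULE["selection_parent"], event)
            and selection_matches(MISTIC_SIDELOAD_RULE["selection_child"], event))

# Constructed sample process_creation events (paths and arguments are made up).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand <base64-placeholder>"},
    {"ParentImage": "C:\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\macros\\report.ps1"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /C whoami"},
    {"ParentImage": "c:\\windows\\system32\\rundll32.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo sideload"},
]

def matching_indices(events):
    return [i for i, e in enumerate(events) if mistic_rule_matches(e)]
```

Events 0 and 3 match; event 1 does not because the child selection needs both a listed Image and a listed CommandLine substring, and event 2 fails on the parent.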

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to specific C2 domains and IOCs from the pulses
let IOCs = dynamic([
    "grande-luna.top", "human-check.top", "mueleer.com", "thomphon.com", 
    "driver-updater.net", "live.us.org", "teamicrosoft.com", 
    "servequake.com", "corpsecs.com"
]);
DeviceNetworkEvents
// RemotePort 8443 on its own is a weak signal and will be noisy; keep it only while tuning
| where RemoteUrl has_any (IOCs) or RemotePort == 8443
| extend ThreatIntel = case(
    RemoteUrl has_any ("grande-luna", "human-check", "mueleer", "thomphon"), "Woodgnat/Mistic",
    RemoteUrl has_any ("driver-updater", "live.us.org", "teamicrosoft"), "JINX-0164/AUDIOFIX",
    RemoteUrl has_any ("servequake", "corpsecs"), "Kimsuky/KimJongRAT",
    "Unknown"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ThreatIntel
| sort by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunter for Woodgnat, JINX-0164, and Kimsuky Indicators
# Requires Admin Privileges

$IOC_Hashes = @(
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "b6cab0b3aa8e5624247f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"
)

$IOC_Domains = @(
    "grande-luna.top", "human-check.top", "mueleer.com",
    "driver-updater.net", "live.us.org",
    "servequake.com", "corpsecs.com"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
# Hash each file once and look it up in a set, instead of re-walking the whole disk for every IOC hash.
$hashSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$IOC_Hashes, [System.StringComparer]::OrdinalIgnoreCase)
Get-ChildItem -Path C:\ -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($h -and $hashSet.Contains($h)) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) ($h)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking DNS Cache for C2 domains..." -ForegroundColor Cyan
$dnsEntries = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $IOC_Domains) {
    # Not named $matches: that is PowerShell's automatic regex-result variable.
    $dnsHits = $dnsEntries | Where-Object { $_.Entry -like "*$domain*" }
    if ($dnsHits) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $domain" -ForegroundColor Red
        $dnsHits | Format-Table Entry, Data, Type
    }
}

Write-Host "[+] Checking Hosts file..." -ForegroundColor Cyan
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    foreach ($domain in $IOC_Domains) {
        # Escape the dots so the domain is matched literally, and skip commented-out lines.
        $hostHits = $hostsContent | Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($domain) }
        if ($hostHits) {
            Write-Host "[!] SUSPICIOUS HOSTS FILE ENTRY: $domain detected in $hostsPath" -ForegroundColor Red
            $hostHits | ForEach-Object { Write-Host "    $_" }
        }
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate (0-4h): Block all listed domains and IPs at the firewall and proxy. Block the specific file hashes via EDR policies. Isolate any endpoints with confirmed hits on the SHA256 indicators.
  • 24h: Conduct a credential audit for users in targeted sectors (Insurance, Tech, Crypto) who may have been exposed to the Woodgnat or JINX-0164 phishing campaigns. Force password resets and enable MFA if not already active.
  • 1 Week: Review LinkedIn messaging policies and implement training regarding "recruiter" social engineering (JINX-0164). Audit software development pipelines for unauthorized npm packages or GitHub integrations (Kimsuky/JINX vector). Restrict the use of personal GitHub repositories in corporate build pipelines.
