APT / THREAT GROUP | 💰 FINANCIAL | HIGH

JINX-0164

🇰🇵 North Korea-attributed
Aliases: 1
Last seen: Jun 5, 2026

Intelligence Profile

JINX-0164 is a financially motivated threat actor active since mid-2025, primarily targeting software developers through recruitment-themed social engineering to steal cryptocurrencies and conduct supply chain attacks. Their operations have focused on macOS devices, utilizing malware such as AUDIOFIX and MINIRAT, with a notable supply chain compromise involving the trojanization of an npm package. The actor employs a shell script for initial system profiling and payload delivery, often spoofing legitimate services like Microsoft Teams and cryptocurrency companies. JINX-0164's infrastructure includes numerous lookalike domains and utilizes VPN exit nodes for accessing victim systems.

Threat Analysis

JINX-0164 is a high-sophistication threat actor attributed to North Korea, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like JINX-0164 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, JINX-0164 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Origin: 🇰🇵 North Korea
Aliases: 1
Source: Malpedia

Also Known As

JINX-0164

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.