← feed

wiz.2026.jinx-0164-audiofix-fake-driver-macos

JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.

confirmed IIM v1.1 JINX-0164
Raw JSON
entities16
relations16
techniques3
published2026-05-28 13:44:27

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

url

LinkedIn recruiter / business-partner outreach leading to fake meeting lure

IIM-T010
2
entry

url

https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac

IIM-T010IIM-T020
3
staging

url

https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh

IIM-T020
4
payload

url

https://apple.driver-store.com/mac/arm/driver/coreaudiod

IIM-T020
5
payload

url

https://apple.driver-store.com/mac/intel/driver/coreaudiod

IIM-T020
6
payload

hash

65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6

7
payload

hash

0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21

8
staging

file

~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist

9
c2

domain

datahub.ink

IIM-T011
10
c2

domain

cloud-sync.online

IIM-T011
11
c2

domain

byte-io.us

IIM-T011
12
c2

ip

208.115.220.17

13
c2

ip

185.175.59.85

14
staging

ip

153.92.126.84

15
payload

ip

89.36.224.5

16
payload

ip

84.32.83.250

Relations

directed infrastructure edges
e001referencese002 confirmed
e002downloade003 confirmed
e003downloade004 confirmed
e003downloade005 confirmed
e004referencese006 likely
e005referencese007 likely
e006dropse008 confirmed
e007dropse008 confirmed
e006connecte009 confirmed
e006connecte010 confirmed
e006connecte011 confirmed
e009resolves-toe012 confirmed
e009resolves-toe013 confirmed
e003resolves-toe014 confirmed
e004resolves-toe015 confirmed
e004resolves-toe016 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 url LinkedIn recruiter / business-partner outreach leading to fake meeting lure
Wiz states the actor contacted victims via LinkedIn while impersonating a potential business partner or recruiter.
Wiz states the meeting invite linked to a malicious domain disguised as a legitimate conferencing platform such as Microsoft Teams.
This entity is modeled as the social-engineering entry vector; the exact profile URL is not published by Wiz.
e002 url https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac
Wiz cites a public case where a victim was directed to a fake help page at this URL after a purported Microsoft Teams interview problem.
Wiz says the page instructed the victim to execute a command that downloaded an AUDIOFIX payload.
The domain bitget-meeting.com and subdomains are listed in Wiz network indicators as meeting spoofing infrastructure.
e003 url https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh
Wiz publishes the command that fetches this shell script from apple.driver-update.io.
Wiz lists driver-update.io and apple.driver-update.io as payload delivery infrastructure resolving to 153.92.126.84.
Wiz identifies a dropper hash for Fake audio fix delivered via apple.driver-update.io: 402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c.
e004 url https://apple.driver-store.com/mac/arm/driver/coreaudiod
Wiz shows an example dropper script that downloads the ARM payload from https://apple.driver-store.com/mac/arm/driver/coreaudiod.
Wiz says the script downloaded an architecture-aware payload from the same domain and that the payload masqueraded as a system audio driver named coreaudiod.
driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250.
e005 url https://apple.driver-store.com/mac/intel/driver/coreaudiod
Wiz shows an example dropper script that downloads the Intel payload from https://apple.driver-store.com/mac/intel/driver/coreaudiod.
Wiz states the payload was compatible with both Intel and Apple Silicon systems.
driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250.
e006 hash 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6
Wiz lists this SHA-256 as AUDIOFIX HTTPS/ARM64 malware.
Wiz describes AUDIOFIX as a compiled Python infostealer and backdoor used by JINX-0164.
Wiz states AUDIOFIX can exfiltrate secrets, execute Python modules and shell commands, and communicate with C2 over HTTPS.
e007 hash 0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21
Wiz lists this SHA-256 as AUDIOFIX HTTPS/x86_64 malware.
Wiz describes AUDIOFIX as a compiled Python information stealer and backdoor.
Wiz states the variant observed in the incident communicated with its C2 over HTTPS.
e008 file ~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist
Wiz lists this path as persistence of the Python RAT.
Wiz states AUDIOFIX persistence is established via LaunchAgent with RunAtLoad and KeepAlive flags while masquerading as legitimate applications such as Microsoft Teams.
The entity models host persistence created after payload execution, not external network infrastructure.
e009 domain datahub.ink
Wiz states both MINIRAT and AUDIOFIX have the same three domains hard-coded for C2, with datahub.ink as the primary.
Wiz lists datahub.ink as a C&C domain resolving to 208.115.220.17 and 185.175.59.85.
Wiz states at publication only the primary C2 domain had been identified resolving.
e010 domain cloud-sync.online
Wiz lists cloud-sync.online as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT.
Wiz lists cloud-sync.online in C&C domains with no resolved IP at publication.
Modeled as C2 because it is embedded in the malware as a fallback C2 server.
e011 domain byte-io.us
Wiz lists byte-io.us as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT.
Wiz lists byte-io.us in C&C domains with no resolved IP at publication.
Modeled as C2 because it is embedded in the malware as a fallback C2 server.
e012 ip 208.115.220.17
Wiz lists datahub.ink resolving to 208.115.220.17 in the C&C domain IOC table.
This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report.
e013 ip 185.175.59.85
Wiz lists datahub.ink resolving to 185.175.59.85 in the C&C domain IOC table.
This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report.
e014 ip 153.92.126.84
Wiz lists driver-update.io and apple.driver-update.io resolving to 153.92.126.84.
This IP is modeled as infrastructure behind the payload-delivery domain used by the published fake audio-fix command.
e015 ip 89.36.224.5
Wiz lists driver-store.com and apple.driver-store.com resolving to 89.36.224.5 and 84.32.83.250.
The same IP is also used by the supply-chain installer path in the @velora-dex/sdk operation.
In this chain, the IP is modeled as resolved infrastructure for driver-store.com payload delivery.
e016 ip 84.32.83.250
Wiz lists driver-store.com and apple.driver-store.com resolving to 84.32.83.250.
This IP is modeled as resolved infrastructure for the driver-store.com payload delivery layer.

ATT&CK annotations

optional complementary mapping
T1566.002Phishing: Spearphishing Link

LinkedIn lure led to malicious fake meeting / help page.

T1059.004Command and Scripting Interpreter: Unix Shell

Victim instructed to run curl | bash style command.

T1543.001Create or Modify System Process: Launch Agent

AUDIOFIX used LaunchAgent persistence on macOS.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "wiz.2026.jinx-0164-audiofix-fake-driver-macos",
  "title": "JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain",
  "description": "IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.",
  "actor_id": "JINX-0164",
  "observed_at": "2026-05-27T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "url",
      "value": "LinkedIn recruiter / business-partner outreach leading to fake meeting lure",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states the actor contacted victims via LinkedIn while impersonating a potential business partner or recruiter.",
        "Wiz states the meeting invite linked to a malicious domain disguised as a legitimate conferencing platform such as Microsoft Teams.",
        "This entity is modeled as the social-engineering entry vector; the exact profile URL is not published by Wiz."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": false
    },
    {
      "id": "e002",
      "type": "url",
      "value": "https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz cites a public case where a victim was directed to a fake help page at this URL after a purported Microsoft Teams interview problem.",
        "Wiz says the page instructed the victim to execute a command that downloaded an AUDIOFIX payload.",
        "The domain bitget-meeting.com and subdomains are listed in Wiz network indicators as meeting spoofing infrastructure."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_defanged_value": "https://learn.bitget-meeting[.]com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac",
      "x_exact_ioc_published": true
    },
    {
      "id": "e003",
      "type": "url",
      "value": "https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz publishes the command that fetches this shell script from apple.driver-update.io.",
        "Wiz lists driver-update.io and apple.driver-update.io as payload delivery infrastructure resolving to 153.92.126.84.",
        "Wiz identifies a dropper hash for Fake audio fix delivered via apple.driver-update.io: 402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_defanged_value": "https://apple.driver-update[.]io/troubleshoot/mac/audio-issue-fix.sh",
      "x_dropper_sha256": "402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c",
      "x_exact_ioc_published": true
    },
    {
      "id": "e004",
      "type": "url",
      "value": "https://apple.driver-store.com/mac/arm/driver/coreaudiod",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz shows an example dropper script that downloads the ARM payload from https://apple.driver-store.com/mac/arm/driver/coreaudiod.",
        "Wiz says the script downloaded an architecture-aware payload from the same domain and that the payload masqueraded as a system audio driver named coreaudiod.",
        "driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_defanged_value": "https://apple.driver-store[.]com/mac/arm/driver/coreaudiod",
      "x_architecture": "arm64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e005",
      "type": "url",
      "value": "https://apple.driver-store.com/mac/intel/driver/coreaudiod",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz shows an example dropper script that downloads the Intel payload from https://apple.driver-store.com/mac/intel/driver/coreaudiod.",
        "Wiz states the payload was compatible with both Intel and Apple Silicon systems.",
        "driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_defanged_value": "https://apple.driver-store[.]com/mac/intel/driver/coreaudiod",
      "x_architecture": "x86_64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e006",
      "type": "hash",
      "value": "65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as AUDIOFIX HTTPS/ARM64 malware.",
        "Wiz describes AUDIOFIX as a compiled Python infostealer and backdoor used by JINX-0164.",
        "Wiz states AUDIOFIX can exfiltrate secrets, execute Python modules and shell commands, and communicate with C2 over HTTPS."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "AUDIOFIX",
      "x_architecture": "arm64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e007",
      "type": "hash",
      "value": "0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as AUDIOFIX HTTPS/x86_64 malware.",
        "Wiz describes AUDIOFIX as a compiled Python information stealer and backdoor.",
        "Wiz states the variant observed in the incident communicated with its C2 over HTTPS."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "AUDIOFIX",
      "x_architecture": "x86_64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e008",
      "type": "file",
      "value": "~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this path as persistence of the Python RAT.",
        "Wiz states AUDIOFIX persistence is established via LaunchAgent with RunAtLoad and KeepAlive flags while masquerading as legitimate applications such as Microsoft Teams.",
        "The entity models host persistence created after payload execution, not external network infrastructure."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e009",
      "type": "domain",
      "value": "datahub.ink",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states both MINIRAT and AUDIOFIX have the same three domains hard-coded for C2, with datahub.ink as the primary.",
        "Wiz lists datahub.ink as a C&C domain resolving to 208.115.220.17 and 185.175.59.85.",
        "Wiz states at publication only the primary C2 domain had been identified resolving."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e010",
      "type": "domain",
      "value": "cloud-sync.online",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists cloud-sync.online as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT.",
        "Wiz lists cloud-sync.online in C&C domains with no resolved IP at publication.",
        "Modeled as C2 because it is embedded in the malware as a fallback C2 server."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e011",
      "type": "domain",
      "value": "byte-io.us",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists byte-io.us as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT.",
        "Wiz lists byte-io.us in C&C domains with no resolved IP at publication.",
        "Modeled as C2 because it is embedded in the malware as a fallback C2 server."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e012",
      "type": "ip",
      "value": "208.115.220.17",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists datahub.ink resolving to 208.115.220.17 in the C&C domain IOC table.",
        "This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e013",
      "type": "ip",
      "value": "185.175.59.85",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists datahub.ink resolving to 185.175.59.85 in the C&C domain IOC table.",
        "This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e014",
      "type": "ip",
      "value": "153.92.126.84",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists driver-update.io and apple.driver-update.io resolving to 153.92.126.84.",
        "This IP is modeled as infrastructure behind the payload-delivery domain used by the published fake audio-fix command."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e015",
      "type": "ip",
      "value": "89.36.224.5",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists driver-store.com and apple.driver-store.com resolving to 89.36.224.5 and 84.32.83.250.",
        "The same IP is also used by the supply-chain installer path in the @velora-dex/sdk operation.",
        "In this chain, the IP is modeled as resolved infrastructure for driver-store.com payload delivery."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e016",
      "type": "ip",
      "value": "84.32.83.250",
      "observed_at": "2026-05-27T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists driver-store.com and apple.driver-store.com resolving to 84.32.83.250.",
        "This IP is modeled as resolved infrastructure for the driver-store.com payload delivery layer."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T010"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [
        "IIM-T010",
        "IIM-T020"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T020"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e004",
      "role": "payload",
      "techniques": [
        "IIM-T020"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "techniques": [
        "IIM-T020"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e006",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e008",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e009",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e014",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e015",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e016",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "references",
      "sequence_order": 1,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz describes LinkedIn outreach followed by a fake meeting / technical-error page."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz publishes the fake help page and command downloading audio-issue-fix.sh from apple.driver-update.io."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "confidence": "confirmed",
      "x_evidence": [
        "The Wiz dropper script downloads the ARM coreaudiod payload from apple.driver-store.com."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "download",
      "sequence_order": 4,
      "confidence": "confirmed",
      "x_evidence": [
        "The Wiz dropper script downloads the Intel coreaudiod payload from apple.driver-store.com."
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "references",
      "sequence_order": 5,
      "confidence": "likely",
      "x_evidence": [
        "Wiz lists the ARM64 AUDIOFIX HTTPS hash; the URL path is the ARM payload path. The exact URL-to-hash mapping is strongly implied but not published as a hash-per-URL table."
      ]
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "references",
      "sequence_order": 6,
      "confidence": "likely",
      "x_evidence": [
        "Wiz lists the x86_64 AUDIOFIX HTTPS hash; the URL path is the Intel payload path. The exact URL-to-hash mapping is strongly implied but not published as a hash-per-URL table."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "drops",
      "sequence_order": 7,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states AUDIOFIX establishes LaunchAgent persistence and lists the Microsoft Teams coreaudiod plist path."
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "drops",
      "sequence_order": 8,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states AUDIOFIX establishes LaunchAgent persistence and lists the Microsoft Teams coreaudiod plist path."
      ]
    },
    {
      "from": "e006",
      "to": "e009",
      "type": "connect",
      "sequence_order": 9,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states AUDIOFIX has datahub.ink, cloud-sync.online and byte-io.us hard-coded as C2 domains."
      ]
    },
    {
      "from": "e006",
      "to": "e010",
      "type": "connect",
      "sequence_order": 10,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states AUDIOFIX uses the same three hard-coded C2 domains."
      ]
    },
    {
      "from": "e006",
      "to": "e011",
      "type": "connect",
      "sequence_order": 11,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states AUDIOFIX uses the same three hard-coded C2 domains."
      ]
    },
    {
      "from": "e009",
      "to": "e012",
      "type": "resolves-to",
      "sequence_order": 12,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists datahub.ink resolving to 208.115.220.17."
      ]
    },
    {
      "from": "e009",
      "to": "e013",
      "type": "resolves-to",
      "sequence_order": 13,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists datahub.ink resolving to 185.175.59.85."
      ]
    },
    {
      "from": "e003",
      "to": "e014",
      "type": "resolves-to",
      "sequence_order": 14,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists driver-update.io / apple.driver-update.io resolving to 153.92.126.84."
      ]
    },
    {
      "from": "e004",
      "to": "e015",
      "type": "resolves-to",
      "sequence_order": 15,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists driver-store.com / apple.driver-store.com resolving to 89.36.224.5."
      ]
    },
    {
      "from": "e004",
      "to": "e016",
      "type": "resolves-to",
      "sequence_order": 16,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists driver-store.com / apple.driver-store.com resolving to 84.32.83.250."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.002",
      "name": "Phishing: Spearphishing Link",
      "tactic": "Initial Access",
      "comment": "LinkedIn lure led to malicious fake meeting / help page."
    },
    {
      "technique_id": "T1059.004",
      "name": "Command and Scripting Interpreter: Unix Shell",
      "tactic": "Execution",
      "comment": "Victim instructed to run curl | bash style command."
    },
    {
      "technique_id": "T1543.001",
      "name": "Create or Modify System Process: Launch Agent",
      "tactic": "Persistence",
      "comment": "AUDIOFIX used LaunchAgent persistence on macOS."
    }
  ],
  "x_publication_date": "2026-05-27",
  "x_source_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
  "x_source_title": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
  "x_modeling_notes": [
    "The exact LinkedIn profile, victim-specific meeting domain for the main case, and any unpublished per-victim URLs are not invented.",
    "URL-to-hash relations for architecture-specific payloads are marked likely where Wiz gives both URL pattern and hashes but not an explicit per-URL hash mapping.",
    "cloud-sync.online and byte-io.us are modeled as C2 domains but have no resolved IP in the Wiz IOC table."
  ]
}