wiz.2026.jinx-0164-audiofix-fake-driver-macos
JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain
IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsurl
LinkedIn recruiter / business-partner outreach leading to fake meeting lure
url
https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac
url
https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh
url
https://apple.driver-store.com/mac/arm/driver/coreaudiod
url
https://apple.driver-store.com/mac/intel/driver/coreaudiod
hash
65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6
hash
0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21
file
~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist
domain
datahub.ink
domain
cloud-sync.online
domain
byte-io.us
ip
208.115.220.17
ip
185.175.59.85
ip
153.92.126.84
ip
89.36.224.5
ip
84.32.83.250
Relations
directed infrastructure edgese001referencese002
confirmed
e002downloade003
confirmed
e003downloade004
confirmed
e003downloade005
confirmed
e004referencese006
likely
e005referencese007
likely
e006dropse008
confirmed
e007dropse008
confirmed
e006connecte009
confirmed
e006connecte010
confirmed
e006connecte011
confirmed
e009resolves-toe012
confirmed
e009resolves-toe013
confirmed
e003resolves-toe014
confirmed
e004resolves-toe015
confirmed
e004resolves-toe016
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
url | LinkedIn recruiter / business-partner outreach leading to fake meeting lure |
Wiz states the actor contacted victims via LinkedIn while impersonating a potential business partner or recruiter. Wiz states the meeting invite linked to a malicious domain disguised as a legitimate conferencing platform such as Microsoft Teams. This entity is modeled as the social-engineering entry vector; the exact profile URL is not published by Wiz. |
e002 |
url | https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac |
Wiz cites a public case where a victim was directed to a fake help page at this URL after a purported Microsoft Teams interview problem. Wiz says the page instructed the victim to execute a command that downloaded an AUDIOFIX payload. The domain bitget-meeting.com and subdomains are listed in Wiz network indicators as meeting spoofing infrastructure. |
e003 |
url | https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh |
Wiz publishes the command that fetches this shell script from apple.driver-update.io. Wiz lists driver-update.io and apple.driver-update.io as payload delivery infrastructure resolving to 153.92.126.84. Wiz identifies a dropper hash for Fake audio fix delivered via apple.driver-update.io: 402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c. |
e004 |
url | https://apple.driver-store.com/mac/arm/driver/coreaudiod |
Wiz shows an example dropper script that downloads the ARM payload from https://apple.driver-store.com/mac/arm/driver/coreaudiod. Wiz says the script downloaded an architecture-aware payload from the same domain and that the payload masqueraded as a system audio driver named coreaudiod. driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250. |
e005 |
url | https://apple.driver-store.com/mac/intel/driver/coreaudiod |
Wiz shows an example dropper script that downloads the Intel payload from https://apple.driver-store.com/mac/intel/driver/coreaudiod. Wiz states the payload was compatible with both Intel and Apple Silicon systems. driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250. |
e006 |
hash | 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6 |
Wiz lists this SHA-256 as AUDIOFIX HTTPS/ARM64 malware. Wiz describes AUDIOFIX as a compiled Python infostealer and backdoor used by JINX-0164. Wiz states AUDIOFIX can exfiltrate secrets, execute Python modules and shell commands, and communicate with C2 over HTTPS. |
e007 |
hash | 0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21 |
Wiz lists this SHA-256 as AUDIOFIX HTTPS/x86_64 malware. Wiz describes AUDIOFIX as a compiled Python information stealer and backdoor. Wiz states the variant observed in the incident communicated with its C2 over HTTPS. |
e008 |
file | ~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist |
Wiz lists this path as persistence of the Python RAT. Wiz states AUDIOFIX persistence is established via LaunchAgent with RunAtLoad and KeepAlive flags while masquerading as legitimate applications such as Microsoft Teams. The entity models host persistence created after payload execution, not external network infrastructure. |
e009 |
domain | datahub.ink |
Wiz states both MINIRAT and AUDIOFIX have the same three domains hard-coded for C2, with datahub.ink as the primary. Wiz lists datahub.ink as a C&C domain resolving to 208.115.220.17 and 185.175.59.85. Wiz states at publication only the primary C2 domain had been identified resolving. |
e010 |
domain | cloud-sync.online |
Wiz lists cloud-sync.online as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT. Wiz lists cloud-sync.online in C&C domains with no resolved IP at publication. Modeled as C2 because it is embedded in the malware as a fallback C2 server. |
e011 |
domain | byte-io.us |
Wiz lists byte-io.us as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT. Wiz lists byte-io.us in C&C domains with no resolved IP at publication. Modeled as C2 because it is embedded in the malware as a fallback C2 server. |
e012 |
ip | 208.115.220.17 |
Wiz lists datahub.ink resolving to 208.115.220.17 in the C&C domain IOC table. This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report. |
e013 |
ip | 185.175.59.85 |
Wiz lists datahub.ink resolving to 185.175.59.85 in the C&C domain IOC table. This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report. |
e014 |
ip | 153.92.126.84 |
Wiz lists driver-update.io and apple.driver-update.io resolving to 153.92.126.84. This IP is modeled as infrastructure behind the payload-delivery domain used by the published fake audio-fix command. |
e015 |
ip | 89.36.224.5 |
Wiz lists driver-store.com and apple.driver-store.com resolving to 89.36.224.5 and 84.32.83.250. The same IP is also used by the supply-chain installer path in the @velora-dex/sdk operation. In this chain, the IP is modeled as resolved infrastructure for driver-store.com payload delivery. |
e016 |
ip | 84.32.83.250 |
Wiz lists driver-store.com and apple.driver-store.com resolving to 84.32.83.250. This IP is modeled as resolved infrastructure for the driver-store.com payload delivery layer. |
ATT&CK annotations
optional complementary mappingLinkedIn lure led to malicious fake meeting / help page.
Victim instructed to run curl | bash style command.
AUDIOFIX used LaunchAgent persistence on macOS.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "wiz.2026.jinx-0164-audiofix-fake-driver-macos",
"title": "JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain",
"description": "IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.",
"actor_id": "JINX-0164",
"observed_at": "2026-05-27T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"entities": [
{
"id": "e001",
"type": "url",
"value": "LinkedIn recruiter / business-partner outreach leading to fake meeting lure",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz states the actor contacted victims via LinkedIn while impersonating a potential business partner or recruiter.",
"Wiz states the meeting invite linked to a malicious domain disguised as a legitimate conferencing platform such as Microsoft Teams.",
"This entity is modeled as the social-engineering entry vector; the exact profile URL is not published by Wiz."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": false
},
{
"id": "e002",
"type": "url",
"value": "https://learn.bitget-meeting.com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz cites a public case where a victim was directed to a fake help page at this URL after a purported Microsoft Teams interview problem.",
"Wiz says the page instructed the victim to execute a command that downloaded an AUDIOFIX payload.",
"The domain bitget-meeting.com and subdomains are listed in Wiz network indicators as meeting spoofing infrastructure."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_defanged_value": "https://learn.bitget-meeting[.]com/en-us/troubleshoot/microsoftteams/teams-on-mac/teams-audio-issue-mac",
"x_exact_ioc_published": true
},
{
"id": "e003",
"type": "url",
"value": "https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz publishes the command that fetches this shell script from apple.driver-update.io.",
"Wiz lists driver-update.io and apple.driver-update.io as payload delivery infrastructure resolving to 153.92.126.84.",
"Wiz identifies a dropper hash for Fake audio fix delivered via apple.driver-update.io: 402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_defanged_value": "https://apple.driver-update[.]io/troubleshoot/mac/audio-issue-fix.sh",
"x_dropper_sha256": "402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c",
"x_exact_ioc_published": true
},
{
"id": "e004",
"type": "url",
"value": "https://apple.driver-store.com/mac/arm/driver/coreaudiod",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz shows an example dropper script that downloads the ARM payload from https://apple.driver-store.com/mac/arm/driver/coreaudiod.",
"Wiz says the script downloaded an architecture-aware payload from the same domain and that the payload masqueraded as a system audio driver named coreaudiod.",
"driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_defanged_value": "https://apple.driver-store[.]com/mac/arm/driver/coreaudiod",
"x_architecture": "arm64",
"x_exact_ioc_published": true
},
{
"id": "e005",
"type": "url",
"value": "https://apple.driver-store.com/mac/intel/driver/coreaudiod",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz shows an example dropper script that downloads the Intel payload from https://apple.driver-store.com/mac/intel/driver/coreaudiod.",
"Wiz states the payload was compatible with both Intel and Apple Silicon systems.",
"driver-store.com and apple.driver-store.com are listed as payload delivery domains resolving to 89.36.224.5 and 84.32.83.250."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_defanged_value": "https://apple.driver-store[.]com/mac/intel/driver/coreaudiod",
"x_architecture": "x86_64",
"x_exact_ioc_published": true
},
{
"id": "e006",
"type": "hash",
"value": "65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this SHA-256 as AUDIOFIX HTTPS/ARM64 malware.",
"Wiz describes AUDIOFIX as a compiled Python infostealer and backdoor used by JINX-0164.",
"Wiz states AUDIOFIX can exfiltrate secrets, execute Python modules and shell commands, and communicate with C2 over HTTPS."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_malware_family": "AUDIOFIX",
"x_architecture": "arm64",
"x_exact_ioc_published": true
},
{
"id": "e007",
"type": "hash",
"value": "0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this SHA-256 as AUDIOFIX HTTPS/x86_64 malware.",
"Wiz describes AUDIOFIX as a compiled Python information stealer and backdoor.",
"Wiz states the variant observed in the incident communicated with its C2 over HTTPS."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_malware_family": "AUDIOFIX",
"x_architecture": "x86_64",
"x_exact_ioc_published": true
},
{
"id": "e008",
"type": "file",
"value": "~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this path as persistence of the Python RAT.",
"Wiz states AUDIOFIX persistence is established via LaunchAgent with RunAtLoad and KeepAlive flags while masquerading as legitimate applications such as Microsoft Teams.",
"The entity models host persistence created after payload execution, not external network infrastructure."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e009",
"type": "domain",
"value": "datahub.ink",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz states both MINIRAT and AUDIOFIX have the same three domains hard-coded for C2, with datahub.ink as the primary.",
"Wiz lists datahub.ink as a C&C domain resolving to 208.115.220.17 and 185.175.59.85.",
"Wiz states at publication only the primary C2 domain had been identified resolving."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e010",
"type": "domain",
"value": "cloud-sync.online",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists cloud-sync.online as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT.",
"Wiz lists cloud-sync.online in C&C domains with no resolved IP at publication.",
"Modeled as C2 because it is embedded in the malware as a fallback C2 server."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e011",
"type": "domain",
"value": "byte-io.us",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists byte-io.us as one of the three hard-coded C2 fallback domains in AUDIOFIX and MINIRAT.",
"Wiz lists byte-io.us in C&C domains with no resolved IP at publication.",
"Modeled as C2 because it is embedded in the malware as a fallback C2 server."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e012",
"type": "ip",
"value": "208.115.220.17",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists datahub.ink resolving to 208.115.220.17 in the C&C domain IOC table.",
"This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e013",
"type": "ip",
"value": "185.175.59.85",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists datahub.ink resolving to 185.175.59.85 in the C&C domain IOC table.",
"This IP is modeled only as a resolved target for the primary C2 domain, not independently attributed beyond the report."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e014",
"type": "ip",
"value": "153.92.126.84",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists driver-update.io and apple.driver-update.io resolving to 153.92.126.84.",
"This IP is modeled as infrastructure behind the payload-delivery domain used by the published fake audio-fix command."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e015",
"type": "ip",
"value": "89.36.224.5",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists driver-store.com and apple.driver-store.com resolving to 89.36.224.5 and 84.32.83.250.",
"The same IP is also used by the supply-chain installer path in the @velora-dex/sdk operation.",
"In this chain, the IP is modeled as resolved infrastructure for driver-store.com payload delivery."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e016",
"type": "ip",
"value": "84.32.83.250",
"observed_at": "2026-05-27T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists driver-store.com and apple.driver-store.com resolving to 84.32.83.250.",
"This IP is modeled as resolved infrastructure for the driver-store.com payload delivery layer."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [
"IIM-T010"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e002",
"role": "entry",
"techniques": [
"IIM-T010",
"IIM-T020"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e003",
"role": "staging",
"techniques": [
"IIM-T020"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e004",
"role": "payload",
"techniques": [
"IIM-T020"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e005",
"role": "payload",
"techniques": [
"IIM-T020"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e006",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e007",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e008",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e009",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e010",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e011",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e012",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e013",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e014",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e015",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e016",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "references",
"sequence_order": 1,
"confidence": "confirmed",
"x_evidence": [
"Wiz describes LinkedIn outreach followed by a fake meeting / technical-error page."
]
},
{
"from": "e002",
"to": "e003",
"type": "download",
"sequence_order": 2,
"confidence": "confirmed",
"x_evidence": [
"Wiz publishes the fake help page and command downloading audio-issue-fix.sh from apple.driver-update.io."
]
},
{
"from": "e003",
"to": "e004",
"type": "download",
"sequence_order": 3,
"confidence": "confirmed",
"x_evidence": [
"The Wiz dropper script downloads the ARM coreaudiod payload from apple.driver-store.com."
]
},
{
"from": "e003",
"to": "e005",
"type": "download",
"sequence_order": 4,
"confidence": "confirmed",
"x_evidence": [
"The Wiz dropper script downloads the Intel coreaudiod payload from apple.driver-store.com."
]
},
{
"from": "e004",
"to": "e006",
"type": "references",
"sequence_order": 5,
"confidence": "likely",
"x_evidence": [
"Wiz lists the ARM64 AUDIOFIX HTTPS hash; the URL path is the ARM payload path. The exact URL-to-hash mapping is strongly implied but not published as a hash-per-URL table."
]
},
{
"from": "e005",
"to": "e007",
"type": "references",
"sequence_order": 6,
"confidence": "likely",
"x_evidence": [
"Wiz lists the x86_64 AUDIOFIX HTTPS hash; the URL path is the Intel payload path. The exact URL-to-hash mapping is strongly implied but not published as a hash-per-URL table."
]
},
{
"from": "e006",
"to": "e008",
"type": "drops",
"sequence_order": 7,
"confidence": "confirmed",
"x_evidence": [
"Wiz states AUDIOFIX establishes LaunchAgent persistence and lists the Microsoft Teams coreaudiod plist path."
]
},
{
"from": "e007",
"to": "e008",
"type": "drops",
"sequence_order": 8,
"confidence": "confirmed",
"x_evidence": [
"Wiz states AUDIOFIX establishes LaunchAgent persistence and lists the Microsoft Teams coreaudiod plist path."
]
},
{
"from": "e006",
"to": "e009",
"type": "connect",
"sequence_order": 9,
"confidence": "confirmed",
"x_evidence": [
"Wiz states AUDIOFIX has datahub.ink, cloud-sync.online and byte-io.us hard-coded as C2 domains."
]
},
{
"from": "e006",
"to": "e010",
"type": "connect",
"sequence_order": 10,
"confidence": "confirmed",
"x_evidence": [
"Wiz states AUDIOFIX uses the same three hard-coded C2 domains."
]
},
{
"from": "e006",
"to": "e011",
"type": "connect",
"sequence_order": 11,
"confidence": "confirmed",
"x_evidence": [
"Wiz states AUDIOFIX uses the same three hard-coded C2 domains."
]
},
{
"from": "e009",
"to": "e012",
"type": "resolves-to",
"sequence_order": 12,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists datahub.ink resolving to 208.115.220.17."
]
},
{
"from": "e009",
"to": "e013",
"type": "resolves-to",
"sequence_order": 13,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists datahub.ink resolving to 185.175.59.85."
]
},
{
"from": "e003",
"to": "e014",
"type": "resolves-to",
"sequence_order": 14,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists driver-update.io / apple.driver-update.io resolving to 153.92.126.84."
]
},
{
"from": "e004",
"to": "e015",
"type": "resolves-to",
"sequence_order": 15,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists driver-store.com / apple.driver-store.com resolving to 89.36.224.5."
]
},
{
"from": "e004",
"to": "e016",
"type": "resolves-to",
"sequence_order": 16,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists driver-store.com / apple.driver-store.com resolving to 84.32.83.250."
]
}
],
"attack_annotations": [
{
"technique_id": "T1566.002",
"name": "Phishing: Spearphishing Link",
"tactic": "Initial Access",
"comment": "LinkedIn lure led to malicious fake meeting / help page."
},
{
"technique_id": "T1059.004",
"name": "Command and Scripting Interpreter: Unix Shell",
"tactic": "Execution",
"comment": "Victim instructed to run curl | bash style command."
},
{
"technique_id": "T1543.001",
"name": "Create or Modify System Process: Launch Agent",
"tactic": "Persistence",
"comment": "AUDIOFIX used LaunchAgent persistence on macOS."
}
],
"x_publication_date": "2026-05-27",
"x_source_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_source_title": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"x_modeling_notes": [
"The exact LinkedIn profile, victim-specific meeting domain for the main case, and any unpublished per-victim URLs are not invented.",
"URL-to-hash relations for architecture-specific payloads are marked likely where Wiz gives both URL pattern and hashes but not an explicit per-URL hash mapping.",
"cloud-sync.online and byte-io.us are modeled as C2 domains but have no resolved IP in the Wiz IOC table."
]
}