Wiz Research identified an active threat campaign targeting cryptocurrency organizations and software development infrastructure through social engineering, malicious meeting lures, and software supply chain compromise. The campaign used fake business interactions and trojanized software to gain access to developer environments, steal credentials, and establish persistent access to cloud and CI/CD infrastructure.
The attack chain began with social engineering via fake business outreach and meeting invitations, often impersonating legitimate organizations or recruiters. Victims were directed to malicious meeting platforms that delivered malware payloads, including the AUDIODFX information stealer and the MINIRAT backdoor. The malware targeted browser credentials, cryptocurrency wallets, cloud credentials, SSH keys, browser sessions, and development-related secrets.
Wiz Research also observed supply chain activity involving malicious npm packages and attempts to compromise developer workflows and CI/CD environments. The actor used stolen credentials to access GitHub repositories and CI/CD pipelines, including attempts to overwrite GitHub Actions secrets directly from compromised developer endpoints, where the victim's own authenticated tooling was already present. The campaign made extensive use of VPNs and residential proxies, so that access appears to come from ordinary consumer connections rather than operator-controlled infrastructure, which complicates IP-based detection and attribution.
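Two of the behaviours described above, Actions secrets being overwritten from a compromised endpoint and the use of proxy egress that does not match the organisation's normal networks, can be checked for in the GitHub audit log. The script below is an added example written for this write-up; it is not Wiz Research tooling and does not reproduce the actor's code. It reads audit-log events as newline-delimited JSON and flags secret create/update/remove actions whose source address falls outside an allow-list of expected egress ranges, plus any actor who changes several secrets within a short window. The event field names (`action`, `actor`, `actor_ip`, `repo`, `created_at`) and the `*_actions_secret` action names are assumed to match the GitHub audit-log export; verify them against your own export before relying on the logic. The sample events are constructed, not real telemetry.

```python
"""Flag GitHub Actions secret modifications that come from unexpected source
addresses or arrive in bursts.

Added example for this write-up; not Wiz Research tooling. Field names and
action names are assumptions about the GitHub audit-log JSON export.
"""
import ipaddress
import json
from collections import defaultdict

# Audit-log actions that create, rotate or delete Actions secrets, repo- and
# org-scoped. Assumption: these names match your audit-log export.
SECRET_ACTIONS = {
    "repo.create_actions_secret", "repo.update_actions_secret",
    "repo.remove_actions_secret",
    "org.create_actions_secret", "org.update_actions_secret",
    "org.remove_actions_secret",
}

# Constructed sample (not real data): one legitimate rotation from a CI egress
# range, then a burst of overwrites by a developer account from an address
# outside that range, followed by a clone that is not a secret action.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"action": "repo.update_actions_secret", "actor": "ci-bot",
     "actor_ip": "203.0.113.10", "repo": "acme/api", "created_at": 1700000000000},
    {"action": "repo.update_actions_secret", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "acme/api", "created_at": 1700003600000},
    {"action": "repo.update_actions_secret", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "acme/web", "created_at": 1700003620000},
    {"action": "org.update_actions_secret", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": None, "created_at": 1700003640000},
    {"action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "acme/api", "created_at": 1700003700000},
])


def parse_events(ndjson):
    """Parse newline-delimited JSON audit events into a list of dicts."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def flag_secret_changes(events, allowed_cidrs, burst_count=3, burst_window_ms=300_000):
    """Return (off_network, bursts).

    off_network: secret-modifying events whose actor_ip is outside allowed_cidrs
                 (or missing/unparseable, which is itself worth a look).
    bursts:      (actor, total_secret_changes) for each actor who touched at least
                 burst_count secrets within burst_window_ms; a script run from a
                 compromised endpoint tends to rewrite many secrets in seconds.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    secret_events = [e for e in events if e.get("action") in SECRET_ACTIONS]

    off_network = []
    for e in secret_events:
        try:
            addr = ipaddress.ip_address(e.get("actor_ip"))
        except (ValueError, TypeError):
            off_network.append(e)
            continue
        if not any(addr in n for n in nets):
            off_network.append(e)

    # created_at is assumed to be epoch milliseconds, as in the export format.
    by_actor = defaultdict(list)
    for e in secret_events:
        by_actor[e.get("actor")].append(e["created_at"])

    bursts = []
    for actor, times in by_actor.items():
        times.sort()
        # Sliding window over sorted timestamps: any burst_count consecutive
        # changes spanning <= burst_window_ms counts as a burst.
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= burst_window_ms:
                bursts.append((actor, len(times)))
                break
    return off_network, bursts


if __name__ == "__main__":
    off, bursts = flag_secret_changes(parse_events(SAMPLE_EVENTS), ["203.0.113.0/24"])
    for e in off:
        print("off-network secret change:", e["actor"], e["actor_ip"], e["action"], e["repo"])
    for actor, n in bursts:
        print(f"burst: {actor} changed {n} secrets within the window")
```

The allow-list should hold the egress ranges of your CI runners and corporate VPN, not developers' home connections; a residential-proxy source will, by design, look like a home connection, so the burst check carries most of the weight against the behaviour described here. Pair the output with a review of who legitimately rotates secrets and treat any hit as a reason to rotate the affected secrets, not just to investigate.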