TL;DR
Researchers have identified a social engineering campaign targeting finance and crypto professionals that uses Obsidian shared vaults to deploy a new RAT called PHANTOMPULSE. The attack leverages malicious plugins and blockchain-based C2, making detection and takedown difficult.
Cybersecurity researchers have confirmed a targeted social engineering campaign that exploits the Obsidian note-taking app to deploy a previously undocumented remote access trojan, PHANTOMPULSE, affecting users in the financial and cryptocurrency sectors.
The attack involves threat actors posing as venture capitalists on LinkedIn and Telegram, engaging targets in private conversations before inviting them to collaborate via a shared Obsidian vault hosted in the cloud. Once the victim opens the shared vault, they are prompted to enable community plugins, and the attackers exploit that step to execute malicious code.
Enabling these plugins allows the attacker to run scripts that drop a loader called PHANTOMPULL, which decrypts and launches the PHANTOMPULSE RAT directly into memory, avoiding traditional file-based detection. The malware then uses a novel command-and-control mechanism, querying the Ethereum blockchain for instructions through a hard-coded wallet address, making its C2 infrastructure decentralized and resistant to disruption.
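A defender-side check for the plugin step described above, added here as an example and not part of the researchers' findings or any published tooling: it reads which community plugins an Obsidian vault has enabled and scores each plugin's code against heuristics for the traits the article names (process spawning, runtime code evaluation, Ethereum JSON-RPC lookups against a hard-coded wallet address). The `.obsidian/community-plugins.json` and `.obsidian/plugins/<id>/main.js` paths are Obsidian's standard vault layout; the indicator patterns, weights and the two sample plugins are constructed assumptions for this example, not indicators from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristics for the tradecraft described above. Labels, patterns and weights are
# this example's own choices, not published indicators from the campaign.
INDICATORS = [
    ("spawns processes", re.compile(r"child_process|\bspawn\s*\(|\bexecSync\s*\("), 3),
    ("runtime code eval", re.compile(r"\beval\s*\(|new\s+Function\s*\("), 2),
    ("ethereum json-rpc", re.compile(r"\beth_(?:call|getBalance|getTransaction\w*|getLogs)\b"), 3),
    ("hard-coded eth address", re.compile(r"\b0x[0-9a-fA-F]{40}\b"), 2),
]

def score_plugin_source(src):
    """Return (weighted score, matched labels) for one plugin's main.js text."""
    hits = [(label, w) for label, rx, w in INDICATORS if rx.search(src)]
    return sum(w for _, w in hits), [label for label, _ in hits]

def audit_vault(vault, threshold=5):
    """Score every enabled community plugin; a plugin with no main.js scores 0."""
    obsidian = Path(vault) / ".obsidian"
    cfg = obsidian / "community-plugins.json"  # Obsidian's list of enabled plugin ids
    findings = {}
    for pid in json.loads(cfg.read_text(encoding="utf-8")) if cfg.is_file() else []:
        main_js = obsidian / "plugins" / pid / "main.js"
        src = main_js.read_text(encoding="utf-8", errors="replace") if main_js.is_file() else ""
        score, labels = score_plugin_source(src)
        findings[pid] = {"score": score, "labels": labels, "suspicious": score >= threshold}
    return findings

def build_sample_vault(root):
    """Write a constructed two-plugin vault under root (indicator strings only, not real malware)."""
    plugins = {
        "daily-notes-helper": 'module.exports = { onload() { this.addCommand({ id: "today" }); } };\n',
        "vc-deal-sync": ('const { spawn } = require("child_process");\n'
                         'const addr = "0x' + "ab" * 20 + '";\n'
                         'fetch(rpc, { body: JSON.stringify({ method: "eth_getLogs", params: [addr] }) });\n'),
    }
    for pid, src in plugins.items():
        d = Path(root) / ".obsidian" / "plugins" / pid
        d.mkdir(parents=True, exist_ok=True)
        (d / "main.js").write_text(src, encoding="utf-8")
    (Path(root) / ".obsidian" / "community-plugins.json").write_text(json.dumps(list(plugins)), encoding="utf-8")
    return root

def run_sample_audit():
    """Build the constructed vault in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(tmp))
```

Point `audit_vault` at a real vault directory to list every enabled plugin with its score; a high score is a prompt for manual review of that plugin's `main.js`, not proof of compromise.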
Why It Matters
This campaign demonstrates a high level of sophistication, combining social engineering with blockchain-based C2 infrastructure. The malware’s capabilities include keystroke capture, screenshots, file exfiltration, and remote command execution, posing a significant risk to high-value targets in the finance and crypto industries. The use of legitimate application features and decentralized C2 makes detection and mitigation more challenging, raising concerns about the security of collaboration tools in professional environments.
Background
Obsidian, a popular note-taking application, has a vibrant community of third-party plugins, some of which require user approval for installation. Recent security incidents have shown that attackers are exploiting this ecosystem through social engineering to deliver malware. The specific campaign identified as REF6598 is notable for its focus on high-value sectors and its use of sophisticated techniques, including blockchain-based command-and-control, which is uncommon in typical malware campaigns.
“This campaign illustrates how legitimate productivity tools can be weaponized through social engineering and malicious plugins, especially when targeting high-value sectors like finance and crypto.”
— Cybersecurity researcher
“Users should exercise caution when enabling community plugins and verify their sources before installation.”
— Obsidian security team
What Remains Unclear
It is not yet confirmed how widespread the campaign is or whether additional malware variants are in development. Details about the full scope of affected users and the exact methods used to craft the malicious shared vaults remain under investigation. The effectiveness of current detection methods against blockchain-based C2 communication is also still being evaluated.
What’s Next
Security vendors are expected to release detection signatures and mitigation guidelines. Researchers will continue monitoring for similar campaigns and analyze the malware’s infrastructure to identify potential takedown opportunities. Users and organizations are advised to review their security policies regarding third-party plugins and shared collaboration tools.
Key Questions
How does the PHANTOMPULSE RAT infect systems?
The infection occurs when a victim opens a malicious shared Obsidian vault, enables community plugins, and unwittingly executes malicious scripts that drop and run the RAT in memory.
What makes PHANTOMPULSE difficult to detect?
It uses in-memory execution, avoids file-based detection, and employs blockchain queries for command-and-control, making traditional antivirus and network defenses less effective.
Who is at risk from this campaign?
Professionals in finance and cryptocurrency sectors who use Obsidian and engage in collaboration via shared vaults are primary targets.
What precautions can users take?
Users should avoid enabling community plugins from untrusted sources, disable auto-sync for unknown vaults, and follow best practices for application security and user training.
Will this campaign continue or evolve?
While the specific campaign is ongoing, experts expect threat actors may adapt similar techniques, making vigilance and updated defenses essential.