TL;DR

A targeted social engineering campaign has exploited the Obsidian note-taking app to deploy a sophisticated new RAT called PHANTOMPULSE. Attackers use shared vaults and malicious plugins to infect Windows and macOS systems, with C2 communications leveraging the Ethereum blockchain.

Security researchers have confirmed that a social engineering campaign is actively using the Obsidian note-taking application to deploy a previously undocumented remote access trojan named PHANTOMPULSE, targeting individuals in finance and cryptocurrency sectors on Windows and macOS.

The campaign involves attackers posing as venture capitalists on platforms like LinkedIn and Telegram, engaging targets in private conversations before inviting them to collaborate via a shared, cloud-hosted Obsidian vault. Victims are manipulated into enabling community plugins within Obsidian, which triggers malicious scripts that ultimately deploy PHANTOMPULSE.

Once activated, the RAT can perform keystroke logging, screen captures, file exfiltration, and remote command execution. Notably, PHANTOMPULSE uses the Ethereum blockchain to dynamically resolve its command-and-control (C2) server addresses, making it difficult to disrupt or take down.

Why It Matters

This development demonstrates a high level of sophistication in malware deployment, combining social engineering with advanced persistence techniques. The use of blockchain for C2 communication complicates traditional detection and takedown efforts, posing a significant threat to high-value targets in finance and crypto sectors.

Background

The campaign, identified as REF6598, is part of a broader trend of threat actors leveraging legitimate productivity tools for malicious purposes. Prior to this, Obsidian was considered relatively secure and primarily used for note-taking and knowledge management. This incident marks a shift towards exploiting popular third-party plugins and social engineering to bypass security measures.

“The use of blockchain for command-and-control makes PHANTOMPULSE highly resilient against traditional takedown tactics.”

— Cybersecurity researcher

“Users should exercise caution when enabling community plugins, especially from untrusted sources.”

— Obsidian security team

What Remains Unclear

It remains unclear how widespread the campaign is, whether additional variants of PHANTOMPULSE exist, and what specific defenses will be most effective against future iterations. Details about the full scope of affected victims are still emerging.

What’s Next

Security firms and Obsidian developers are expected to release guidance on detecting and preventing such attacks. Organizations should review their plugin policies, implement user training, and monitor network activity for blockchain-related C2 signals. Further technical analysis of PHANTOMPULSE is anticipated to inform defense strategies.

Key Questions

How does the attack infect systems through Obsidian?

The attack relies on social engineering to persuade victims to enable malicious community plugins within shared Obsidian vaults, which then execute scripts that deploy the RAT.

What makes PHANTOMPULSE difficult to detect?

It decrypts and runs its payload directly in memory, and uses blockchain transactions to resolve its C2 address, avoiding traditional network detection methods.

Who is most at risk from this campaign?

Professionals in finance, cryptocurrency, and related sectors who use Obsidian for collaboration are the primary targets, especially those who have already been approached through the social engineering schemes described above.

What can users do to protect themselves?

Users should avoid enabling community plugins from untrusted sources, disable auto-sync on unknown vaults, and follow best practices for endpoint security and user training.
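A defender-side check for the plugin vector covered in the two answers above (an added example, not code from the original article or from Obsidian): it inventories every community plugin a vault carries, reports which ones are switched on, and hashes each plugin's main.js so the digest can be compared with the plugin's published release. The `.obsidian/` file layout is Obsidian's own on-disk convention; the plugin names and file contents written by `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def audit_vault(vault: Path) -> list[dict]:
    """List every community plugin in an Obsidian vault, enabled or merely present.
    Assumed layout (Obsidian's convention): .obsidian/community-plugins.json is a JSON
    array of enabled plugin ids; .obsidian/plugins/<id>/ holds manifest.json and main.js.
    Unlisted plugin directories are reported too: a synced vault can stage code early."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = set(json.loads(enabled_file.read_text())) if enabled_file.is_file() else set()
    plugins_dir = cfg / "plugins"
    ids = set(enabled)
    if plugins_dir.is_dir():
        ids |= {p.name for p in plugins_dir.iterdir() if p.is_dir()}
    findings = []
    for pid in sorted(ids):
        pdir, manifest = plugins_dir / pid, {}
        if (pdir / "manifest.json").is_file():
            try:
                manifest = json.loads((pdir / "manifest.json").read_text())
            except ValueError:  # a malformed manifest is itself worth a look
                manifest = {"parse_error": True}
        main_js = pdir / "main.js"
        findings.append({
            "id": pid,
            "enabled": pid in enabled,
            # digest lets an analyst compare against the plugin's published release
            "sha256": hashlib.sha256(main_js.read_bytes()).hexdigest() if main_js.is_file() else None,
            "author": manifest.get("author"),
            "parse_error": manifest.get("parse_error", False),
        })
    return findings

def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo() -> list[dict]:
    """Audit a constructed sample vault (not a real artefact from the campaign)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pl = root / ".obsidian" / "plugins"
        _write(pl / "shared-notes-sync" / "manifest.json", '{"id": "shared-notes-sync", "author": "unknown"}')
        _write(pl / "shared-notes-sync" / "main.js", "// constructed placeholder, not malware\n")
        _write(pl / "dormant-helper" / "main.js", "// present in the vault but not enabled\n")
        _write(root / ".obsidian" / "community-plugins.json", '["shared-notes-sync"]')
        return audit_vault(root)
```

Point `audit_vault` at a vault that arrived through a shared-vault invitation before enabling anything in it; a plugin with no manifest, an unparseable manifest, or a main.js digest that does not match its published release is the thing to look at first.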