TL;DR

A targeted social engineering campaign has exploited the Obsidian note-taking app to deploy a new, sophisticated RAT called PHANTOMPULSE. Attackers use shared vaults and malicious plugins to infect Windows and macOS systems, with C2 communications leveraging the Ethereum blockchain.

Security researchers have confirmed that a social engineering campaign is actively using the Obsidian note-taking application to deploy a previously undocumented remote access trojan named PHANTOMPULSE, targeting individuals in finance and cryptocurrency sectors on Windows and macOS.

The campaign involves attackers posing as venture capitalists on platforms like LinkedIn and Telegram, engaging targets in private conversations before inviting them to collaborate via a shared, cloud-hosted Obsidian vault. Victims are manipulated into enabling community plugins within Obsidian, which triggers malicious scripts that ultimately deploy PHANTOMPULSE.

Once activated, the RAT can perform keystroke logging, screen captures, file exfiltration, and remote command execution. Notably, PHANTOMPULSE uses the Ethereum blockchain to dynamically resolve its command-and-control (C2) server addresses, making it difficult to disrupt or take down.

Why It Matters

This development demonstrates a high level of sophistication in malware deployment, combining social engineering with advanced persistence techniques. The use of blockchain for C2 communication complicates traditional detection and takedown efforts, posing a significant threat to high-value targets in finance and crypto sectors.


Background

The campaign, identified as REF6598, is part of a broader trend of threat actors leveraging legitimate productivity tools for malicious purposes. Prior to this, Obsidian was considered relatively secure and primarily used for note-taking and knowledge management. This incident marks a shift towards exploiting popular third-party plugins and social engineering to bypass security measures.

“The use of blockchain for command-and-control makes PHANTOMPULSE highly resilient against traditional takedown tactics.”

— Cybersecurity researcher

“Users should exercise caution when enabling community plugins, especially from untrusted sources.”

— Obsidian security team


What Remains Unclear

It remains unclear how widespread the campaign is, whether additional variants of PHANTOMPULSE exist, and what specific defenses will be most effective against future iterations. Details about the full scope of affected victims are still emerging.


What’s Next

Security firms and Obsidian developers are expected to release guidance on detecting and preventing such attacks. Organizations should review their plugin policies, implement user training, and monitor network activity for blockchain-related C2 signals. Further technical analysis of PHANTOMPULSE is anticipated to inform defense strategies.


Key Questions

How does the attack infect systems through Obsidian?

The attack relies on social engineering to persuade victims to enable malicious community plugins within shared Obsidian vaults, which then execute scripts that deploy the RAT.

What makes PHANTOMPULSE difficult to detect?

It decrypts and runs its payload directly in memory, and uses blockchain transactions to resolve its C2 address, avoiding traditional network detection methods.

Who is most at risk from this campaign?

Professionals in finance, cryptocurrency, and related sectors who use Obsidian for collaboration are primary targets, especially once they have been drawn into the social engineering approaches described above.

What can users do to protect themselves?

Users should avoid enabling community plugins from untrusted sources, disable auto-sync on unknown vaults, and follow best practices for endpoint security and user training.
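A defender-side check that follows from the advice above, added here as an example and not taken from the article or from Obsidian: it audits a vault's enabled community plugins against an organisation's allowlist and flags plugin folders whose manifest does not match. The `.obsidian/community-plugins.json` and `.obsidian/plugins/<id>/` layout is Obsidian's documented config folder structure (an assumption of this example, not something the article states); the sample vault and plugin ids are constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed vault layout (Obsidian's documented config folder, not from the article):
#   <vault>/.obsidian/community-plugins.json  -> JSON list of enabled plugin ids
#   <vault>/.obsidian/plugins/<id>/manifest.json and main.js -> installed plugin code


def audit_vault(vault: Path, allowlist: set[str]) -> dict:
    """Return enabled/installed community plugins plus policy findings for one vault."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = set(json.loads(enabled_file.read_text())) if enabled_file.exists() else set()
    plugins_dir = cfg / "plugins"
    dirs = [d for d in plugins_dir.iterdir() if d.is_dir()] if plugins_dir.is_dir() else []
    installed = {}
    for d in sorted(dirs):
        manifest = d / "manifest.json"
        meta = json.loads(manifest.read_text()) if manifest.exists() else {}
        installed[d.name] = {"id": meta.get("id"), "has_code": (d / "main.js").exists()}
    findings = []
    for pid in sorted(enabled):
        if pid not in allowlist:
            findings.append(f"enabled but not on allowlist: {pid}")
        if pid not in installed:
            findings.append(f"enabled but no plugin folder yet (sync may deliver it): {pid}")
    for pid, info in installed.items():
        if info["id"] is None:
            findings.append(f"plugin folder without manifest.json: {pid}")
        elif info["id"] != pid:
            findings.append(f"manifest id {info['id']!r} does not match folder {pid!r}")
        if info["has_code"] and pid not in enabled and pid not in allowlist:
            findings.append(f"unapproved plugin code staged but not enabled: {pid}")
    return {"enabled": sorted(enabled), "installed": sorted(installed), "findings": findings}


def build_sample_vault(root: Path) -> Path:
    """Constructed sample vault: one approved plugin, one unknown plugin, one bad manifest."""
    cfg = root / "shared-vault" / ".obsidian"
    for pid, manifest in [("calendar", {"id": "calendar"}),
                          ("deal-notes-sync", {"id": "deal-notes-sync"}),
                          ("helper", {"id": "something-else"})]:
        (cfg / "plugins" / pid).mkdir(parents=True)
        (cfg / "plugins" / pid / "manifest.json").write_text(json.dumps(manifest))
        (cfg / "plugins" / pid / "main.js").write_text("// placeholder plugin code\n")
    (cfg / "community-plugins.json").write_text(json.dumps(["calendar", "deal-notes-sync"]))
    return root / "shared-vault"


def run_demo(allowlist=frozenset({"calendar"})) -> dict:
    """Build the constructed vault in a temp dir and audit it against the allowlist."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(Path(tmp)), set(allowlist))


if __name__ == "__main__":
    for line in run_demo()["findings"]:
        print(line)
```

Run against a real vault, `audit_vault(Path("/path/to/vault"), allowlist)` lists anything enabled or staged outside the approved set before the vault is opened with community plugins turned on.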
