
Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks

Published:

16 April 2026 at 11:02:00

Alert date:

16 April 2026 at 12:01:34

Source:

thehackernews.com


Enterprise Applications, Ransomware & Malware, Data Breach & Exfiltration

A novel social engineering campaign, tracked as REF6598 by Elastic Security Labs, has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector. The campaign delivers a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks aimed specifically at individuals in the financial and cryptocurrency sectors. It illustrates a new technique: turning the extensibility of a legitimate productivity application into a malware delivery channel.

Technical details

The REF6598 campaign uses social engineering over LinkedIn and Telegram to persuade targets to open a malicious, cloud-hosted vault in the Obsidian note-taking app. The attack abuses two plugins from Obsidian's community plugin ecosystem, Shell Commands and Hider. On Windows, a PowerShell script drops the PHANTOMPULL loader, which decrypts and launches the PHANTOMPULSE RAT in memory. PHANTOMPULSE is an AI-generated backdoor that resolves its C2 through the Ethereum blockchain, reading transactions associated with a hard-coded wallet address. On macOS, an obfuscated AppleScript dropper works through a list of domains and falls back to Telegram as its C2 resolver. The malware supports commands for shellcode injection, file dropping, screenshots, keylogging, privilege escalation, and cleanup of its traces on the system.
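The delivery step hinges on the vault carrying an enabled community plugin that can run OS commands. The following audit script is an added example, not code from the article or from Elastic Security Labs: it walks a vault's .obsidian directory, reports the enabled plugins the advisory names, and flags any plugin setting that looks like a command line. It assumes Obsidian's real on-disk layout (enabled plugin IDs in .obsidian/community-plugins.json, per-plugin settings in .obsidian/plugins/<id>/data.json) and that "obsidian-shellcommands" is the Shell Commands plugin ID; "hider" is an assumed ID for the Hider plugin, and the key names inside the Shell Commands data.json are not relied on, every string in the file is scanned. The sample vault it builds is constructed for the demonstration.

```python
"""Audit an Obsidian vault for community plugins that can run OS commands.

Added example; not code from the article or from Elastic Security Labs.
Assumptions: enabled community plugin IDs live in .obsidian/community-plugins.json
and each plugin's settings in .obsidian/plugins/<plugin-id>/data.json (Obsidian's
real layout); "obsidian-shellcommands" is the Shell Commands plugin, "hider" is an
ASSUMED ID for the Hider plugin; the exact keys the Shell Commands plugin uses in
data.json are not relied on, every string value is scanned. Sample vault is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Plugins the advisory names as abused (IDs as assumed above).
WATCHED_PLUGINS = {
    "obsidian-shellcommands": "Shell Commands: runs arbitrary OS commands from the vault",
    "hider": "Hider: hides UI elements, can conceal plugin activity from the user",
}

# Interpreters, download primitives and encoding tricks that have no business
# in note-taking plugin settings.
SUSPICIOUS = re.compile(
    r"\b(powershell|pwsh|osascript|curl|wget|iwr|Invoke-WebRequest|"
    r"EncodedCommand|FromBase64String|mshta|certutil)\b|cmd\.exe|bash\s+-c",
    re.IGNORECASE,
)


def iter_strings(obj):
    """Yield every string value nested anywhere in a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def audit_vault(vault_dir):
    """Return a list of findings (strings) for one vault directory."""
    vault = Path(vault_dir)
    findings = []

    enabled_file = vault / ".obsidian" / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.is_file() else []
    for plugin_id in enabled:
        if plugin_id in WATCHED_PLUGINS:
            findings.append(f"enabled plugin {plugin_id}: {WATCHED_PLUGINS[plugin_id]}")

    # Path.glob on a missing plugins directory simply yields nothing.
    for data_file in sorted((vault / ".obsidian" / "plugins").glob("*/data.json")):
        try:
            settings = json.loads(data_file.read_text())
        except (OSError, ValueError):
            continue
        for text in iter_strings(settings):
            if SUSPICIOUS.search(text):
                findings.append(f"plugin {data_file.parent.name}: command-like setting {text!r}")
    return findings


def build_sample_vault():
    """Construct a throwaway vault that mimics the abused configuration (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    cfg = root / ".obsidian"
    for plugin_id in ("obsidian-shellcommands", "hider", "calendar"):
        (cfg / "plugins" / plugin_id).mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "hider", "calendar"]))
    # Illustrative key names, not the plugin's real schema; the scanner does not depend on them.
    (cfg / "plugins" / "obsidian-shellcommands" / "data.json").write_text(json.dumps({
        "shell_commands": [{
            "alias": "Sync vault",
            "shell_command": "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File .\\sync.ps1",
        }]
    }))
    (cfg / "plugins" / "hider" / "data.json").write_text(json.dumps({"hideStatusBar": True}))
    (cfg / "plugins" / "calendar" / "data.json").write_text(json.dumps({"weekStart": "monday"}))
    (root / "Welcome.md").write_text("# Notes\n")
    return root


if __name__ == "__main__":
    for line in audit_vault(build_sample_vault()):
        print(line)
```

Run it against a real vault with audit_vault("/path/to/vault"); a benign plugin such as the constructed "calendar" entry produces no finding, while an enabled Shell Commands plugin is reported twice, once for being enabled and once for each command-like setting it carries.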

Mitigation steps:

Monitor for Obsidian vault-sharing requests, especially from unknown contacts on LinkedIn or Telegram.
Build detections around the parent process: execution is handed off by the signed Electron application, so a shell or script interpreter spawned by Obsidian is the signal, not the Obsidian binary itself.
Treat requests to enable the 'Installed community plugins' sync option in Obsidian with suspicion, since that option propagates a vault's installed plugins to the local client.
Monitor for unusual PowerShell script execution and for Ethereum blockchain queries used for C2 resolution.
Monitor network traffic for WinHTTP-based communications and, on macOS, for suspicious AppleScript execution.

Affected products:

Obsidian note-taking application
Shell Commands plugin
Hider plugin
Windows systems
macOS systems

Related links:

Related CVEs:

Related threat actors:

IOCs:

0xc117688c530b660e15085bF3A2B664117d8672aA (hard-coded Ethereum wallet address used for C2 resolution)
0x4ad9923ede3ba2dab91cd37a733c01a08d91caaa4a867b77a3597acb28d40c31 (32-byte hex value)
PHANTOMPULSE RAT
PHANTOMPULL loader

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
