Unmasking PHANTOMPULSE: New Obsidian Plugin Attack Threatens Finance and Crypto Sectors


Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance and Crypto Sector Attacks

By Ravie Lakshmanan | April 16, 2026

A novel social engineering campaign has been uncovered that exploits Obsidian, a popular cross-platform note-taking application, as a primary access vector to deliver a previously undocumented Windows remote access trojan (RAT) named PHANTOMPULSE. This sophisticated threat targets individuals primarily within the financial and cryptocurrency industries, raising new concerns about supply chain risks and trusted application abuse.

Overview of the Campaign – Named REF6598

Security researchers from Elastic Security Labs have tracked the adversary group behind this operation under the codename REF6598. Their investigation reveals how attackers use elaborate social engineering tactics conducted via LinkedIn and Telegram to infiltrate both Windows and macOS endpoints.

Initially, threat actors approach prospective victims on LinkedIn, masquerading as representatives of a venture capital firm. Following this, the dialogue transitions to a Telegram group populated with purported business partners discussing financial services and cryptocurrency liquidity solutions. This Telegram group is designed to provide an air of legitimacy to the operation and lower suspicion.

Execution Method Leveraging Obsidian Plugins

Targets are then instructed to open a shared cloud-hosted Obsidian vault—a collaborative dashboard—using credentials supplied by the attackers. The infection sequence begins when victims open this vault within Obsidian and are prompted to enable the “Installed community plugins” sync feature. This crucial step requires the victim’s manual consent as it is disabled by default and cannot be remotely activated by the attacker.

Once the victim enables this sync feature, the attackers exploit Obsidian’s legitimate community plugin ecosystem to execute malicious code. Specifically, they abuse the Shell Commands and Hider plugins:

  • Shell Commands plugin allows silent execution of arbitrary commands triggered by configuration files.
  • Hider plugin conceals user interface elements such as the status bar, scrollbar, and tooltips, helping to disguise the attack’s activities.

According to researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic, “The attackers rely entirely on Obsidian’s intended functionality as a persistence and command execution channel, making traditional antivirus detections ineffective. Because the payload resides entirely within JSON configuration files, it evades signature-based defenses, and execution is handed off by a signed and trusted Electron application.”
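Because the payload lives in plugin JSON settings rather than in a binary, a defender can audit a vault before (or after) plugin sync is enabled. The following script is an added example written for this article, not code from Elastic Security Labs or the Obsidian project. It assumes that `.obsidian/community-plugins.json` is a JSON array of enabled plugin ids and that each plugin stores its settings in `.obsidian/plugins/<id>/data.json`; the plugin ids `obsidian-shellcommands` and `obsidian-hider`, the sample vault layout and the command strings in it are constructed for illustration. The scan walks every string in every enabled plugin's settings, so it does not depend on the exact Shell Commands schema.

```python
"""Audit an Obsidian vault for enabled community plugins whose JSON settings
contain shell-interpreter invocations (added example; see lead-in for assumptions)."""
import json
import os
import re
import tempfile
from typing import Any, Iterator

# Assumption: registry ids of the plugins the article names as abused.
HIGH_RISK_PLUGINS = {"obsidian-shellcommands", "obsidian-hider"}

# Interpreter names and launch options that a note-taking vault has no reason to carry.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd\.exe|osascript|-EncodedCommand|-enc\b|Invoke-Expression"
    r"|\biex\b|curl\s|wget\s|bash -c|base64)",
    re.IGNORECASE,
)


def enabled_plugins(vault_dir: str) -> list:
    """Return the plugin ids listed in community-plugins.json (assumed: a JSON array)."""
    path = os.path.join(vault_dir, ".obsidian", "community-plugins.json")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return [p for p in data if isinstance(p, str)]


def walk_strings(node: Any, path: str = "$") -> Iterator[tuple]:
    """Yield (json_path, string) for every string value anywhere in a JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{idx}]")


def audit_vault(vault_dir: str) -> list:
    """Return a list of finding dicts: high-risk plugins enabled, unreadable settings,
    and settings strings that look like command execution."""
    findings = []
    for plugin in enabled_plugins(vault_dir):
        if plugin in HIGH_RISK_PLUGINS:
            findings.append({"plugin": plugin, "kind": "high_risk_plugin_enabled",
                             "path": None, "value": None})
        settings = os.path.join(vault_dir, ".obsidian", "plugins", plugin, "data.json")
        if not os.path.exists(settings):
            continue
        try:
            with open(settings, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, json.JSONDecodeError):
            findings.append({"plugin": plugin, "kind": "unreadable_settings",
                             "path": settings, "value": None})
            continue
        for json_path, text in walk_strings(data):
            if SUSPICIOUS.search(text):
                findings.append({"plugin": plugin, "kind": "suspicious_command",
                                 "path": json_path, "value": text[:120]})
    return findings


def build_sample_vault() -> str:
    """Create a constructed vault in a temp dir: one benign plugin, one shell plugin with
    hidden-window PowerShell and osascript entries, and the Hider plugin."""
    root = tempfile.mkdtemp(prefix="vault-")
    obs = os.path.join(root, ".obsidian")
    for pid in ("calendar", "obsidian-shellcommands", "obsidian-hider"):
        os.makedirs(os.path.join(obs, "plugins", pid))
    with open(os.path.join(obs, "community-plugins.json"), "w", encoding="utf-8") as fh:
        json.dump(["calendar", "obsidian-shellcommands", "obsidian-hider"], fh)
    # Constructed settings; field names only resemble the plugin's real schema.
    shell_cfg = {"shell_commands": [
        {"id": "a1", "platform_specific_commands": {"default": "echo hello"}},
        {"id": "b2", "platform_specific_commands": {
            "win32": "powershell -w hidden -EncodedCommand <constructed-placeholder>",
            "darwin": "osascript -e '<constructed-placeholder>'"},
         "events": {"after-obsidian-starts": {"enabled": True}}},
    ]}
    configs = {"obsidian-shellcommands": shell_cfg,
               "obsidian-hider": {"hideStatus": True, "hideScroll": True},
               "calendar": {"weekStart": "monday"}}
    for pid, cfg in configs.items():
        with open(os.path.join(obs, "plugins", pid, "data.json"), "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
    return root


if __name__ == "__main__":
    for finding in audit_vault(build_sample_vault()):
        print(finding)
```

Run against a real vault by passing its root directory to `audit_vault`. A `high_risk_plugin_enabled` finding alone is worth a look; a `suspicious_command` finding on a vault that arrived from an outside party is the pattern the article describes.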

Technical Details of the PHANTOMPULSE RAT

Windows Execution

On Windows machines, the Shell Commands plugin triggers a PowerShell script that deploys an intermediate loader—dubbed PHANTOMPULL. This loader decrypts and launches the PHANTOMPULSE RAT directly in memory, allowing it to operate stealthily without leaving typical artifacts on disk.

PHANTOMPULSE is notable for its use of artificial intelligence (AI) techniques and its innovative command-and-control (C2) infrastructure, which leverages the Ethereum blockchain. The malware extracts its C2 server address by querying the latest transaction associated with a hard-coded Ethereum wallet address. Using WinHTTP for communications, it supports a broad range of remote management features, including:

  • Injecting shellcode, DLLs, or executables into processes
  • Dropping and executing files on the infected system
  • Capturing and uploading screenshots
  • Logging keystrokes with start and stop commands
  • Uninstalling itself and cleaning up persistence mechanisms
  • Escalating privileges to SYSTEM using COM elevation monikers
  • Downgrading privileges from SYSTEM to an elevated administrator level when needed

macOS Execution

For macOS targets, the attack utilizes an obfuscated AppleScript dropper delivered via the Shell Commands plugin. This dropper attempts to contact a hard-coded list of domains and falls back to using Telegram as a “dead drop” resolver for C2. This method allows dynamic and stealthy rotation of C2 infrastructure, which thwarts simple domain blocking defenses.

The script’s final stage downloads and executes a secondary payload via the osascript interpreter. Researchers have not been able to fully analyze this payload because the C2 servers are currently offline; in the observed case, the attack was detected and blocked before it achieved full compromise.

Significance and Security Implications

Elastic Security Labs emphasized the creativity of this threat actor’s approach, highlighting the risks of abusing trusted software features rather than exploiting traditional software vulnerabilities. Abusing Obsidian’s community plugin ecosystem enables attackers to bypass conventional endpoint protections with relative ease, relying on manual social engineering to cross security boundaries.

This campaign demonstrates how criminal groups continue to evolve, targeting high-value sectors like finance and cryptocurrency by combining sophisticated social engineering with innovative technical methods. It underscores the necessity for robust security awareness training, vigilant monitoring of plugin use within enterprise applications, and enhanced detection capabilities that focus on application behavior rather than just signature-based defenses.

Recommendations for Users and Organizations

  • Exercise caution when interacting with unsolicited invitations on professional platforms such as LinkedIn.
  • Avoid enabling unverified community plugins or synchronization features in trusted productivity applications.
  • Deploy endpoint detection solutions that can analyze parent and child process relationships, especially for Electron-based apps.
  • Enforce policies restricting the use of third-party plugins in critical business software unless thoroughly vetted.
  • Maintain updated incident response procedures to rapidly neutralize threats abusing unconventional attack vectors.
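The parent/child process recommendation above can be expressed as a concrete rule: an interpreter (PowerShell, cmd, osascript, a shell) whose ancestry includes the Obsidian Electron process. The script below is an added example, not Elastic's detection content; the process events are constructed JSON lines with hypothetical hostnames and pids, and the field names (`host`, `pid`, `ppid`, `name`, `cmdline`) are an assumed normalized schema rather than any particular EDR's format. It generalizes beyond the article's Windows case by walking the lineage for both Windows and macOS samples and rates hidden-window or encoded PowerShell higher.

```python
"""Flag interpreters spawned under the Obsidian Electron process, from process-creation
events (added example; schema and sample events are constructed)."""
import json
import re

# Process names of the trusted Electron host on Windows and macOS (lower-cased).
ELECTRON_HOSTS = {"obsidian.exe", "obsidian"}
# Interpreters that a note-taking app should not normally launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "osascript", "bash", "sh", "zsh"}
# Launch options that suggest an attempt to avoid the user noticing the command.
EVASION = re.compile(r"(-w(indowstyle)?\s+hidden|-EncodedCommand|-enc\b|-NoProfile|-nop\b)",
                     re.IGNORECASE)

# Constructed sample: a hidden PowerShell under Obsidian's renderer, a benign scheduled
# PowerShell under explorer, and an osascript under Obsidian on a Mac.
SAMPLE_EVENTS = r"""
{"host": "ws-fin-01", "pid": 1, "ppid": 0, "name": "explorer.exe", "cmdline": "explorer.exe"}
{"host": "ws-fin-01", "pid": 10, "ppid": 1, "name": "Obsidian.exe", "cmdline": "C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe"}
{"host": "ws-fin-01", "pid": 12, "ppid": 10, "name": "Obsidian.exe", "cmdline": "C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe --type=renderer"}
{"host": "ws-fin-01", "pid": 20, "ppid": 12, "name": "powershell.exe", "cmdline": "powershell.exe -w hidden -EncodedCommand <constructed-placeholder>"}
{"host": "ws-fin-01", "pid": 30, "ppid": 1, "name": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"host": "mac-fin-02", "pid": 1, "ppid": 0, "name": "launchd", "cmdline": "/sbin/launchd"}
{"host": "mac-fin-02", "pid": 40, "ppid": 1, "name": "Obsidian", "cmdline": "/Applications/Obsidian.app/Contents/MacOS/Obsidian"}
{"host": "mac-fin-02", "pid": 41, "ppid": 40, "name": "osascript", "cmdline": "osascript -e <constructed-placeholder>"}
"""


def parse_events(text: str) -> dict:
    """Index JSON-lines process events by (host, pid)."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[(ev["host"], ev["pid"])] = ev
    return events


def lineage(events: dict, key: tuple, max_depth: int = 8) -> list:
    """Return the event chain from the process at `key` up towards the root,
    stopping at unknown parents, cycles (pid reuse) or max_depth."""
    chain, seen = [], set()
    while key in events and key not in seen and len(chain) < max_depth:
        seen.add(key)
        ev = events[key]
        chain.append(ev)
        key = (ev["host"], ev["ppid"])
    return chain


def detect(events: dict) -> list:
    """Alert on every interpreter whose ancestors include an Obsidian process."""
    alerts = []
    for key, ev in events.items():
        if ev["name"].lower() not in INTERPRETERS:
            continue
        chain = lineage(events, key)
        if not any(a["name"].lower() in ELECTRON_HOSTS for a in chain[1:]):
            continue  # interpreter launched elsewhere, e.g. by the shell or a scheduled task
        severity = "high" if EVASION.search(ev["cmdline"]) else "medium"
        alerts.append({
            "host": ev["host"],
            "pid": ev["pid"],
            "severity": severity,
            "chain": " -> ".join(a["name"] for a in reversed(chain)),
            "cmdline": ev["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Walking the full ancestry rather than checking only the immediate parent matters because Electron launches the command from a renderer or utility child, so the direct parent is a second `Obsidian.exe`, and a parent-only rule that keys on the main process would miss it.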


