Unmasking the PHANTOMPULSE RAT: How Obsidian Plugin Abuse is Targeting Finance and Crypto Industries

Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance and Cryptocurrency Attacks

April 16, 2026 — by Ravie Lakshmanan

A newly uncovered cyber threat campaign is exploiting Obsidian, a popular cross-platform note-taking application, as a novel initial access vector to distribute a previously undocumented Windows remote access trojan (RAT) named PHANTOMPULSE. The attacks specifically target individuals working within the financial and cryptocurrency sectors using sophisticated social engineering tactics.

The REF6598 Campaign: Social Engineering Through LinkedIn and Telegram

Elastic Security Labs, which has designated this activity as REF6598, reports that threat actors initiate contact on the professional social network LinkedIn posing as representatives of a venture capital firm. After establishing communication, they steer victims to a Telegram group chat that includes several purported partners. This Telegram environment is carefully fashioned to appear credible, with discussions revolving around financial services and cryptocurrency liquidity solutions.

In a critical step of the attack, targets are asked to use Obsidian to open what seems to be a shared dashboard by connecting to a cloud-hosted vault using credentials supplied by the attackers. However, it is this very vault that triggers the infection sequence.

Exploiting Obsidian’s Community Plugin Ecosystem

When victims open the malicious vault in Obsidian, they are prompted to enable synchronization of “Installed community plugins,” a feature that is off by default and must be manually activated. Enabling this option allows the execution of malicious code embedded within the vault’s configuration.

Researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic explain that the threat actors abuse legitimate Obsidian plugins—specifically the Shell Commands and Hider plugins—to execute arbitrary code silently. The Shell Commands plugin facilitates the execution of system commands, while the Hider plugin hides Obsidian user interface elements such as the status bar and tooltips to conceal the attack’s traces.

The malware configuration resides entirely in JSON files, which gives traditional antivirus solutions little to detect. Moreover, because code execution is launched from Obsidian’s signed, trusted Electron process, monitoring parent-child process relationships becomes crucial for detection.
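Because the campaign's logic lives in the vault's plugin configuration rather than in an executable, a defender can triage a suspicious vault by reading those JSON files. The following Python script is an added example, not code from the article or from Elastic Security Labs; it assumes Obsidian's layout of `.obsidian/community-plugins.json` (enabled plugin ids) and `.obsidian/plugins/<id>/data.json` (per-plugin settings), and the plugin ids `obsidian-shellcommands` and `obsidian-hider` are assumed from the plugins' public repositories.

```python
import json
import re
import tempfile
from pathlib import Path

# Plugin ids are assumed from the plugins' public repositories (not stated in the article).
WATCHED = {"obsidian-shellcommands": "Shell Commands", "obsidian-hider": "Hider"}
# Constructed heuristic: setting values that look like a shell/script launch.
LAUNCH = re.compile(r"(powershell|pwsh|cmd\.exe|osascript|curl |wget |bash |sh )", re.I)


def _strings(node):
    """Yield every string value in a JSON document, whatever its schema."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)


def scan_vault(vault: Path) -> list:
    """Return findings for one vault; an empty list means nothing was flagged."""
    findings = []
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"  # assumed: Obsidian's list of enabled plugin ids
    if not enabled_file.is_file():
        return findings
    enabled = json.loads(enabled_file.read_text())
    for plugin_id in enabled:
        if plugin_id in WATCHED:
            findings.append(f"watched plugin enabled: {WATCHED[plugin_id]} ({plugin_id})")
        data = cfg / "plugins" / plugin_id / "data.json"  # assumed: per-plugin settings file
        if data.is_file():
            for s in _strings(json.loads(data.read_text())):
                if LAUNCH.search(s):
                    findings.append(f"{plugin_id}: launch-like setting value: {s[:80]}")
    if all(p in enabled for p in WATCHED):
        findings.append("Shell Commands and Hider both enabled (combination described for REF6598)")
    return findings


def build_sample_vault() -> Path:
    """Write a constructed (not real) vault to a temp dir so the scanner can be exercised."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / ".obsidian" / "plugins" / "obsidian-shellcommands"
    plugin_dir.mkdir(parents=True)
    (root / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider"]))
    (plugin_dir / "data.json").write_text(
        json.dumps({"shell_commands": [{"shell_command": "powershell -Command PLACEHOLDER"}]}))
    return root
```

Run `scan_vault(build_sample_vault())` to see the four findings the constructed vault produces; point it at a real vault path to triage one received from an untrusted party.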

PHANTOMPULSE on Windows and macOS: Dual Execution Paths

On Windows, once the victim enables community plugin sync, shell commands trigger a PowerShell script that deploys an intermediate loader named PHANTOMPULL. This loader decrypts and executes PHANTOMPULSE entirely in memory, avoiding detection mechanisms based on files on disk.
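The detection signal on this path is a shell or script interpreter whose direct parent is Obsidian's signed process. The following Python detection logic is an added example, not code from the article or from Elastic Security Labs; the event shape is modelled on Sysmon Event ID 1 fields, the Obsidian image names are assumptions, and the events are constructed rather than real telemetry.

```python
# Assumed process image names for Obsidian on Windows and macOS (not stated in the article).
OBSIDIAN_IMAGES = {"obsidian.exe", "obsidian"}
# Interpreters whose appearance under an Obsidian parent is worth an alert.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "osascript", "sh", "bash", "zsh"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a shell or script interpreter has Obsidian as its direct parent."""
    return (_basename(event.get("ParentImage", "")) in OBSIDIAN_IMAGES
            and _basename(event.get("Image", "")) in INTERPRETERS)


def triage(events: list) -> list:
    """Return the matching events with a short 'reason' string added for the analyst."""
    hits = []
    for e in events:
        if is_suspicious(e):
            hits.append({**e, "reason": f"{_basename(e['ParentImage'])} -> {_basename(e['Image'])}"})
    return hits


# Constructed process-creation events in a Sysmon Event ID 1-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "CommandLine": "powershell.exe -Command PLACEHOLDER"},
    {"Image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Obsidian.exe"},
    {"Image": "/usr/bin/osascript",
     "ParentImage": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "CommandLine": "osascript -e PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["reason"], "|", hit["CommandLine"])
```

Only the two events with Obsidian as the parent are returned; the Obsidian launch from Explorer and the unrelated cmd.exe are left alone, which is the baseline noise level a rule like this should tolerate.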

PHANTOMPULSE functions as an AI-generated backdoor that uses the Ethereum blockchain in a unique command-and-control (C2) methodology. The malware determines its C2 server address by fetching the latest blockchain transaction tied to a hardcoded Ethereum wallet address. Communication with the C2 server occurs via WinHTTP, enabling a range of remote capabilities including:

  • Injecting shellcode, DLLs, or executable files into processes
  • Dropping and executing files
  • Capturing and uploading screenshots
  • Logging keystrokes
  • Uninstalling itself and removing persistence
  • Escalating privileges to SYSTEM or admin levels through COM elevation monikers

On macOS, the infection vector leverages the Shell Commands plugin to deliver an obfuscated AppleScript dropper. This dropper attempts to contact a list of hardcoded domains and uses Telegram as a fallback communication channel to dynamically resolve its C2 infrastructure. This method allows attackers to rotate their C2 servers easily, hampering domain-based blocking efforts.

Subsequently, a second-stage payload is downloaded and executed via the macOS scripting engine (osascript). While the specifics of this payload remain unknown due to the temporary offline status of the C2 servers, the attack was ultimately detected and stopped before any further compromise.

Conclusions and Implications

REF6598 exemplifies how threat actors are innovating access methods by abusing trusted applications’ legitimate features rather than relying on software vulnerabilities. By manipulating Obsidian’s community plugin system, attackers bypass traditional security controls and execute harmful payloads seamlessly under the cover of normal application behavior.

Elastic Security Labs emphasized the sophistication of the campaign: “The attackers rely on social engineering to persuade victims to enable community plugin sync, but once crossed, this boundary allows for persistent and stealthy command execution originating from a trusted, signed application.”

The attack highlights the pressing need for vigilance regarding social engineering threats and the risks associated with enabling third-party plugins in trusted software environments, particularly where sensitive financial or cryptocurrency data is involved.
