
Obsidian plugin was abused to deploy a remote access trojan

Why This Matters

This attack highlights the evolving threat landscape where legitimate productivity tools like Obsidian are exploited to deliver sophisticated malware such as the PHANTOMPULSE RAT. It underscores the importance for both consumers and the tech industry to enhance security awareness and implement stricter controls over third-party plugins to prevent such social engineering attacks. As cybercriminals leverage trusted platforms and blockchain technology for resilience, proactive security measures are more critical than ever.

Key Takeaways

Executive Summary

Security researchers have identified a highly targeted social engineering campaign (REF6598) that weaponizes the Obsidian note-taking application to deliver a previously undocumented Remote Access Trojan (RAT) named PHANTOMPULSE. The campaign targets individuals in the financial and cryptocurrency sectors on both Windows and macOS. Attackers use platforms like LinkedIn and Telegram to build trust before luring victims into a malicious shared Obsidian vault. The attack chain relies on tricking the user into enabling a community plugin, which then executes code to deploy the RAT. PHANTOMPULSE demonstrates advanced capabilities, including using the Ethereum blockchain to dynamically resolve its command-and-control (C2) server address, making it highly resilient to takedowns.

Threat Overview

The attack, designated REF6598, is a multi-stage social engineering effort. Threat actors pose as venture capitalists and engage with targets on professional networking sites before moving the conversation to a private Telegram group. The primary lure is an invitation to collaborate via a shared, cloud-hosted Obsidian vault.

Once the victim opens the shared vault, the infection is triggered by social engineering. The victim is prompted to enable the "Installed community plugins" synchronization feature. This seemingly innocuous action, which requires manual user approval, is the key to the compromise. It enables malicious versions of legitimate Obsidian plugins ('Shell Commands' and 'Hider') that are present in the shared vault.

Technical Analysis

The attack chain differs slightly between Windows and macOS but follows the same general principle:

1. Initial Access (T1566.002): The attacker uses social engineering on LinkedIn/Telegram to convince the target to open a malicious shared Obsidian vault.

2. Execution (T1204.002): The user is manipulated into enabling community plugins within Obsidian. This action executes a malicious script via the compromised 'Shell Commands' plugin.

3. Staging: On Windows, a PowerShell script is executed. This script drops a loader known as PHANTOMPULL. On macOS, a similar process occurs using AppleScript.

4. Payload Delivery: The PHANTOMPULL loader decrypts and launches the final payload, the PHANTOMPULSE RAT, directly into memory to evade file-based detection (T1055).

5. Command and Control (T1102.002): PHANTOMPULSE uses a novel C2 mechanism. It queries the Ethereum blockchain for the latest transaction from a hard-coded wallet address. The C2 server's IP address is embedded within this transaction data, providing a decentralized and censorship-resistant way for the malware to receive instructions.

Once active, PHANTOMPULSE can capture keystrokes, take screenshots, exfiltrate files, and execute arbitrary commands.
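As an added defensive illustration that is not part of the original article: a small Python audit that inspects the community plugins shipped inside a shared vault for process-execution capability before any of them is enabled, which is the step the campaign depends on. It assumes the standard Obsidian vault layout (`.obsidian/community-plugins.json` listing enabled plugin ids and `.obsidian/plugins/<id>/main.js` holding plugin code), which the article does not state, and the vault it builds is constructed sample data, not an artifact from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators that a plugin's main.js can spawn OS processes. The article describes
# the abused plugin running a PowerShell script (Windows) or AppleScript (macOS).
PROCESS_EXEC_PATTERNS = [
    r"require\(['\"]child_process['\"]\)",
    r"\b(exec|execSync|spawn|spawnSync)\(",
    r"powershell(\.exe)?\b",
    r"\bosascript\b",
]


def audit_vault(vault_dir):
    """Return findings for every community plugin in the vault whose code
    matches a process-execution indicator, noting whether it is already enabled.
    Assumed layout: .obsidian/community-plugins.json and .obsidian/plugins/<id>/main.js."""
    cfg = Path(vault_dir) / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = set(json.loads(enabled_file.read_text())) if enabled_file.is_file() else set()
    findings = []
    plugins_dir = cfg / "plugins"
    if not plugins_dir.is_dir():
        return findings
    for plugin_dir in sorted(plugins_dir.iterdir()):
        main_js = plugin_dir / "main.js"
        if not main_js.is_file():
            continue
        code = main_js.read_text(errors="replace")
        hits = [p for p in PROCESS_EXEC_PATTERNS if re.search(p, code, re.IGNORECASE)]
        if hits:
            findings.append({"plugin": plugin_dir.name,
                             "enabled": plugin_dir.name in enabled,
                             "indicators": hits})
    return findings


def make_sample_vault():
    """Build a constructed sample vault: one harmless plugin and one that shells out."""
    root = Path(tempfile.mkdtemp())
    plugins = root / ".obsidian" / "plugins"
    (plugins / "benign-theme-helper").mkdir(parents=True)
    (plugins / "benign-theme-helper" / "main.js").write_text(
        "module.exports = class extends Plugin { onload() { this.addRibbonIcon('dice', 'x', () => {}); } }")
    (plugins / "shell-runner").mkdir(parents=True)
    (plugins / "shell-runner" / "main.js").write_text(
        "const cp = require('child_process');\ncp.exec('powershell -Command Get-Date');\n")
    (root / ".obsidian" / "community-plugins.json").write_text(json.dumps(["shell-runner"]))
    return root
```

Running `audit_vault(make_sample_vault())` reports only `shell-runner`, flagged as already enabled in the shared config with three matching indicators; a real vault received from an untrusted party should be audited this way before the "Installed community plugins" sync is approved.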

Impact Assessment
