Obsidian Plugin Exploited to Deploy PHANTOMPULSE RAT
Original: Obsidian plugin was abused to deploy a remote access trojan
Why This Matters
Novel attack vector exploiting trusted productivity tools with blockchain-based C2 infrastructure
Security researchers discovered a campaign, tracked as REF6598, targeting finance and crypto professionals via malicious Obsidian note-taking app plugins. Attackers use LinkedIn and Telegram to build trust, then trick victims into enabling community plugins that deploy the PHANTOMPULSE RAT with Ethereum blockchain C2 infrastructure.
Threat actors conduct a sophisticated social engineering campaign, posing as venture capitalists on LinkedIn and Telegram to target financial and cryptocurrency professionals. The attack involves sharing a malicious Obsidian vault that tricks users into enabling the 'Installed community plugins' feature. This activates compromised Shell Commands and Hider plugins that execute PowerShell scripts on Windows or AppleScript on macOS. The PHANTOMPULL loader then deploys the PHANTOMPULSE RAT directly into memory. The malware uses a novel C2 mechanism: it queries Ethereum blockchain transactions from a hardcoded wallet address to obtain the command server's IP address, making takedowns difficult. PHANTOMPULSE can capture keystrokes, take screenshots, exfiltrate files and execute commands, potentially compromising sensitive trading data and corporate information.
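As an added defender-side example (not from the original report or the researchers' tooling), the script below triages a received vault for the two things the chain above depends on: a command-capable community plugin already enabled, and plugin settings that reference PowerShell or AppleScript. It assumes Obsidian's `.obsidian/community-plugins.json` and `.obsidian/plugins/<id>/data.json` locations, and a Shell Commands settings layout (a `shell_commands` list of objects with a `shell_command` string) that is an assumption for this demo; the sample vault it builds is constructed, not real indicators.

```python
"""Triage a shared Obsidian vault for auto-executing community plugins.

Constructed example, not the researchers' tooling. Obsidian lists enabled
community plugins in .obsidian/community-plugins.json and stores each
plugin's settings in .obsidian/plugins/<id>/data.json. The Shell Commands
data.json layout used below is an assumption for this demo.
"""
import json
import re
import tempfile
from pathlib import Path

# Plugin ids that can run arbitrary OS commands once enabled.
COMMAND_PLUGINS = {"obsidian-shellcommands": "Shell Commands"}
# Interpreters the described campaign abuses on Windows and macOS.
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|osascript)\b", re.I)


def audit_vault(vault: Path) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: list[str] = []
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    if not enabled_file.is_file():
        return findings  # no community plugins enabled in this vault
    for plugin_id in json.loads(enabled_file.read_text()):
        if plugin_id in COMMAND_PLUGINS:
            findings.append(f"enabled command-capable plugin: {plugin_id}")
        data = cfg / "plugins" / plugin_id / "data.json"
        if data.is_file():  # settings shipped inside the vault itself
            for hit in INTERPRETER_RE.finditer(data.read_text(errors="ignore")):
                findings.append(f"{plugin_id}: settings reference {hit.group(0)}")
    return findings


def make_sample_vault(root: Path) -> Path:
    """Build a constructed vault resembling the lure (placeholder command only)."""
    cfg = root / ".obsidian"
    sc = cfg / "plugins" / "obsidian-shellcommands"
    sc.mkdir(parents=True)
    # "hider" is an assumed id for the Hider plugin named in the report.
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "hider"]))
    (sc / "data.json").write_text(json.dumps({"shell_commands": [
        {"shell_command": "powershell -File PLACEHOLDER.ps1"}]}))
    return root


def demo() -> list[str]:
    """Create the sample vault in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(make_sample_vault(Path(tmp) / "vault"))
```

Run `demo()` to see the two findings a shared vault like this would produce; a clean vault with no `community-plugins.json` yields an empty list.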