# Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT

Novel Campaign Abuses Obsidian Note-Taking App to Target Finance and Crypto Professionals with PHANTOMPULSE RAT

Published 2026-04-16 | Article type: Analysis | Severity: high | Categories: Malware, Threat Actor, Phishing | Reading time: 5 minutes

**Summary:** A targeted social engineering campaign, tracked as REF6598, is going after finance and cryptocurrency professionals by abusing the popular note-taking app Obsidian. Attackers lure victims into a shared cloud vault and talk them into enabling the community plugins bundled with it. That single approval runs a payload that deploys a new, cross-platform Remote Access Trojan (RAT) called PHANTOMPULSE. The malware resolves its command-and-control (C2) address from the Ethereum blockchain, which leaves defenders no domain or server to take down.

## Executive Summary
Security researchers have identified a highly targeted social engineering campaign (REF6598) that weaponizes the **[Obsidian](https://obsidian.md/)** note-taking application to deliver a previously undocumented Remote Access Trojan (RAT) named **PHANTOMPULSE**. The campaign targets individuals in the financial and cryptocurrency sectors on both Windows and macOS. Attackers use platforms like LinkedIn and Telegram to build trust before luring victims into a malicious shared Obsidian vault. The attack chain relies on tricking the user into enabling the community plugins shipped inside that vault, which then execute code to deploy the RAT. **PHANTOMPULSE** reads its C2 server address out of the Ethereum blockchain, so there is no domain, hosting account or registrar whose takedown would sever the channel.

---

## Threat Overview
The attack, designated REF6598, is a multi-stage social engineering effort. Threat actors pose as venture capitalists and engage with targets on professional networking sites before moving the conversation to a private Telegram group. The primary lure is an invitation to collaborate via a shared, cloud-hosted **[Obsidian](https://obsidian.md/)** vault.

Opening the shared vault does not by itself run anything. The infection is triggered by a second act of social engineering: the victim is prompted to enable the "Installed community plugins" synchronization feature, which Obsidian only activates after explicit user approval. That approval is the whole compromise. It enables the plugins bundled in the shared vault, which are tampered copies of two legitimate **[Obsidian](https://obsidian.md/)** community plugins, 'Shell Commands' and 'Hider'.

## Technical Analysis
The attack chain differs slightly between Windows and macOS but follows the same general principle:

1.  **Initial Access ([`T1566.002`](https://attack.mitre.org/techniques/T1566/002/)):** The attacker uses social engineering on LinkedIn/Telegram to convince the target to open a malicious shared **[Obsidian](https://obsidian.md/)** vault.
2.  **Execution ([`T1204.002`](https://attack.mitre.org/techniques/T1204/002/)):** The user is manipulated into enabling community plugins within Obsidian. The tampered 'Shell Commands' plugin then runs a script from inside the Obsidian process ([`T1059.001`](https://attack.mitre.org/techniques/T1059/001/) on Windows).
3.  **Staging:** On Windows, that PowerShell script drops a loader known as **PHANTOMPULL**. On macOS, an AppleScript run through `osascript` plays the same role.
4.  **Payload Delivery:** The **PHANTOMPULL** loader decrypts the final payload, the **PHANTOMPULSE** RAT, and launches it directly in memory, so no RAT binary is written to disk for file-based scanners to catch ([`T1055`](https://attack.mitre.org/techniques/T1055/)).
5.  **Command and Control ([`T1102.002`](https://attack.mitre.org/techniques/T1102/002/)):** **PHANTOMPULSE** uses a novel C2 mechanism. It queries the Ethereum blockchain for the latest transaction sent from a hard-coded wallet address and extracts the C2 server's IP address from that transaction's data. Every Ethereum node and block explorer serves the same chain data, and only the holder of the wallet's private key can publish a new transaction from it, so the operators can rotate C2 servers at will without owning any infrastructure that a takedown request could reach.

Once active, **PHANTOMPULSE** can capture keystrokes, take screenshots, exfiltrate files, and execute arbitrary commands.

## Impact Assessment
A successful compromise gives the attacker full access to the victim's machine under the victim's account. For professionals in finance and crypto, this could lead to the theft of sensitive corporate data, intellectual property, trading strategies, and, most critically, cryptocurrency wallet keys and exchange credentials. The cross-platform nature of the attack broadens its potential victim pool. The blockchain-based C2 makes the threat infrastructure difficult to disrupt: blocking one explorer or sinkholing one IP only forces the malware to read the next transaction.

## Cyber Observables for Detection
| Type | Value | Description | Where to look |
|---|---|---|---|
| process_name | `Obsidian.exe` | Obsidian spawning child processes such as `powershell.exe`, `cmd.exe` or `osascript` (on macOS the parent is the `Obsidian` binary inside `Obsidian.app`). Obsidian has no legitimate reason to launch a shell, so this is a high-confidence signal. | EDR process-creation telemetry, Windows Event ID 4688 |
| command_line_pattern | `powershell -ExecutionPolicy Bypass` | Suspicious PowerShell invocation. The flag alone is common in admin tooling; the signal is the flag combined with a non-standard parent such as Obsidian. | EDR, Windows Event ID 4688 with command-line logging enabled |
| network_traffic_pattern | Outbound connections to Ethereum nodes or explorer APIs such as `api.etherscan.io` | Could indicate PHANTOMPULSE resolving its C2 address. Medium confidence on these users' machines: legitimate wallet and trading software also talks to these services, so key the alert on the originating process. | DNS logs, web proxy logs, NetFlow |
| file_path | `[Vault]/.obsidian/plugins/` | Creation or modification of files in the vault's plugin directory, especially `main.js`, when the change did not come from the official plugin catalog. | File Integrity Monitoring (FIM) |

## Detection & Response
1.  **Process Monitoring (D3-PA: Process Analysis):** Implement EDR rules to detect and alert when the **[Obsidian](https://obsidian.md/)** process spawns command-line interpreters (`powershell.exe`, `cmd.exe`, `bash`, `osascript`). This is highly anomalous behavior.
2.  **User Training:** Educate users, especially those in high-risk industries, about the dangers of social engineering and the specific tactic of abusing collaboration tool features like shared vaults and plugins.
3.  **Application Control (D3-EAL: Executable Allowlisting):** The plugin itself is JavaScript loaded inside Obsidian's Electron process, which application control cannot see; what it can govern is the interpreter the plugin spawns. Put PowerShell under a WDAC or AppLocker script-enforcement policy so that unsigned scripts run in Constrained Language Mode, and use parent-process rules in the EDR to block shell and `osascript` launches from Obsidian.
4.  **Network Monitoring (D3-NTA: Network Traffic Analysis):** Monitor for unusual DNS queries or direct IP connections to blockchain services from endpoints and, more usefully, from processes where such activity is not expected.
5.  **Response:** Treat any host on which Obsidian spawned an interpreter as compromised until proven otherwise. The RAT lives in memory, so collect the loader script and the tampered plugin files from the vault before they are cleaned up, and rotate exchange credentials and move funds out of any hot wallet reachable from that host.

## Mitigation
1.  **Vet Community Plugins:** Obsidian has no plugin permission model: every enabled community plugin runs with the full privileges of the Obsidian process, including Node.js APIs such as `child_process`. Install plugins only from the official catalog, and treat plugin code that arrives through a shared vault or sync as untrusted until its `main.js` has been compared against the release published by the plugin's own repository.
2.  **Keep Restricted Mode On for Untrusted Vaults:** Obsidian's Restricted mode, which stays on for a vault until the user turns it off, prevents all community plugins from loading. Leave it on, and decline the "Installed community plugins" sync prompt, for any **[Obsidian](https://obsidian.md/)** vault from an unknown or untrusted source.
3.  **Principle of Least Privilege:** Run applications like **[Obsidian](https://obsidian.md/)** as a standard user, not with administrative privileges. This limits lateral impact but does not prevent the RAT from reading everything the user can, including wallet files and browser sessions.
4.  **Endpoint Security:** Ensure up-to-date EDR and antivirus solutions are deployed to detect and block suspicious script execution and process injection techniques.

## MITRE ATT&CK Mapping
| Technique | Name | Tactic |
|---|---|---|
| [T1566.002](https://attack.mitre.org/techniques/T1566/002/) | Spearphishing Link | Initial Access |
| [T1204.002](https://attack.mitre.org/techniques/T1204/002/) | Malicious File | Execution |
| [T1059.001](https://attack.mitre.org/techniques/T1059/001/) | PowerShell | Execution |
| [T1102.002](https://attack.mitre.org/techniques/T1102/002/) | Bidirectional Communication | Command and Control |
| [T1055](https://attack.mitre.org/techniques/T1055/) | Process Injection | Defense Evasion |
| T1112 | Modify Registry | Defense Evasion |

T1112 appears in the mapping, but the reporting summarized here gives no detail on which registry keys are modified.

## Mitigations (ATT&CK / D3FEND)
| ID | Mitigation | D3FEND countermeasure | Rationale |
|---|---|---|---|
| M1017 | User Training | none listed | Training users to recognize social engineering tactics and to be suspicious of unsolicited collaboration requests is the primary defense against this attack vector. |
| M1038 | Execution Prevention | [D3-EAL Executable Allowlisting](https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting) | Using application control to prevent Obsidian from launching script interpreters such as PowerShell breaks the attack chain at the execution step. |
| M1054 | Software Configuration | [D3-ACH Application Configuration Hardening](https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening) | Configuring applications to disable, or require strict approval for, third-party plugins reduces the attack surface. |

## Entities
- REF6598 (threat actor)
- PHANTOMPULSE (malware)
- PHANTOMPULL (malware)
- Obsidian (product, https://obsidian.md/)
- PowerShell (technology, https://attack.mitre.org/techniques/T1059/001/)
- LinkedIn (company)
- Telegram (product)

Tags: Malware, RAT, PHANTOMPULSE, Obsidian, Social Engineering, Cryptocurrency, Finance, REF6598

Impact scope: global. Industries affected: Finance, Technology. Other affected: cryptocurrency professionals. Atomic IOCs published: none; the observables above are behavioural.

## Sources
- The Hacker News, 2026-04-16: [Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks](https://thehackernews.com/2026/04/obsidian-plugin-abuse-delivers.html)
- Cryptopolitan, 2026-04-15: [New malware scam targets crypto users through Obsidian notes app](https://www.cryptopolitan.com/new-malware-scam-targets-crypto-users/)
- SOC Prime, 2026-04-14: [Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT](https://socprime.com/blog/phantom-in-the-vault-obsidian-abused-to-deliver-phantom-pulse-rat-by-elastic/)
- IBM X-Force Exchange, 2026-04-14: [Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT - Osint Advisory](https://exchange.xforce.ibmcloud.com/collection/Phantom-in-the-vault-Obsidian-abused-to-deliver-PhantomPulse-RAT-a6b1c4b7-f41e-4c17-9b2f-7c73a1d9c7e0)

Social post: New campaign REF6598 targets finance & crypto pros using the Obsidian app! ⚠️ Attackers use malicious community plugins to deploy PHANTOMPULSE, a new RAT that uses the Ethereum blockchain for C2. ⛓️ #Malware #Obsidian #Crypto #CyberSecurity
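The C2 resolution described in the Technical Analysis section (newest transaction sent from a hard-coded wallet, C2 address carried in the transaction data) is easier to reason about with a working model. The following is an added example written for this page, not code from the report or from the malware. It reproduces the described lookup against a constructed Etherscan-style `txlist` response; the encoding of the beacon (hex-encoded ASCII `host:port` in the transaction `input` field), the wallet addresses and the IP values are assumptions made for illustration, since the public reporting does not describe the real encoding.

```python
"""Model of the blockchain-resolved C2 lookup attributed to PHANTOMPULSE.

Added example, not code from the report or the malware. The beacon encoding
(hex-encoded ASCII "host:port" in the transaction `input` field) and all
wallet/IP values are ASSUMPTIONS for illustration.
"""
import ipaddress
import json
import re
from typing import Optional, Tuple

# Constructed signalling wallet; not an indicator from the report.
SIGNAL_WALLET = "0x1111111111111111111111111111111111111111"
OTHER_WALLET = "0x3333333333333333333333333333333333333333"

# Constructed explorer response, deliberately unsorted. It includes a transaction
# *received* by the wallet (anyone can send one, so it must be ignored) and a
# newer sent transaction whose input is an ordinary contract call, not a beacon.
SAMPLE_TXLIST = json.dumps({
    "status": "1", "message": "OK",
    "result": [
        {"blockNumber": "19000001", "from": SIGNAL_WALLET, "to": OTHER_WALLET,
         "input": "0x" + b"203.0.113.10:8443".hex()},
        {"blockNumber": "19000777", "from": OTHER_WALLET, "to": SIGNAL_WALLET,
         "input": "0x" + b"198.51.100.99:443".hex()},
        {"blockNumber": "19000900", "from": SIGNAL_WALLET, "to": OTHER_WALLET,
         "input": "0xa9059cbb000000000000000000000000"},
        {"blockNumber": "19000500", "from": SIGNAL_WALLET, "to": OTHER_WALLET,
         "input": "0x" + b"203.0.113.77:8443".hex()},
    ],
})
EMPTY_TXLIST = json.dumps({"status": "0", "message": "No transactions found", "result": []})

_HOST_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def decode_input(hex_input: str) -> Optional[str]:
    """Decode a 0x-prefixed hex `input` field as ASCII text, or None if it is not text."""
    raw = hex_input[2:] if hex_input.lower().startswith("0x") else hex_input
    try:
        return bytes.fromhex(raw).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_beacon(text: str) -> Optional[Tuple[str, int]]:
    """Validate 'ip:port'; reject impossible octets or ports rather than trusting chain data."""
    m = _HOST_PORT.match(text.strip("\x00 \r\n"))
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return (ip, port) if 0 < port < 65536 else None


def resolve_c2(txlist_json: str, wallet: str) -> Optional[Tuple[str, int]]:
    """Newest transaction SENT by `wallet` whose input decodes to a valid host:port.

    Only the holder of the wallet's private key can publish a new transaction
    from it, and every Ethereum node and explorer serves the same chain data,
    so there is no hosting provider or registrar to send a takedown to.
    """
    data = json.loads(txlist_json)
    if data.get("status") != "1":
        return None
    sent = [tx for tx in data.get("result", []) if tx.get("from", "").lower() == wallet.lower()]
    for tx in sorted(sent, key=lambda t: int(t["blockNumber"]), reverse=True):
        text = decode_input(tx.get("input", ""))
        beacon = parse_beacon(text) if text is not None else None
        if beacon:
            return beacon
    return None


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_TXLIST, SIGNAL_WALLET))
```

Two defensive points fall out of the model. The lookup itself is an ordinary HTTPS request to whichever explorer or node the sample prefers (the `api.etherscan.io` observable is one such destination), so blocking a single explorer domain only forces a fallback; the durable signal is which process is making the request. And because transactions *to* the wallet are ignored, defenders cannot poison the channel by sending their own transaction; only the wallet address, if it is ever published, is a stable indicator.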
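The Detection & Response section asks for an EDR rule on Obsidian spawning command interpreters and for file-integrity monitoring of the vault's plugin directory. The following detection logic, run over constructed endpoint telemetry, is an added example for this page and not part of the original report. The event schema (flat dictionaries normalised from EDR, Windows Event ID 4688 and FIM data, with `parent_image`, `image`, `command_line`, `operation` and `path` keys) is an assumption; map your own telemetry fields onto it. The interpreter list goes slightly beyond the report's (powershell, cmd, bash, osascript) by adding pwsh, sh and zsh.

```python
"""Detection logic for the two host-side observables in the report: Obsidian
spawning a command interpreter, and writes under a vault's `.obsidian/plugins/`.

Added example, not from the original report. SAMPLE_EVENTS is constructed
telemetry and its schema is an assumed normalisation, not a vendor format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

OBSIDIAN_IMAGES = {"obsidian.exe", "obsidian"}          # Windows / macOS binaries
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "osascript", "bash", "sh", "zsh"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell switches that make a plugin-launched script more suspicious.
RISKY_PS_ARGS = re.compile(
    r"-(?:ExecutionPolicy|ep)\s+Bypass|-(?:EncodedCommand|enc|ec|e)\b|-(?:WindowStyle|w)\s+Hidden",
    re.IGNORECASE,
)
PLUGIN_DIR = re.compile(r"[\\/]\.obsidian[\\/]plugins[\\/]", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_process(ev: dict) -> Optional[Alert]:
    """Obsidian (either platform) spawning a shell or script interpreter."""
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent not in OBSIDIAN_IMAGES or child not in INTERPRETERS:
        return None
    cmd = ev.get("command_line", "")
    # The -ExecutionPolicy Bypass pattern from the observables table only raises
    # severity when the child really is PowerShell; osascript's "-e" is unrelated.
    severity = "high" if child in POWERSHELL and RISKY_PS_ARGS.search(cmd) else "medium"
    return Alert("obsidian_spawns_interpreter", severity, ev.get("host", "?"), f"{parent} -> {cmd}")


def check_file(ev: dict) -> Optional[Alert]:
    """Creation or modification inside a vault's community plugin directory."""
    path = ev.get("path", "")
    if ev.get("operation") not in {"create", "modify"} or not PLUGIN_DIR.search(path):
        return None
    return Alert("obsidian_plugin_dir_write", "medium", ev.get("host", "?"), f"{ev['operation']} {path}")


def evaluate(events: Iterable[dict]) -> List[Alert]:
    """Run both rules over a stream of normalised events and collect alerts."""
    alerts = []
    for ev in events:
        check = check_process if ev.get("event") == "process_create" else check_file
        alert = check(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed telemetry: two true positives, one plugin-directory write, three benign events.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS-FIN-07",
     "parent_image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -NoProfile -File C:\Users\alice\SharedVault\.obsidian\plugins\shell-commands\run.ps1"},
    {"event": "process_create", "host": "mbp-bob",
     "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/usr/bin/osascript",
     "command_line": "osascript /Users/bob/SharedVault/.obsidian/plugins/shell-commands/run.scpt"},
    {"event": "file_write", "host": "WS-FIN-07", "operation": "create",
     "path": r"C:\Users\alice\SharedVault\.obsidian\plugins\hider\main.js"},
    {"event": "process_create", "host": "WS-FIN-07",          # Electron helper child, benign
     "parent_image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "command_line": "Obsidian.exe --type=renderer"},
    {"event": "process_create", "host": "WS-FIN-07",          # user-launched shell, benign
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell"},
    {"event": "file_write", "host": "WS-FIN-07", "operation": "modify",
     "path": r"C:\Users\alice\SharedVault\notes\todo.md"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} on {a.host}: {a.detail}")
```

The parent-child pair is the rule; the command-line flag only adjusts severity, because `-ExecutionPolicy Bypass` alone fires constantly on machines with admin tooling. Electron's own helper processes show up as Obsidian spawning Obsidian and are deliberately not matched. Windows Event ID 4688 only carries the command line if "Include command line in process creation events" is enabled by policy, so without that setting the rule degrades to the medium-severity form.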
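The Mitigation section tells readers to vet community plugins and to distrust plugins that arrive with an untrusted vault, but Obsidian gives no permission summary to vet against. The following offline audit of the plugins shipped inside a vault is an added example for this page, not Obsidian's own tooling. It relies on two facts about the vault layout: enabled plugin ids are listed in `.obsidian/community-plugins.json`, and each plugin lives in `.obsidian/plugins/<id>/` with a `manifest.json` and a `main.js`. The capability patterns it greps for are a heuristic chosen for this example, not a signature for the tampered plugins in the report, and the sample vault it builds (plugin ids `shell-commands` and `hider`, their contents) is constructed.

```python
"""Offline audit of the community plugins bundled inside an Obsidian vault.

Added example, not Obsidian's own tooling. It reads `.obsidian/community-plugins.json`
(enabled plugin ids) and `.obsidian/plugins/<id>/{manifest.json,main.js}`, and
flags source-level capabilities a reviewer should look at before enabling the
plugin. The patterns are heuristics for this example, not detection signatures.
"""
import json
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Set

# Capabilities worth a human look before a plugin is enabled. Any community plugin
# can use them (Obsidian has no permission model), which is exactly the point.
CAPABILITY_PATTERNS = {
    "spawns_processes": re.compile(r"child_process|\b(?:exec|execSync|spawn|spawnSync)\s*\("),
    "touches_filesystem": re.compile(r"require\(\s*['\"]fs['\"]\s*\)|\bfs\.(?:write|unlink|rename)"),
    "dynamic_code": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "network": re.compile(r"\bfetch\s*\(|XMLHttpRequest|require\(\s*['\"]https?['\"]\s*\)"),
    "obfuscation_hint": re.compile(r"atob\s*\(|fromCharCode|[A-Za-z0-9+/]{200,}={0,2}"),
}


@dataclass
class PluginFinding:
    plugin_id: str
    name: str
    version: str
    enabled_by_vault: bool                      # pre-enabled by the vault's own settings file
    capabilities: List[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        if "spawns_processes" in self.capabilities or "dynamic_code" in self.capabilities:
            return "high"
        return "medium" if self.capabilities else "low"


def enabled_plugins(vault: Path) -> Set[str]:
    """Plugin ids the vault would enable once Restricted mode is turned off."""
    f = vault / ".obsidian" / "community-plugins.json"
    if not f.is_file():
        return set()
    try:
        return set(json.loads(f.read_text(encoding="utf-8")))
    except (ValueError, TypeError):
        return set()


def audit_vault(vault_path) -> List[PluginFinding]:
    vault = Path(vault_path)
    plugins_dir = vault / ".obsidian" / "plugins"
    if not plugins_dir.is_dir():
        return []
    enabled = enabled_plugins(vault)
    findings = []
    for pdir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        manifest = {}
        mf = pdir / "manifest.json"
        if mf.is_file():
            try:
                manifest = json.loads(mf.read_text(encoding="utf-8"))
            except ValueError:
                manifest = {}
        mj = pdir / "main.js"
        code = mj.read_text(encoding="utf-8", errors="replace") if mj.is_file() else ""
        caps = [name for name, rx in CAPABILITY_PATTERNS.items() if rx.search(code)]
        findings.append(PluginFinding(pdir.name, str(manifest.get("name", pdir.name)),
                                      str(manifest.get("version", "?")), pdir.name in enabled, caps))
    return findings


def build_sample_vault(root) -> Path:
    """Constructed vault in the shape the report describes: two plugins shipped
    with the vault and pre-enabled by its settings. Contents are made up."""
    vault = Path(root) / "SharedVault"
    ob = vault / ".obsidian"
    for pid in ("shell-commands", "hider"):
        (ob / "plugins" / pid).mkdir(parents=True)
        (ob / "plugins" / pid / "manifest.json").write_text(
            json.dumps({"id": pid, "name": pid, "version": "0.0.1"}), encoding="utf-8")
    (ob / "community-plugins.json").write_text(json.dumps(["shell-commands", "hider"]), encoding="utf-8")
    (ob / "plugins" / "shell-commands" / "main.js").write_text(
        'const {exec} = require("child_process");\n'
        'exec("powershell -ExecutionPolicy Bypass -File run.ps1");\n', encoding="utf-8")
    (ob / "plugins" / "hider" / "main.js").write_text(
        'document.body.classList.add("hide-ribbon");\n', encoding="utf-8")
    return vault


def audit_sample_vault() -> Dict[str, PluginFinding]:
    """Build the constructed vault in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return {f.plugin_id: f for f in audit_vault(build_sample_vault(tmp))}


if __name__ == "__main__":
    for f in audit_sample_vault().values():
        print(f"{f.risk:6} {f.plugin_id:15} v{f.version} enabled={f.enabled_by_vault} caps={f.capabilities}")
```

Run it against the vault folder before leaving Restricted mode. A plugin that can spawn processes is not malicious by itself (the genuine Shell Commands plugin needs that capability to do its job), which is why the next step is to compare the bundled `main.js` with the release asset from the plugin's own repository rather than to trust the copy that came with the invitation.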