PROBABLYPWNED
Malware · April 20, 2026 · 4 min read

PHANTOMPULSE RAT Spreads via Malicious Obsidian Vaults

Threat actors pose as VCs on LinkedIn, share weaponized Obsidian vaults that silently deploy an AI-generated backdoor using blockchain C2 infrastructure.

James Rivera

Elastic Security Labs uncovered a social engineering campaign targeting cryptocurrency and financial sector professionals. Attackers pose as venture capitalists on LinkedIn, lure targets into Telegram discussions, then deploy a previously undocumented Windows RAT called PHANTOMPULSE through weaponized Obsidian vaults.

The campaign, tracked as REF6598, represents a creative abuse of legitimate software rather than traditional vulnerability exploitation.

How the Attack Works

The infection chain starts with social engineering. Threat actors create convincing VC firm personas on LinkedIn and approach targets with investment discussions. Once rapport is established, conversations move to Telegram groups where multiple "partners" engage the victim about cryptocurrency liquidity solutions.

Eventually, targets receive credentials to access a cloud-hosted Obsidian vault supposedly containing deal materials. Opening the vault triggers infection.

According to Elastic's research, the attackers abuse legitimate Obsidian community plugins—specifically Shell Commands and Hider—to execute code when victims open the shared vault. Shell Commands runs arbitrary code, while Hider conceals UI elements that might alert users to malicious activity.

There's a catch: community plugin sync must be manually enabled by the victim. The social engineering apparently convinces targets to do this as part of accessing the "deal materials."
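One way to turn the plugin-audit advice into a check you can run, as an added example that is not Elastic's or Obsidian's code: the script below walks a vault's .obsidian directory, flags the two plugins the article names, and reports any plugin setting string that invokes a shell interpreter. The file layout it reads (community-plugins.json, plugins/<id>/data.json), the plugin IDs obsidian-shellcommands and obsidian-hider, and the Shell Commands settings field names are assumptions; the vault it builds for the demo is constructed sample data.

```python
"""Audit an Obsidian vault for community plugins that can run code, and for plugin
settings that invoke a shell interpreter.

Added example, not code from Elastic's report or from Obsidian. Assumptions:
  * Obsidian stores the enabled community plugin list in
    <vault>/.obsidian/community-plugins.json (a JSON array of plugin IDs) and each
    plugin's settings in <vault>/.obsidian/plugins/<id>/data.json.
  * 'obsidian-shellcommands' and 'obsidian-hider' are assumed to be the plugin IDs of
    the Shell Commands and Hider plugins named in the article.
"""
import json
import re
import tempfile
from pathlib import Path

# Plugins this audit always flags because they execute commands or hide UI (assumed IDs).
FLAGGED_PLUGINS = {"obsidian-shellcommands": "Shell Commands", "obsidian-hider": "Hider"}

# Interpreter / downloader names whose presence in plugin settings deserves a look.
INTERPRETER_RE = re.compile(
    r"\b(powershell|pwsh|cmd\.exe|osascript|bash|curl|iwr|invoke-webrequest)\b", re.I)


def enabled_plugins(vault: Path) -> list[str]:
    """Return the plugin IDs listed as enabled, or [] if community plugins are off."""
    listing = vault / ".obsidian" / "community-plugins.json"
    if not listing.is_file():
        return []
    try:
        data = json.loads(listing.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return []
    return [p for p in data if isinstance(p, str)] if isinstance(data, list) else []


def _strings(obj):
    """Yield every string nested anywhere in a parsed JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def audit_vault(vault: Path) -> dict:
    """Return flagged plugin IDs and (plugin, setting) pairs whose setting invokes an interpreter."""
    findings = {"flagged_plugins": [], "suspicious_settings": []}
    for plugin_id in enabled_plugins(vault):
        if plugin_id in FLAGGED_PLUGINS:
            findings["flagged_plugins"].append(plugin_id)
        # The plugin ID becomes a directory name; refuse anything that could escape the vault.
        if "/" in plugin_id or "\\" in plugin_id or plugin_id in ("", ".", ".."):
            findings["suspicious_settings"].append((plugin_id, "<unsafe plugin id>"))
            continue
        data_json = vault / ".obsidian" / "plugins" / plugin_id / "data.json"
        if not data_json.is_file():
            continue
        try:
            settings = json.loads(data_json.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            findings["suspicious_settings"].append((plugin_id, "<unparseable data.json>"))
            continue
        for text in _strings(settings):
            if INTERPRETER_RE.search(text):
                findings["suspicious_settings"].append((plugin_id, text))
    return findings


def build_sample_vault(root: Path) -> Path:
    """Write a constructed vault resembling the article's description (sample data, not real IoCs)."""
    vault = root / "deal-materials"
    (vault / ".obsidian" / "plugins" / "obsidian-shellcommands").mkdir(parents=True)
    (vault / ".obsidian" / "plugins" / "obsidian-hider").mkdir(parents=True)
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider", "calendar"]))
    # Constructed Shell Commands settings: a command bound to a startup event (field names assumed).
    (vault / ".obsidian" / "plugins" / "obsidian-shellcommands" / "data.json").write_text(json.dumps({
        "shell_commands": [{
            "id": "sample",
            "platform_specific_commands": {
                "default": "powershell -w hidden -File .obsidian/plugins/obsidian-shellcommands/run.ps1"},
            "events": {"after-obsidian-starts": {"enabled": True}}}]}))
    (vault / ".obsidian" / "plugins" / "obsidian-hider" / "data.json").write_text(
        json.dumps({"hideStatus": True}))
    return vault


def run_demo() -> dict:
    """Build the sample vault in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a real vault with `audit_vault(Path("/path/to/vault"))`; an empty result for a vault that is supposed to hold only notes is what you want to see, and any entry under suspicious_settings is worth reading in full before the vault is opened in Obsidian.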

PHANTOMPULSE Capabilities

The backdoor demonstrates sophisticated design. The Hacker News reports that PHANTOMPULSE was generated using AI assistance—a troubling indicator of how generative AI accelerates malware development.

Core capabilities include:

Command      Function
inject       Shellcode, DLL, or EXE injection into target processes
drop         File deployment and execution
screenshot   Screen capture and upload
keylog       Keystroke logging (start/stop)
elevate      Privilege escalation to SYSTEM
uninstall    Removal and cleanup

The malware resolves its command-and-control server through the Ethereum blockchain, fetching the latest transaction from a hardcoded wallet address. This technique defeats traditional domain blocking—you can't take down an Ethereum address the way you can seize a malicious domain.

We covered similar blockchain C2 innovation with Omnistealer and the UNC5342 EtherHiding campaign recently. Threat actors increasingly recognize blockchain as censorship-resistant infrastructure.

Cross-Platform Delivery

The campaign targets both Windows and macOS:

Windows infection chain:

  1. Shell Commands plugin invokes PowerShell script
  2. Script drops PHANTOMPULL (intermediate loader)
  3. Loader decrypts and launches PHANTOMPULSE entirely in memory

macOS variant:

  • Obfuscated AppleScript dropper iterates hardcoded domains
  • Telegram serves as fallback C2 resolver
  • Secondary payload downloaded via osascript

The memory-only execution and the parent process (Obsidian, a signed Electron application) make detection challenging. The payloads reside in JSON configuration files, which are unlikely to trigger traditional antivirus signatures.

Why Financial Sector Targeting

Cryptocurrency professionals handle wallet credentials, exchange access, and transaction authority. Compromising their workstations provides direct financial returns—attackers can drain wallets, redirect transactions, or access exchange APIs with elevated privileges. The Grinex exchange hack we covered this week shows what happens when threat actors gain this level of access.

The VC impersonation angle is clever. Crypto founders and financial professionals expect investment discussions. They're predisposed to engage with potential investors and may lower their guard when discussing deals they genuinely want to close.

This parallels social engineering tactics we've documented before, but the Obsidian abuse represents genuine innovation. Using a legitimate productivity application as the infection vector bypasses security tools focused on traditional malware delivery (email attachments, drive-by downloads, suspicious executables).

Detection and Mitigation

Elastic Security Labs provides detection rules in their report. Organizations should:

  1. Audit Obsidian installations for unfamiliar community plugins
  2. Block the known C2 wallet if your security stack supports blockchain monitoring
  3. Warn high-value employees about unsolicited LinkedIn investment approaches
  4. Monitor for PowerShell execution spawned from Obsidian processes
  5. Review outbound connections to Ethereum RPC endpoints

The campaign demonstrates how attackers continue finding creative initial access vectors by abusing trusted applications and employing targeted social engineering. Traditional perimeter defenses don't help when the payload arrives through a note-taking app the user deliberately installed.

For cryptocurrency professionals specifically: investment opportunities that require installing plugins or enabling sync features should raise immediate suspicion. Legitimate VCs don't need you to modify your local software to review deal terms.
