PHANTOMPULSE RAT Spreads via Malicious Obsidian Vaults
Threat actors pose as VCs on LinkedIn, share weaponized Obsidian vaults that silently deploy an AI-generated backdoor using blockchain C2 infrastructure.
Elastic Security Labs uncovered a social engineering campaign targeting cryptocurrency and financial sector professionals. Attackers pose as venture capitalists on LinkedIn, lure targets into Telegram discussions, then deploy a previously undocumented Windows RAT called PHANTOMPULSE through weaponized Obsidian vaults.
The campaign, tracked as REF6598, represents a creative abuse of legitimate software rather than traditional vulnerability exploitation.
How the Attack Works
The infection chain starts with social engineering. Threat actors create convincing VC firm personas on LinkedIn and approach targets with investment discussions. Once rapport is established, conversations move to Telegram groups where multiple "partners" engage the victim about cryptocurrency liquidity solutions.
Eventually, targets receive credentials to access a cloud-hosted Obsidian vault supposedly containing deal materials. Opening the vault triggers infection.
According to Elastic's research, the attackers abuse legitimate Obsidian community plugins—specifically Shell Commands and Hider—to execute code when victims open the shared vault. Shell Commands runs arbitrary code, while Hider conceals UI elements that might alert users to malicious activity.
There's a catch: community plugin sync must be manually enabled by the victim. The social engineering apparently convinces targets to do this as part of accessing the "deal materials."
PHANTOMPULSE Capabilities
The backdoor demonstrates sophisticated design. The Hacker News reports that PHANTOMPULSE was generated using AI assistance—a troubling indicator of how generative AI accelerates malware development.
Core capabilities include:
| Command | Function |
|---|---|
| inject | Shellcode, DLL, or EXE injection into target processes |
| drop | File deployment and execution |
| screenshot | Screen capture and upload |
| keylog | Keystroke logging (start/stop) |
| elevate | Privilege escalation to SYSTEM |
| uninstall | Removal and cleanup |
The malware resolves its command-and-control server through the Ethereum blockchain, fetching the latest transaction from a hardcoded wallet address. This technique defeats traditional domain blocking—you can't takedown an Ethereum address the way you can seize a malicious domain.
We covered similar blockchain C2 innovation with Omnistealer and the UNC5342 EtherHiding campaign recently. Threat actors increasingly recognize blockchain as censorship-resistant infrastructure.
Cross-Platform Delivery
The campaign targets both Windows and macOS:
Windows infection chain:
- Shell Commands plugin invokes PowerShell script
- Script drops PHANTOMPULL (intermediate loader)
- Loader decrypts and launches PHANTOMPULSE entirely in memory
macOS variant:
- Obfuscated AppleScript dropper iterates hardcoded domains
- Telegram serves as fallback C2 resolver
- Secondary payload downloaded via osascript
The memory-only execution and parent process (signed Electron application Obsidian) makes detection challenging. Payloads reside in JSON configuration files that unlikely trigger traditional antivirus signatures.
Why Financial Sector Targeting
Cryptocurrency professionals handle wallet credentials, exchange access, and transaction authority. Compromising their workstations provides direct financial returns—attackers can drain wallets, redirect transactions, or access exchange APIs with elevated privileges. The Grinex exchange hack we covered this week shows what happens when threat actors gain this level of access.
The VC impersonation angle is clever. Crypto founders and financial professionals expect investment discussions. They're predisposed to engage with potential investors and may lower their guard when discussing deals they genuinely want to close.
This parallels social engineering tactics we've documented before, but the Obsidian abuse represents genuine innovation. Using a legitimate productivity application as the infection vector bypasses security tools focused on traditional malware delivery (email attachments, drive-by downloads, suspicious executables).
Detection and Mitigation
Elastic Security Labs provides detection rules in their report. Organizations should:
- Audit Obsidian installations for unfamiliar community plugins
- Block the known C2 wallet if your security stack supports blockchain monitoring
- Warn high-value employees about unsolicited LinkedIn investment approaches
- Monitor for PowerShell execution spawned from Obsidian processes
- Review outbound connections to Ethereum RPC endpoints
The campaign demonstrates how attackers continue finding creative initial access vectors by abusing trusted applications and employing targeted social engineering. Traditional perimeter defenses don't help when the payload arrives through a note-taking app the user deliberately installed.
For cryptocurrency professionals specifically: investment opportunities that require installing plugins or enabling sync features should raise immediate suspicion. Legitimate VCs don't need you to modify your local software to review deal terms.
Related Articles
ClickFix Campaign Deploys MIMICRAT Through Compromised BIN Sites
Elastic Security Labs uncovers ClickFix campaign abusing compromised bincheck.io to deliver MIMICRAT, a custom C++ RAT with SOCKS5 tunneling and token impersonation capabilities.
Feb 21, 2026Injective Labs npm Packages Backdoored to Steal Crypto Wallets
Hackers compromised Injective Labs' GitHub repo to push malicious npm packages that steal cryptocurrency wallet keys. 18 packages affected, detected within an hour.
Jul 13, 2026RedHook Android RAT Weaponizes Wireless ADB for Shell Access
Group-IB reveals RedHook banking trojan now exploits Android's Wireless Debugging to gain shell privileges without rooting. Active in Southeast Asia with 53 remote commands.
Jul 12, 2026ChocoPoC RAT Targets Researchers via Fake Exploit Repos
Malicious Python PoC repositories on GitHub deliver ChocoPoC RAT to security researchers. The trojan steals credentials and provides remote access via Mapbox dead drops.
Jul 8, 2026