Attackers used Obsidian, a cross-platform note-taking app, to deliver a previously undocumented Windows remote access trojan called PHANTOMPULSE in a social engineering campaign aimed at people in the financial and cryptocurrency sectors, according to a technical analysis from Elastic Security Labs.
KEY FACTS
- Initial access: Targets were approached on LinkedIn and Telegram and told to open a shared Obsidian vault.
- Execution path: The campaign relied on community plugins, including Shell Commands and Hider, to run code when the vault was opened.
- Payload: On Windows, the chain dropped PHANTOMPULL, which decrypted and launched PHANTOMPULSE in memory.
- Reach: The activity affected both Windows and macOS systems, but the intrusion was blocked before it succeeded.
The report said the operation used a fake venture capital theme and moved conversations into a Telegram group that included purported partners discussing finance and cryptocurrency liquidity. Victims were then instructed to connect Obsidian to a cloud-hosted vault using credentials provided by the operators.
Opening the vault triggered the infection chain if the user enabled installed community plugin sync, a setting that is off by default. The malicious configuration used the Shell Commands plugin to execute commands and the Hider plugin to conceal parts of the interface.
On Windows, the commands launched a PowerShell script that dropped PHANTOMPULL and then loaded PHANTOMPULSE into memory. The backdoor used the Ethereum blockchain to locate its command and control server by checking a transaction tied to a hard-coded wallet address, then communicated over WinHTTP to send telemetry, receive commands, upload files or screenshots, and capture keystrokes.
The malware supported commands for process injection, file dropping, screenshots, keylogging, privilege escalation to SYSTEM, and cleanup. On macOS, the same plugin path delivered an obfuscated AppleScript dropper that used Telegram as a fallback resolver for command and control, while the final payload remained unknown because the servers were offline.
WHY IT MATTERS
The campaign shows how trusted software features can be turned into delivery channels without exploiting a code flaw. It also highlights the limits of traditional antivirus and domain blocking when malicious activity is embedded in legitimate configuration files and routed through a signed application.
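As an added illustration (not code from Elastic's report or from Obsidian), the script below triages a vault's .obsidian directory for the combination described above: the Shell Commands and Hider plugins enabled, plus auto-run command strings that invoke an interpreter. The plugin IDs and the layout of the Shell Commands data.json are assumptions to verify against the installed plugin versions, and the sample vault it builds is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed plugin IDs as they appear in .obsidian/community-plugins.json.
SHELL_PLUGIN_ID = "obsidian-shellcommands"
HIDER_PLUGIN_ID = "obsidian-hider"
# Interpreters and downloaders a note-taking vault has no reason to launch on open.
SUSPICIOUS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|osascript|curl|wget|certutil)\b", re.I)

def load_json(path: Path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):  # missing or malformed file counts as empty
        return None

def triage_vault(vault: Path) -> dict:
    """Report plugins of concern and any shell command strings that call an interpreter."""
    cfg = vault / ".obsidian"
    findings = {"plugins": [], "commands": []}
    enabled = load_json(cfg / "community-plugins.json") or []
    findings["plugins"] = [p for p in (SHELL_PLUGIN_ID, HIDER_PLUGIN_ID) if p in enabled]
    data = load_json(cfg / "plugins" / SHELL_PLUGIN_ID / "data.json") or {}
    # Assumed data.json layout: shell_commands[] with platform_specific_commands{} and events{}.
    for entry in data.get("shell_commands", []):
        trigger = "auto" if entry.get("events") else "manual"
        for platform, command in entry.get("platform_specific_commands", {}).items():
            if SUSPICIOUS.search(command or ""):
                findings["commands"].append(f"{platform}/{trigger}: {command}")
    return findings

def build_sample_vault(root: Path) -> Path:
    """Write a constructed vault config mirroring the described chain (not a real sample)."""
    cfg = root / "vault" / ".obsidian"
    (cfg / "plugins" / SHELL_PLUGIN_ID).mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(json.dumps([SHELL_PLUGIN_ID, HIDER_PLUGIN_ID]))
    (cfg / "plugins" / SHELL_PLUGIN_ID / "data.json").write_text(json.dumps({
        "shell_commands": [{
            "platform_specific_commands": {
                "win": 'powershell -WindowStyle Hidden -File "%TEMP%\\PLACEHOLDER.ps1"',
                "mac": "osascript /tmp/PLACEHOLDER.scpt"},
            "events": {"after-obsidian-starts": {"enabled": True}}}]}))
    return root / "vault"

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage_vault(build_sample_vault(Path(tmp)))
```

Point triage_vault at a real vault path to check a shared vault before enabling community plugin sync; a clean vault returns empty lists for both keys.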

