New Malware Campaign Abuses Obsidian Vaults to Target Crypto and Finance Professionals
A sophisticated new malware campaign is exploiting the popular note-taking app Obsidian to deliver a powerful remote access trojan called PHANTOMPULSE — and it’s targeting financial and cryptocurrency professionals through a carefully engineered social engineering playbook.
According to research published by Elastic Security Labs, threat actors are posing as a venture capital firm, initiating contact with targets on LinkedIn before migrating conversations to Telegram group chats populated with multiple fake “partners” to manufacture legitimacy.
Victims are then instructed to use Obsidian as the firm’s supposed “management database” and handed credentials to an attacker-controlled cloud vault, disguised as a shared business dashboard.
Once the vault is open, targets are told to enable Obsidian’s community plugin sync — a feature that is off by default and doesn’t propagate automatically between devices. Enabling it is the tripwire that triggers the infection chain.

How the Obsidian Plugin Abuse Works
Elastic’s telemetry first raised alarms when PowerShell processes were observed spawning directly from the legitimate Obsidian binary — ruling out a trojanized executable and pointing investigators toward the app’s plugin architecture as the true attack surface.

Forensic analysis of the synced vault’s .obsidian directory revealed a pre-configured Shell Commands plugin capable of executing arbitrary, platform-specific commands on events such as vault open or app startup. A secondary “Hider” plugin was also included to conceal UI elements and reduce the victim’s suspicion.
Because the malicious logic lives inside JSON configuration files and memory-only loaders rather than standalone executables, traditional signature-based and file-centric defenses are largely bypassed.
PHANTOMPULL and PHANTOMPULSE: The Windows Payload Chain
On Windows, the attack chain begins with a Base64-encoded PowerShell command that downloads a second-stage script from a remote command-and-control (C2) server. That script fetches a loader binary called syncobs.exe, identified as PHANTOMPULL, which reports execution status back to the same C2.
PHANTOMPULL is a 64-bit Windows loader that decrypts an AES-256-CBC encrypted payload embedded in its resources and reflectively loads it in memory, then retrieves the PHANTOMPULSE RAT over HTTPS from its C2 infrastructure.
PHANTOMPULSE itself is a feature-rich remote access trojan that bears the hallmarks of AI-assisted development — unusually verbose, step-labeled debug strings and a polished “Phantom Panel” web interface hosted behind Cloudflare’s network.

To further complicate analysis, the malware employs runtime API hashing, fake integrity checks, dead code, and timer-queue callbacks to stymie reverse engineering and evade sandbox heuristics.
One particularly notable technique: PHANTOMPULSE resolves its live C2 address using Ethereum-compatible Blockscout blockchain explorers, decoding the C2 URL from on-chain transaction input data tied to a hardcoded wallet address. However, because it fails to validate the transaction sender, defenders who know the wallet and XOR encoding scheme could theoretically hijack C2 resolution by publishing their own sinkhole transaction.
macOS Chain and Telegram Dead-Drop Fallback
On macOS, the Shell Commands plugin triggers a Base64-encoded AppleScript payload delivered via osascript. This sets up a persistent LaunchAgent before executing a heavily obfuscated AppleScript dropper.

The dropper constructs all sensitive strings at runtime using decoy variables for obfuscation, and implements a layered C2 discovery strategy: it first tries a list of hardcoded domains, then falls back to scraping a public Telegram channel as a dead-drop resolver if those hosts are unreachable.
Once a C2 is reached, the script posts victim identifiers to the server and pipes the response directly into osascript, creating an in-memory multi-stage execution chain that mirrors the Windows approach in its emphasis on stealth, flexibility, and minimal on-disk artifacts. At the time of analysis, the macOS C2 infrastructure was offline.
Detection and Defensive Recommendations
Elastic Defend successfully blocked the REF6598 intrusion at an early stage by flagging anomalous PowerShell processes spawned from Obsidian, preventing PHANTOMPULSE from fully deploying on the targeted host.
Security teams — particularly those in the financial and cryptocurrency sectors — should treat productivity tools like Obsidian as potential code execution surfaces. Organizations are advised to monitor for unusual child processes spawned from note-taking or productivity applications, enforce strict plugin policies, and train users to be suspicious of requests to open shared vaults or enable community plugin sync from external parties.