
Obsidian plugin was abused to deploy a remote access trojan

Security researchers have identified a sophisticated social engineering campaign targeting financial professionals that uses malicious Obsidian note-taking application plugins to deploy the resilient PHANTOMPULSE Remote Access Trojan.

Key Points

  • Attackers use LinkedIn and Telegram to lure victims into opening malicious shared Obsidian vaults.
  • The campaign exploits the "community plugins" feature to execute unauthorized code on Windows and macOS systems.
  • PHANTOMPULSE uses the Ethereum blockchain to dynamically resolve its command-and-control server address, complicating takedown efforts.
  • Once installed, the malware can capture keystrokes, take screenshots, and exfiltrate sensitive cryptocurrency credentials or corporate data.
  • Security teams are advised to monitor Obsidian for anomalous child processes like PowerShell or AppleScript.
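The last key point recommends watching Obsidian for anomalous child processes. The following is an added example of that detection logic, not code from the article or from any vendor it cites: it scans constructed process-creation events (Sysmon-like on Windows, endpoint-agent-like on macOS) and flags cases where an Obsidian parent spawns a scripting interpreter such as PowerShell or osascript. The interpreter list, field names and sample events are assumptions for this example; Electron apps legitimately spawn copies of themselves, so those self-children are deliberately not flagged.

```python
from dataclasses import dataclass

# Interpreters a note-taking app has no routine reason to launch.
# Assumed list for this example; tune it to your own environment.
SUSPICIOUS_CHILDREN = {
    "windows": {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"},
    "macos": {"osascript", "bash", "sh", "zsh", "curl", "python3"},
}

# Process image names Obsidian runs under on each platform (assumed).
OBSIDIAN_PARENTS = {"obsidian.exe", "obsidian"}


@dataclass
class Finding:
    host: str
    parent: str
    child: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_obsidian_children(events):
    """Return a Finding for every event where Obsidian is the parent and the
    child is a scripting interpreter for that OS. Obsidian spawning itself
    (Electron renderer/GPU helpers) is normal and is not reported."""
    findings = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        child = _basename(ev["image"])
        if parent not in OBSIDIAN_PARENTS:
            continue
        if child in SUSPICIOUS_CHILDREN.get(ev["os"], set()):
            findings.append(Finding(ev["host"], parent, child, ev["command_line"]))
    return findings


# Constructed sample telemetry (not real events); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "fin-ws-01", "os": "windows",
     "parent_image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe (constructed args)"},
    {"host": "fin-ws-01", "os": "windows",
     "parent_image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe",
     "command_line": "Obsidian.exe --type=renderer"},
    {"host": "fin-mac-02", "os": "macos",
     "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/usr/bin/osascript",
     "command_line": "osascript (constructed args)"},
    {"host": "fin-mac-02", "os": "macos",
     "parent_image": "/bin/zsh",
     "image": "/usr/bin/osascript",
     "command_line": "osascript (constructed args)"},
]


if __name__ == "__main__":
    for f in find_obsidian_children(SAMPLE_EVENTS):
        print(f"{f.host}: {f.parent} -> {f.child}: {f.command_line}")
```

Running it reports the PowerShell and osascript launches from Obsidian on the two sample hosts and ignores both the renderer helper and the osascript run from a shell. The same parent/child rule translates directly into a SIEM or EDR query on process-creation telemetry; the point is the parent-child relationship, not any particular command line.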

Why it Matters

This campaign highlights a growing trend of attackers weaponizing legitimate productivity software to bypass traditional security perimeters. The use of blockchain-based infrastructure makes this malware particularly difficult to disrupt, posing a significant risk to high-value targets in the financial and cryptocurrency sectors.
Netsecops.io Published by CyberNetSec.io