Security researchers from Elastic Security Labs have uncovered a sophisticated social engineering campaign that exploits the popular Obsidian note-taking app to deploy a previously undocumented remote access trojan (RAT) called PHANTOMPULSE. The malware specifically targets cryptocurrency and finance professionals, using a multi-stage attack that begins on LinkedIn and moves to Telegram.
The scammers pose as venture capital representatives on LinkedIn to initiate contact with potential victims in the digital asset space. After establishing a professional rapport, conversations shift to Telegram, where attackers discuss cryptocurrency liquidity solutions to create a "plausible business context." The target is then invited to access a supposed company database or dashboard hosted on a shared Obsidian cloud vault.
Once the victim opens the vault, they are instructed to enable community plugin synchronization. This action triggers the silent execution of trojanized software, which installs the PHANTOMPULSE malware. The attack employs separate, stealthy execution paths for both Windows and macOS systems, granting attackers full control over the infected device.
A key innovation of this malware is its decentralized command-and-control (C2) system, which leverages three different blockchain networks. PHANTOMPULSE receives instructions by reading on-chain transaction data tied to specific wallets, eliminating the need for a central server. "Because blockchain transactions are immutable and publicly accessible, the malware can always locate its C2 without relying on centralized infrastructure," Elastic noted. This method ensures resilience, as the attack can continue even if one blockchain explorer is blocked.
The campaign highlights a critical vulnerability in trusted productivity tools. By abusing Obsidian's plugin ecosystem, attackers can "skirt traditional security controls entirely." The threat is amplified by the high-value target: according to Chainalysis data, wallet compromises accounted for $713 million in stolen funds in 2025 alone. Security experts recommend that financial firms implement strict application-level policies for plugins and verify communication sources before enabling external software integrations.
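The article's closing recommendation, an application-level policy for plugins, can be enforced for a vault that already sits on disk. The script below is an added example, not code from Elastic Security Labs or from the Obsidian project: it lists which community plugins a vault has enabled (the step the lure in this campaign asks victims to take) and flags any that are not on an approved list, also recording a hash of each plugin's code for inventory. The vault layout it reads (`.obsidian/community-plugins.json` as a JSON array of enabled plugin ids, and `.obsidian/plugins/<id>/manifest.json` plus `main.js`) is assumed from Obsidian's on-disk convention; the `dataview` allowlist entry stands in for whatever plugins a firm has approved, and the sample vault with an unknown `liquidity-dashboard` plugin is constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed vault layout (Obsidian's on-disk convention as understood here,
# not taken from the article):
#   <vault>/.obsidian/community-plugins.json      JSON array of enabled plugin ids
#   <vault>/.obsidian/plugins/<id>/manifest.json  plugin metadata (id, name, version, ...)
#   <vault>/.obsidian/plugins/<id>/main.js        the code Obsidian loads for the plugin


def audit_vault(vault: Path, allowlist: set) -> dict:
    """Classify every community plugin in the vault against an allowlist.

    Returns a dict with:
      allowed      enabled ids that are on the allowlist
      blocked      enabled ids that are NOT on the allowlist (policy violation)
      disabled     ids with code on disk that are not currently enabled
      id_mismatch  directories whose manifest id differs from the directory name
      hashes       sha256 of each plugin's main.js, for inventory and comparison
    """
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.exists() else []
    plugin_root = cfg / "plugins"
    on_disk = (
        sorted(p.name for p in plugin_root.iterdir() if p.is_dir())
        if plugin_root.exists()
        else []
    )

    report = {"allowed": [], "blocked": [], "disabled": [], "id_mismatch": [], "hashes": {}}
    for pid in enabled:
        (report["allowed"] if pid in allowlist else report["blocked"]).append(pid)
    for pid in on_disk:
        if pid not in enabled:
            # Code is present but inactive: still worth knowing about, since a
            # single click in the plugin settings would activate it.
            report["disabled"].append(pid)
        manifest = plugin_root / pid / "manifest.json"
        if manifest.exists():
            declared = json.loads(manifest.read_text()).get("id")
            if declared != pid:
                report["id_mismatch"].append(pid)
        main_js = plugin_root / pid / "main.js"
        if main_js.exists():
            report["hashes"][pid] = hashlib.sha256(main_js.read_bytes()).hexdigest()
    return report


def build_sample_vault() -> Path:
    """Construct a throwaway vault with two enabled plugins: one approved, one unknown."""
    vault = Path(tempfile.mkdtemp(prefix="vault-"))
    cfg = vault / ".obsidian"
    plugins = {
        # Stand-in for an approved plugin (constructed stub, not the real plugin's code).
        "dataview": "module.exports = class extends require('obsidian').Plugin {};\n",
        # Constructed unknown plugin id, used only to trigger a policy violation here.
        "liquidity-dashboard": "/* constructed unknown plugin */ module.exports = {};\n",
    }
    for pid, code in plugins.items():
        d = cfg / "plugins" / pid
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "name": pid, "version": "0.0.1"}))
        (d / "main.js").write_text(code)
    (cfg / "community-plugins.json").write_text(json.dumps(list(plugins)))
    return vault


if __name__ == "__main__":
    report = audit_vault(build_sample_vault(), allowlist={"dataview"})
    for pid in report["blocked"]:
        print(f"POLICY VIOLATION: plugin '{pid}' is enabled but not allowlisted")
    print(json.dumps(report, indent=2))
```

Run against a real vault by calling `audit_vault(Path("/path/to/vault"), allowlist)` with the firm's approved plugin ids; anything in `blocked` is a plugin that was enabled outside the policy, and a change in `hashes` between two runs shows that a plugin's code was replaced, which plugin synchronization can do without any further user action.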