Obsidian Plugin Exploitation Spreads PHANTOMPULSE RAT in Targeted Finance and Crypto Attacks

A newly identified cyber campaign has revealed how attackers are exploiting trusted software tools to infiltrate high-value targets. Security researchers have uncovered a sophisticated operation that abuses the popular note-taking application Obsidian to distribute a previously unknown remote access trojan called PHANTOMPULSE RAT.

The attacks are primarily aimed at individuals working in financial services and cryptocurrency sectors, where access to sensitive assets makes them attractive targets.

Social Engineering Through Professional Platforms

The campaign, tracked as REF6598 by Elastic Security Labs, relies heavily on advanced social engineering techniques.

Attackers begin by contacting victims through LinkedIn, posing as representatives of a venture capital firm. Once initial trust is established, conversations are moved to Telegram, where victims are introduced to a group chat filled with fake partners discussing cryptocurrency liquidity and financial strategies.

This staged environment is carefully crafted to appear legitimate and convincing.

Infection Through Obsidian Vault Manipulation

The attack progresses when the victim is instructed to access a shared dashboard using Obsidian by connecting to a cloud-hosted vault.

The compromise occurs when:

  • The victim opens the shared vault
  • They are persuaded to enable “community plugin sync”
  • Malicious plugins execute hidden commands in the background

Attackers exploit legitimate plugins such as:

This approach avoids traditional detection methods because the malicious activity is embedded within legitimate configuration files.

Why This Technique Is Dangerous

Unlike conventional malware delivery, this method does not rely on software vulnerabilities. Instead, it abuses intended application features, making detection significantly harder.

Key factors that increase the threat level:

  • Execution occurs through a trusted, signed application
  • Malicious payloads are stored inside JSON configuration files
  • Traditional antivirus tools struggle to identify the behavior
  • Detection depends heavily on monitoring parent processes

Windows Infection Chain

On Windows systems, the attack triggers a multi-stage payload:

  • A PowerShell script launches an intermediate loader named PHANTOMPULL
  • The loader decrypts and executes PHANTOMPULSE RAT directly in memory

The malware then establishes persistence and begins communication with its command infrastructure.
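The "Key factors" list above notes that detection depends heavily on monitoring parent processes, and the Windows chain shows the trusted Obsidian process handing off to PowerShell. The following is an added illustration of that detection idea, not code from Elastic's report: it walks constructed process-creation telemetry (pid, ppid, image; field names assumed) and flags any script host whose ancestry leads back to Obsidian.exe, so a PowerShell child, or a grandchild it launches, is caught while user-started PowerShell is not.

```python
# Script hosts commonly used to run a downloaded stage on Windows.
# Hypothetical watchlist for this example, not the report's own rule.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
TRUSTED_PARENT = "obsidian.exe"  # the Electron app the campaign abuses


def _basename(path):
    # Accept either path separator and compare case-insensitively.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image basenames from pid up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(_basename(ev["image"]))
        pid = ev["ppid"]
    return chain


def find_obsidian_spawned_script_hosts(events):
    """Return (pid, chain) for script hosts descended from Obsidian."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if _basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(ev["pid"], by_pid)
        if TRUSTED_PARENT in chain[1:]:  # any ancestor, not just the parent
            hits.append((ev["pid"], " <- ".join(chain)))
    return hits


# Constructed sample telemetry, not from the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe"},  # renderer, benign
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},  # launched by that PowerShell
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # user-started
]

if __name__ == "__main__":
    for pid, chain in find_obsidian_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```

Electron apps legitimately spawn copies of themselves (renderer and GPU helpers), so the rule keys on script hosts rather than on every child of Obsidian.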

Blockchain-Based Command and Control

A unique aspect of PHANTOMPULSE is its use of Ethereum blockchain technology to locate its command-and-control server.

Instead of relying on static domains, the malware:

This technique allows attackers to dynamically update their infrastructure and evade traditional domain-based blocking.

Capabilities of PHANTOMPULSE RAT

Once deployed, the malware provides attackers with extensive remote control, including:

  • Injecting malicious code into processes
  • Dropping and executing files
  • Capturing screenshots
  • Logging keystrokes
  • Uploading sensitive data
  • Escalating privileges to SYSTEM level

These capabilities make it a powerful tool for espionage and financial data theft.

macOS Attack Variant

On macOS systems, the attack uses a different approach:

  • An obfuscated AppleScript dropper is executed
  • It cycles through predefined domains to locate the C2 server
  • Telegram is used as a fallback mechanism

The script then downloads a second-stage payload using native tools. However, researchers were unable to fully analyze this payload due to inactive servers at the time of investigation.

Attack Outcome and Key Takeaways

Despite the sophistication of the campaign, the intrusion attempt was ultimately unsuccessful, as it was detected and blocked before significant damage occurred.

This campaign highlights a growing trend in cybersecurity:

  • Attackers are shifting toward abusing trusted applications instead of exploiting vulnerabilities
  • Social engineering remains a critical entry point
  • Legitimate software ecosystems can become powerful attack vectors
