April 15, 2026 ChainGPT

Obsidian plugin trojan PHANTOMPULSE uses on-chain C2 to target crypto professionals

A new, highly targeted malware campaign is exploiting the Obsidian note-taking app to compromise crypto and finance professionals, Elastic Security Labs warned Tuesday. Attackers are using sophisticated social engineering and the app’s community plugin ecosystem to deliver a previously unknown remote access trojan (RAT) called PHANTOMPULSE — a threat tailored to extract value from users in the digital-asset space, where on-chain transactions are irreversible.

How the scam works

- Initial approach: Attackers pose as venture capital or industry contacts on LinkedIn to start professional conversations.
- Trust building: Conversations shift to Telegram, where plausible-sounding topics such as crypto liquidity solutions or company dashboards are discussed to establish credibility.
- The lure: Targets are invited to access a “company database” or dashboard hosted in a shared Obsidian cloud vault.
- The trigger: When victims open the vault and enable community plugin synchronization, a trojanized plugin silently executes and installs the RAT.
- Cross-platform impact: Variants for both Windows and macOS have been observed, all leading to installation of PHANTOMPULSE.

What makes PHANTOMPULSE dangerous

- Full device control: The RAT gives attackers comprehensive access to infected machines while attempting to stay stealthy and evade detection.
- Decentralized command-and-control (C2): Instead of a traditional server, PHANTOMPULSE reads its instructions from on-chain transactions across three different blockchains. Because blockchain transactions are public and immutable, the malware can reliably locate C2 signals without any centralized infrastructure.
- Resiliency: Spreading C2 data across multiple chains lets operators withstand restrictions or takedowns on any single blockchain explorer, making disruption much harder for defenders.

Why crypto professionals are the target

Elastic highlights the obvious incentive: blockchain transactions can’t be reversed. Chainalysis data cited in the report shows wallet compromises resulted in $713 million in stolen funds in 2025, underscoring why attackers focus on people with access to private keys, trading dashboards, and liquidity tools.

Recommendations and takeaways

Elastic recommends that organizations in high-risk financial and crypto sectors enforce strict application-level plugin policies so legitimate productivity tools can’t be repurposed into malware delivery channels. Additional practical precautions for users and teams include:

- Avoid opening shared Obsidian vaults or enabling community plugin syncs from unverified sources.
- Limit or centrally manage plugin installation and synchronization in company environments.
- Vet plugins carefully and prefer trusted repositories or signed plugins where possible.
- Harden endpoints with EDR/antivirus tooling and monitor for unusual outbound traffic patterns.
- Follow standard crypto security hygiene: segregate work devices from key-holding devices, use hardware wallets for custody, and minimize exposure of private keys.

This campaign is a reminder that attackers are increasingly combining human-targeted social engineering with creative abuse of legitimate software features to reach high-value crypto targets. Teams handling digital assets should treat plugin ecosystems as a potential attack surface and tighten controls accordingly.
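One way to act on the "centrally manage plugin installation" and "vet plugins" recommendations above is to audit which community plugins a vault has enabled against an allowlist before it is opened. The script below is an added example written for this article, not code from Elastic or the Obsidian project; it assumes the vault config layout `.obsidian/community-plugins.json` (JSON array of enabled plugin ids) and `.obsidian/plugins/<id>/manifest.json` plus `main.js`, and the sample vault it builds is constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed vault layout (not taken from the article):
#   <vault>/.obsidian/community-plugins.json  -> JSON array of enabled plugin ids
#   <vault>/.obsidian/plugins/<id>/manifest.json and main.js -> the plugin itself
def audit_vault(vault_dir, allowlist):
    """Return (plugin_id, reason) findings for enabled community plugins that are
    not on the allowlist or whose on-disk files look inconsistent."""
    cfg = Path(vault_dir) / ".obsidian"
    findings = []
    try:
        enabled = json.loads((cfg / "community-plugins.json").read_text())
    except FileNotFoundError:
        return findings  # no community plugins enabled in this vault
    for pid in enabled:
        plugin_dir = cfg / "plugins" / pid
        if pid not in allowlist:
            findings.append((pid, "enabled but not on allowlist"))
        manifest_path = plugin_dir / "manifest.json"
        if not manifest_path.is_file():
            findings.append((pid, "enabled but no manifest.json on disk"))
            continue
        manifest = json.loads(manifest_path.read_text())
        if manifest.get("id") != pid:  # folder name and declared id should agree
            findings.append((pid, f"manifest id mismatch: {manifest.get('id')!r}"))
        if not (plugin_dir / "main.js").is_file():
            findings.append((pid, "manifest present but main.js missing"))
    return findings

def build_sample_vault():
    """Constructed sample: one allowlisted plugin and one unknown plugin that
    arrived through a shared vault sync. Returns the vault path."""
    root = Path(tempfile.mkdtemp())
    cfg = root / ".obsidian"
    (cfg / "plugins").mkdir(parents=True)
    for pid, declared_id in (("dataview", "dataview"), ("company-dashboard", "dashboard-sync")):
        d = cfg / "plugins" / pid
        d.mkdir()
        (d / "manifest.json").write_text(json.dumps({"id": declared_id, "name": pid, "version": "1.0.0"}))
        (d / "main.js").write_text("// plugin code placeholder\n")
    (cfg / "community-plugins.json").write_text(json.dumps(["dataview", "company-dashboard"]))
    return root

if __name__ == "__main__":
    vault = build_sample_vault()
    for pid, reason in audit_vault(vault, allowlist={"dataview"}):
        print(f"{pid}: {reason}")
```

Run against a real vault path before enabling plugin sync; any finding is a reason to inspect the plugin's `main.js` rather than trust the vault.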