Back

PHANTOMPULSE Malware Campaign Exploits Obsidian for Targeted Attacks

Severity: High (Score: 69.0)

Sources: Bitget, Mexc, Socprime, Cybersecuritynews, www.elastic.co

Summary

A sophisticated social engineering campaign has been uncovered, targeting individuals in the financial and cryptocurrency sectors through the Obsidian note-taking application. The attackers, posing as representatives of a venture capital firm, lure victims into using a compromised cloud vault. Once the vault is accessed, malicious plugins execute a remote access trojan (RAT) named PHANTOMPULSE, which operates on both Windows and macOS systems. This malware employs a decentralized command-and-control mechanism utilizing blockchain technology, making it resilient against takedowns. The campaign has been tracked under the identifier REF6598 and leverages legitimate community plugins to execute malicious code without exploiting software vulnerabilities. Elastic Security Labs detected and blocked the attack at an early stage, but the potential for widespread impact remains significant. The malware's stealth and advanced techniques pose serious risks to targeted sectors. Key Points: • PHANTOMPULSE RAT exploits Obsidian's plugin ecosystem to target crypto and finance professionals. • Attackers use social engineering tactics via Telegram to establish trust before deploying malware. • The malware employs blockchain for decentralized command and control, enhancing its resilience.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • Ref6598 (campaign)
  • Apple (company)
  • SAS Software Company (company)
  • 0x666.info (domain)
  • panel.fefea22134.net (domain)
  • 0x38796B8479fDAE0A72e5E7e326c87a637D0Cbc0E (eth)
  • 0xc117688c530b660e15085bF3A2B664117d8672aA (eth)
  • Finance (industry)
  • Financial (industry)
  • 195.3.222.251 (ipv4)
  • Phantompull (malware)
  • Phantompulse (malware)
  • A6FA4ADFC20E8E6B77E2DD631DC8FF18 (md5)
  • dcf5a9b27cbeedb769ccc8635d204af9 (md5)
  • f77c8e40dfc17be5e74d8679d5b35341 (md5)
  • T1055 - Process Injection (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • App Store (platform)
  • MacOS (platform)
  • Obsidian (platform)
  • Telegram (platform)
  • Windows (platform)
  • AppleScript (tool)
  • BitsTransfer (tool)
  • Obsidian Shell Commands Plugin (tool)
  • PowerShell (tool)
  • Shell Commands Plugin (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed