PHANTOMPULSE Malware Campaign Exploits Obsidian for Targeted Attacks

PHANTOMPULSE Malware Campaign Exploits Obsidian for Targeted Attacks

First seen 14 Apr 2026, 17:00 UTC GbhackersCybersecuritynewsSocprimeBitgetMexc+4 82% similarity 69.0

Article Content

Browse articles
ThreatCluster

A sophisticated social engineering campaign has been uncovered, targeting individuals in the financial and cryptocurrency sectors through the Obsidian note-taking application. The attackers, posing as representatives of a venture capital firm, lure victims into using a compromised cloud vault. Once the vault is accessed, malicious plugins execute a remote access trojan (RAT) named PHANTOMPULSE, which operates on both Windows and macOS systems. This malware employs a decentralized command-and-control mechanism utilizing blockchain technology, making it resilient against takedowns. The campaign has been tracked under the identifier REF6598 and leverages legitimate community plugins to execute malicious code without exploiting software vulnerabilities. Elastic Security Labs detected and blocked the attack at an early stage, but the potential for widespread impact remains significant. The malware's stealth and advanced techniques pose serious risks to targeted sectors.

Key Points: • PHANTOMPULSE RAT exploits Obsidian's plugin ecosystem to target crypto and finance professionals. • Attackers use social engineering tactics via Telegram to establish trust before deploying malware. • The malware employs blockchain for decentralized command and control, enhancing its resilience.

ThreatCluster AI

Timeline

2026-04-14
Elastic Security Labs uncovers the PHANTOMPULSE campaign.
2026-04-15
Reports published detailing the attack methods and impact.

Community

Browse all →