DEV Community

Mark0


Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT

Elastic Security Labs has uncovered a novel social engineering campaign, tracked as REF6598, targeting the financial and cryptocurrency sectors. The attack leverages the Obsidian note-taking app's legitimate community plugin ecosystem, specifically the "Shell Commands" and "Hider" plugins, to execute malicious code on Windows and macOS. Attackers use LinkedIn and Telegram to lure victims into opening a trojanized Obsidian vault, which silently triggers the infection chain when the user enables community plugin sync.

The Windows infection chain deploys the PHANTOMPULL loader, which reflectively loads PHANTOMPULSE, a sophisticated AI-assisted Remote Access Trojan (RAT). Notably, the RAT utilizes public blockchain infrastructure—including Ethereum, Base, and Optimism—to resolve its Command and Control (C2) server addresses through transaction metadata. On macOS, the threat actor utilizes an obfuscated AppleScript dropper with a Telegram-based fallback mechanism for C2 communication, highlighting the cross-platform nature of this campaign.
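The initial access vector above (a shared vault whose enabled community plugins run code once plugin sync is turned on) is something a defender can triage from disk. The following Python helper is an added example, not code from the article or from Elastic Security Labs: it walks a vault's `.obsidian` folder, lists installed or enabled plugins that appear on a watchlist of code-executing plugins, and dumps any commands Shell Commands is configured to run, flagging those wired to an automatic event. The vault layout (`.obsidian/community-plugins.json`, `.obsidian/plugins/<id>/data.json`), the plugin ids `obsidian-shellcommands` and `obsidian-hider`, the `shell_commands` / `shell_command` / `events` keys and the event name `after-obsidian-starts` are assumptions about the plugins' on-disk format; the sample vault it scans is constructed inline.

```python
"""Added triage helper (not from the article or from Elastic): list Obsidian
community plugins in a vault that can run code, and dump any commands they are
configured to execute.

Assumed, not stated in the article: the vault layout
.obsidian/community-plugins.json (JSON list of enabled plugin ids) and
.obsidian/plugins/<id>/{manifest.json,data.json}; the plugin ids in WATCHLIST;
and that Shell Commands stores its commands under "shell_commands" in data.json
with per-command "events" toggles.
"""
import json
import tempfile
from pathlib import Path

# Plugin ids are assumptions; the article names them only as "Shell Commands" and "Hider".
WATCHLIST = {
    "obsidian-shellcommands": "Shell Commands: executes configured shell commands, optionally on events",
    "obsidian-hider": "Hider: hides UI elements, can mask plugin activity from the user",
}


def load_json(path):
    """Return parsed JSON from path, or None if the file is missing or malformed."""
    try:
        return json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def extract_commands(data):
    """Pull configured commands and their enabled trigger events from Shell Commands data.json."""
    commands = []
    for entry in (data or {}).get("shell_commands", []):
        events = entry.get("events", {})
        enabled_events = sorted(name for name, cfg in events.items()
                                if isinstance(cfg, dict) and cfg.get("enabled"))
        commands.append({"command": entry.get("shell_command", ""), "events": enabled_events})
    return commands


def scan_vault(vault):
    """Return one finding per watchlisted plugin that is installed or enabled in the vault."""
    cfg = Path(vault) / ".obsidian"
    enabled = set(load_json(cfg / "community-plugins.json") or [])
    plugin_dir = cfg / "plugins"
    installed = {p.name for p in plugin_dir.iterdir() if p.is_dir()} if plugin_dir.is_dir() else set()
    findings = []
    for pid in sorted(enabled | installed):
        if pid not in WATCHLIST:
            continue
        commands = []
        if pid == "obsidian-shellcommands":
            commands = extract_commands(load_json(plugin_dir / pid / "data.json"))
        findings.append({
            "plugin": pid,
            "enabled": pid in enabled,
            "reason": WATCHLIST[pid],
            "commands": commands,
            # A command wired to an event fires without the user invoking it: review first.
            "auto_run": any(c["events"] for c in commands),
        })
    return findings


def make_sample_vault(root):
    """Write a constructed sample vault (not a real artifact) under root and return its path."""
    vault = Path(root) / "sample-vault"
    plugins = vault / ".obsidian" / "plugins"
    for pid in ("obsidian-shellcommands", "obsidian-hider", "calendar"):
        (plugins / pid).mkdir(parents=True, exist_ok=True)
        (plugins / pid / "manifest.json").write_text(json.dumps({"id": pid}))
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider", "calendar"]))
    # Constructed placeholder command; "after-obsidian-starts" is an assumed event name.
    (plugins / "obsidian-shellcommands" / "data.json").write_text(json.dumps({
        "shell_commands": [
            {"shell_command": "echo CONSTRUCTED-PLACEHOLDER",
             "events": {"after-obsidian-starts": {"enabled": True}}},
            {"shell_command": "echo manual-only", "events": {}},
        ]
    }))
    return vault


def demo():
    """Build the sample vault in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_vault(make_sample_vault(tmp))


if __name__ == "__main__":
    for f in demo():
        tag = "AUTO-RUN" if f["auto_run"] else "review"
        print(f"[{tag}] {f['plugin']} enabled={f['enabled']}: {f['reason']}")
        for c in f["commands"]:
            print(f"    command={c['command']!r} events={c['events']}")
```

Pointing `scan_vault` at a vault received from a third party before enabling community plugins gives a quick answer to the question the campaign relies on nobody asking: which plugins in this vault can run code, and what are they set to run. Any Shell Commands entry bound to an event (reported as `auto_run`) deserves the first look, since that is the path that needs no further user action.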


