DEV Community

Mark0

Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT

Elastic Security Labs has uncovered a sophisticated social engineering campaign, tracked as REF6598, which weaponizes the popular note-taking application Obsidian to target financial and cryptocurrency sectors. The attack chain leverages malicious community plugins—specifically Shell Commands and Hider—to execute arbitrary code once a victim syncs a shared cloud vault. This cross-platform threat delivers a novel, AI-assisted Windows RAT named PHANTOMPULSE and a macOS AppleScript dropper, showcasing a high level of technical creativity in bypassing traditional security controls through trusted application features.
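A vault-side hunting check, added here as an example and not code from this post or from Elastic's report: it reports whether a synced Obsidian vault has the Shell Commands or Hider community plugins enabled and lists any shell commands they are configured to run. The plugin IDs (`obsidian-shellcommands`, `obsidian-hider`), the `.obsidian/community-plugins.json` layout and the `data.json` settings shape are assumptions about Obsidian's on-disk format, and the sample vault is constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Assumed plugin IDs; the post names the plugins only as "Shell Commands" and "Hider".
RISKY_PLUGINS = {
    "obsidian-shellcommands": "runs arbitrary shell commands from vault settings",
    "obsidian-hider": "hides UI elements that could reveal plugin activity",
}

def audit_vault(vault: Path) -> dict:
    """Report risky community plugins enabled in one Obsidian vault.

    Assumed layout: <vault>/.obsidian/community-plugins.json is a JSON list of
    enabled plugin IDs, and each plugin stores settings in
    <vault>/.obsidian/plugins/<id>/data.json.
    """
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    if not enabled_file.is_file():
        return {"enabled": [], "risky": {}, "shell_commands": []}
    enabled = json.loads(enabled_file.read_text(encoding="utf-8"))
    risky = {p: RISKY_PLUGINS[p] for p in enabled if p in RISKY_PLUGINS}
    commands = []
    data = cfg / "plugins" / "obsidian-shellcommands" / "data.json"
    if "obsidian-shellcommands" in risky and data.is_file():
        settings = json.loads(data.read_text(encoding="utf-8"))
        # Assumed settings shape: {"shell_commands": [{"shell_command": "..."}, ...]}
        for entry in settings.get("shell_commands", []):
            if isinstance(entry, dict) and entry.get("shell_command"):
                commands.append(entry["shell_command"])
    return {"enabled": enabled, "risky": risky, "shell_commands": commands}

def build_sample_vault(root: Path) -> Path:
    """Construct a sample vault with both plugins enabled and one command configured."""
    cfg = root / "vault" / ".obsidian"
    plug = cfg / "plugins" / "obsidian-shellcommands"
    plug.mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["calendar", "obsidian-shellcommands", "obsidian-hider"]))
    (plug / "data.json").write_text(json.dumps(
        {"shell_commands": [{"id": "1", "shell_command": "cmd.exe /c CONSTRUCTED_PLACEHOLDER"}]}))
    return root / "vault"

def demo() -> dict:
    """Audit the constructed sample vault in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(Path(tmp)))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against every vault path that a cloud-sync client (and the Obsidian sync feature) writes to on an endpoint; a freshly synced vault that already has `obsidian-shellcommands` enabled before the user has touched it is the condition this campaign relies on.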

The Windows-specific payload, PHANTOMPULSE, utilizes a decentralized Command and Control (C2) resolution mechanism by fetching URLs from Ethereum blockchain transaction data. It incorporates advanced features such as reflective loading, module stomping, and a persistent heartbeat mechanism that reports system telemetry. Notably, researchers identified a weakness in the blockchain resolution logic that allows for potential C2 hijacking by third parties, as the malware does not verify the transaction sender. The campaign highlights a growing trend of using AI-generated code to develop feature-rich malware for both Windows and macOS platforms.
