Overview
- Elastic Security Labs detailed a targeted campaign that abuses Obsidian’s community plugin system to install a new remote access trojan called PHANTOMPULSE.
- Attackers pose as venture capital contacts on LinkedIn, shift conversations to Telegram, then share an Obsidian cloud vault that nudges targets to enable plugin sync.
- Enabling sync triggers trojanized plugins that quietly install PHANTOMPULSE on Windows or macOS devices while attempting to avoid detection.
- The malware pulls instructions from transactions tied to specific wallets on three public blockchains, which removes the need for a central command server.
- Researchers urge firms to restrict third-party plugins, monitor endpoints for stealthy RAT behavior, and train staff in high-risk roles; the warning comes as wallet thefts reached $713 million in 2025, according to Chainalysis.