Obsidian plugin was abused to deploy a remote access trojan
Key takeaways
- Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT
- Once the victim opens the shared vault, the infection is triggered by social engineering.
- The attack chain differs slightly between Windows and macOS but follows the same general principle:
Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT
Security researchers have identified a highly targeted social engineering campaign (REF6598) that weaponizes the Obsidian note-taking application to deliver a previously undocumented Remote Access Trojan (RAT) named PHANTOMPULSE. The campaign targets individuals in the financial and cryptocurrency sectors on both Windows and macOS. Attackers use platforms like LinkedIn and Telegram to build trust before luring victims into a malicious shared Obsidian vault. The attack chain relies on tricking the user into enabling a community plugin, which then executes code to deploy the RAT. PHANTOMPULSE demonstrates advanced capabilities, including using the Ethereum blockchain to dynamically resolve its command-and-control (C2) server address, making it highly resilient to takedowns.
The attack, designated REF6598, is a multi-stage social engineering effort. Threat actors pose as venture capitalists and engage with targets on professional networking sites before moving the conversation to a private Telegram group. The primary lure is an invitation to collaborate via a shared, cloud-hosted Obsidian vault.
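Because the infection hinges on a community plugin being enabled inside a shared vault, a responder's first question is "which plugins does this vault enable, and does their code spawn processes?" The triage script below is an added example, not code from the original report or from Obsidian; it assumes the standard vault layout (`.obsidian/community-plugins.json` listing enabled plugin ids, `.obsidian/plugins/<id>/manifest.json` and `main.js`), and its indicator patterns and sample vault are constructed heuristics, not signatures from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed heuristics: APIs a note-taking plugin rarely needs but a payload loader does.
SUSPICIOUS = {
    "child_process": re.compile(r"""require\(\s*["']child_process["']\s*\)"""),
    "shell_exec": re.compile(r"\b(exec|execSync|spawn|spawnSync)\s*\("),
    "shell_binary": re.compile(r"powershell|cmd\.exe|/bin/(ba)?sh|osascript", re.I),
    "dynamic_eval": re.compile(r"\b(eval|new Function)\s*\("),
}

def triage_vault(vault: Path) -> list:
    """One record per enabled community plugin, with the indicators its main.js matched."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    if not enabled_file.is_file():
        return []  # no community plugins enabled (Obsidian's default state)
    results = []
    for plugin_id in json.loads(enabled_file.read_text(encoding="utf-8")):
        pdir = cfg / "plugins" / plugin_id
        mpath, jpath = pdir / "manifest.json", pdir / "main.js"
        manifest = json.loads(mpath.read_text(encoding="utf-8")) if mpath.is_file() else {}
        code = jpath.read_text(encoding="utf-8", errors="replace") if jpath.is_file() else ""
        hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(code))
        results.append({"id": plugin_id, "name": manifest.get("name", "<no manifest>"),
                        "indicators": hits, "review": bool(hits)})
    return results

def build_sample_vault(root: Path) -> Path:
    """Constructed fixture: a benign plugin and one that reaches for a shell."""
    cfg = root / ".obsidian"
    samples = {
        "word-count": "module.exports = class { onload() { this.addStatusBarItem(); } }",
        "vault-sync": "const cp = require('child_process');\ncp.exec('powershell -File ./sync.ps1');",
    }
    for pid, js in samples.items():
        (cfg / "plugins" / pid).mkdir(parents=True)
        (cfg / "plugins" / pid / "main.js").write_text(js, encoding="utf-8")
        (cfg / "plugins" / pid / "manifest.json").write_text(
            json.dumps({"id": pid, "name": pid.title(), "author": "constructed"}), encoding="utf-8")
    (cfg / "community-plugins.json").write_text(json.dumps(list(samples)), encoding="utf-8")
    return root

def demo() -> list:
    # Build the fixture in a temporary directory, triage it, and return the report.
    with tempfile.TemporaryDirectory() as tmp:
        return triage_vault(build_sample_vault(Path(tmp)))
```

Point `triage_vault` at a suspect vault copy; any plugin with `review` set deserves manual inspection of its `main.js` before the vault is opened again with plugins enabled.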