tech 11 May 2026

Exploitation of Obsidian Plugin to Deploy a Remote Access Trojan

A social engineering campaign hijacked the Obsidian note-taking app to deploy a remote access trojan, targeting finance and cryptocurrency professionals.

Article inspired by the original source: Obsidian plugin was abused to deploy a remote access trojan ↗ cyber.netsecops.io

Introduction

In a world where cyberattacks are becoming increasingly sophisticated, the recent exploitation of an Obsidian plugin to deploy the PHANTOMPULSE trojan represents a disturbing development. This campaign, primarily targeting finance and cryptocurrency professionals, employs social engineering techniques to deceive users and take control of their systems.

Attack Background

The PHANTOMPULSE malware was introduced via a campaign designated REF6598. Attackers, posing as venture capitalists, approach their targets on platforms like LinkedIn before moving the conversation to Telegram. They then invite victims to collaborate through a cloud-hosted shared vault in the Obsidian app.

Infection Methodology

The attack relies on manipulating targets into enabling a community plugin in Obsidian, an action that seems innocuous but allows the execution of malicious scripts. The chain is triggered by installing modified versions of legitimate plugins, notably 'Shell Commands' and 'Hider'.

Technical Analysis

Initial Access

Attackers use spear-phishing techniques, enticing users to open a compromised Obsidian vault. Once opened, the malicious plugin executes a PowerShell script on Windows or an equivalent script on macOS.

Malware Deployment

On Windows, a PowerShell script deploys a loader named PHANTOMPULL, which then installs the PHANTOMPULSE RAT. On macOS, a similar process is followed, although the underlying mechanisms differ slightly.
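The infection chain above hinges on a vault shipping a trojanised community plugin that is already listed as enabled. As an added example (not code from the original article or from the Obsidian project), the Python script below audits a vault the way an analyst or endpoint script could before a user opens it: it reads the list of enabled community plugins and inspects each plugin's code for constructs that reach out of the Electron renderer to run commands (child_process, exec/spawn, PowerShell or macOS shell references, dynamic code evaluation). The vault layout (`.obsidian/community-plugins.json`, `.obsidian/plugins/<id>/main.js` and `manifest.json`) is Obsidian's standard layout; the indicator patterns, the sample vault and the plugin ids `word-counter` and `hider-modified` are constructed for this example.

```python
"""Audit an Obsidian vault for enabled community plugins whose code can spawn shells.

Assumed vault layout (Obsidian's standard layout, not taken from the article):
  <vault>/.obsidian/community-plugins.json   -> JSON list of enabled plugin ids
  <vault>/.obsidian/plugins/<id>/manifest.json
  <vault>/.obsidian/plugins/<id>/main.js
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators that plugin code can execute commands or load code at runtime.
# A hit is a reason to inspect, not proof of malice: the legitimate Shell
# Commands plugin matches by design, which is why the user must know what an
# enabled plugin does before opening a vault someone else prepared.
SHELL_INDICATORS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "exec_or_spawn": re.compile(r"\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\("),
    "powershell": re.compile(r"powershell(?:\.exe)?", re.IGNORECASE),
    "macos_shell": re.compile(r"(?:\bosascript\b|/bin/(?:ba)?sh\b)"),
    "dynamic_code": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
}


def enabled_plugins(vault: Path) -> list[str]:
    """Return the plugin ids Obsidian will load for this vault (empty if none enabled)."""
    listing = vault / ".obsidian" / "community-plugins.json"
    if not listing.is_file():
        return []
    return json.loads(listing.read_text(encoding="utf-8"))


def scan_plugin(plugin_dir: Path) -> dict:
    """Inspect one plugin directory and report which shell indicators its code contains."""
    manifest = {}
    manifest_file = plugin_dir / "manifest.json"
    if manifest_file.is_file():
        manifest = json.loads(manifest_file.read_text(encoding="utf-8"))
    code = ""
    main_js = plugin_dir / "main.js"
    if main_js.is_file():
        code = main_js.read_text(encoding="utf-8", errors="replace")
    hits = sorted(name for name, rx in SHELL_INDICATORS.items() if rx.search(code))
    return {
        "id": plugin_dir.name,
        "name": manifest.get("name", "<no manifest>"),
        "indicators": hits,
        "suspicious": bool(hits),
    }


def audit_vault(vault: Path) -> list[dict]:
    """Scan every enabled community plugin; disabled plugins are never loaded, so they are skipped."""
    plugins_dir = vault / ".obsidian" / "plugins"
    return [scan_plugin(plugins_dir / pid) for pid in enabled_plugins(vault)]


def build_sample_vault(root: Path) -> Path:
    """Constructed sample vault: one benign plugin and one trojanised copy of a plugin.

    Both plugins and their code are invented for this example.
    """
    plugins = root / ".obsidian" / "plugins"
    benign = plugins / "word-counter"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"id": "word-counter", "name": "Word Counter"}))
    (benign / "main.js").write_text(
        "const {Plugin}=require('obsidian');"
        "module.exports=class extends Plugin{onload(){this.addStatusBarItem().setText('0 words');}};"
    )
    trojanised = plugins / "hider-modified"
    trojanised.mkdir(parents=True)
    (trojanised / "manifest.json").write_text(json.dumps({"id": "hider-modified", "name": "Hider"}))
    (trojanised / "main.js").write_text(
        "const {Plugin}=require('obsidian');"
        "const cp=require('child_process');"
        "module.exports=class extends Plugin{onload(){cp.exec('powershell.exe <placeholder>');}};"
    )
    # The vault arrives with both plugins already switched on: the user only has
    # to confirm the "enable community plugins" prompt for them to run.
    (root / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["word-counter", "hider-modified"])
    )
    return root


def demo() -> list[dict]:
    """Build the constructed vault in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['id']:16} {finding['name']:14} {finding['indicators']}")
```

Run it against a real vault with `audit_vault(Path("/path/to/vault"))`. A flagged plugin whose name matches a published one (as with the modified 'Hider' and 'Shell Commands' copies described above) should be diffed against the official release of the same version rather than trusted on its name, and a vault received from a third party should be opened with community plugins left disabled until that check is done.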

Resilience and Command

PHANTOMPULSE uses the Ethereum blockchain to dynamically resolve the address of its command and control (C2) server, making it resilient to takedown efforts.

Implications for Professionals

This attack highlights the growing need for vigilance among professionals in sensitive sectors. Using professional networks to target potential victims underscores the importance of cybersecurity training and awareness of social engineering threats.

Conclusion

The sophistication of the attack via Obsidian demonstrates that even productivity tools can be hijacked for malicious purposes. Companies must take proactive measures to secure their digital environments and educate their teams on potential threats.
