Obsidian Plugin Abuse Delivered PhantomPulse RAT to Finance and Crypto Targets
Attackers targeted individuals in the financial and cryptocurrency sectors by posing as a venture capital firm on LinkedIn and shifting conversations to Telegram, where they lured victims into opening an attacker-controlled Obsidian vault. The campaign, tracked as REF6598, did not rely on a software vulnerability; instead, it abused Obsidian’s community plugin synchronization to deliver trojanized Shell Commands and Hider plugins that executed attacker-defined code when enabled.
On Windows, the infection chain downloaded a PowerShell stage that deployed PHANTOMPULL, an in-memory loader used to decrypt and reflectively load the previously undocumented PHANTOMPULSE RAT. On macOS, victims received a multi-stage obfuscated AppleScript dropper that established LaunchAgent persistence and used Telegram as a fallback command-and-control channel. Researchers said PHANTOMPULSE supports process injection, keylogging, screenshots, telemetry collection, and privilege escalation, while resolving C2 through Ethereum transaction data; they also identified a flaw in that blockchain-based mechanism that could let defenders hijack infected implants by publishing a newer crafted transaction to the monitored wallet.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Elastic detects and blocks the intrusion and publishes technical findings
Elastic Security Labs reported that Elastic Defend detected and blocked the observed attack early. The researchers publicly documented the REF6598 campaign, PHANTOMPULSE capabilities, related infrastructure, and a design flaw in the malware's blockchain-based C2 logic that could allow defenders to hijack infected implants.
Attackers deploy PHANTOMPULSE RAT through trojanized Obsidian plugins
In the observed intrusion chain, trojanized Shell Commands and Hider plugins executed malware on both Windows and macOS. On Windows, the chain used PowerShell and the PHANTOMPULL in-memory loader to deploy the previously undocumented PHANTOMPULSE RAT, while macOS infections used an obfuscated AppleScript dropper with LaunchAgent persistence and Telegram fallback C2.
REF6598 campaign targets finance and crypto professionals via Obsidian lures
Attackers conducted a targeted social-engineering campaign against individuals in the financial and cryptocurrency sectors, impersonating a venture capital firm on LinkedIn and Telegram. Victims were lured into opening an attacker-controlled cloud-hosted Obsidian vault and enabling community plugin sync to trigger malicious code execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
thehackernews.com
Open sourceHackers Weaponize Obsidian Shell Commands Plugin to Launch Cross-Platform Malware Attacks
cybersecuritynews.com
Open sourcePhantom in the vault: Obsidian abused to deliver PhantomPulse RAT - Elastic Security Labs
elastic.co
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
DPRK-Linked Malware Campaigns Use Blockchain C2 to Target Crypto Firms and Developers
Researchers detailed two likely DPRK-linked malware operations that used public blockchains as resilient command-and-control infrastructure while targeting the cryptocurrency ecosystem and software developers. Elastic Security Labs said the **PHANTOMPULSE** Windows RAT, delivered through abused Obsidian plugins and the `PHANTOMPULL` loader, used multiple process-injection techniques, a `schuac`-based UAC bypass via `IElevatedFactoryServer`, hardware breakpoints to suppress **AMSI**, **WLDP**, and **ETW**, and scheduled tasks for persistence. The implant conducted host reconnaissance, screenshot capture, keylogging, and clipboard monitoring, and resolved its latest C2 by reading transaction data from **Ethereum**, **Base**, and **Optimism**, with Telegram and hardcoded-domain fallback paths also noted. A separate supply-chain intrusion attributed to **Famous Chollima** compromised the legitimate Packagist package `roberts/leads`, hiding malicious JavaScript in a development-branch `tailwind.js` file that fetched encrypted payloads from **TRON**, **Aptos**, and **BNB Smart Chain**. Socket linked the activity to prior DPRK tooling including **DEV#POPPER RAT**, **OmniStealer**, and **BeaverTail**, while public reporting and social-media tracking tied it to the broader **Contagious Interview** ecosystem. Elastic said PHANTOMPULSE's blockchain resolver failed to verify transaction senders, creating a rare opportunity for defenders to sinkhole infected hosts with a crafted transaction, and advised monitoring suspicious scheduled tasks, unusual `rundll32.exe` execution, hardware-breakpoint tampering, and Node.js access to blockchain or RPC services during builds.
Jun 29, 2026
Infostealer Campaigns Expand to macOS and Cross-Platform Platform Abuse
Microsoft reported that infostealer operators have broadened beyond traditional Windows-focused activity to target **macOS** and mixed-platform environments through social engineering, malicious installers, and abuse of trusted services. Since late 2025, researchers observed campaigns delivering **DigitStealer**, **MacSync**, and **Atomic macOS Stealer (AMOS)** via fake software downloads, malicious `.dmg` files, and **ClickFix**-style prompts that trick users into running Terminal commands, leading to theft of browser credentials, cryptocurrency wallet data, Keychain contents, and developer secrets. The company also linked multiple cross-platform and Python-based operations to the trend, including **PXA Stealer**, attributed to Vietnamese-speaking threat actors targeting government and education organizations through phishing, persistence mechanisms, and Telegram-based exfiltration. Separate campaigns used **WhatsApp** to spread **Eternidade Stealer** with worm-like propagation and pushed a fake **Crystal PDF** installer through malvertising and SEO poisoning to capture browser sessions and credentials. Microsoft said the activity increasingly relies on fileless execution, native utilities, obfuscation, **LOLBINs**, and trusted platforms to evade detection, and published Defender XDR detections, hunting queries, indicators of compromise, and mitigation guidance.
Jun 29, 2026
Malicious AI and Software Repositories Spread Rust-Based Infostealers
Threat researchers uncovered multiple malware campaigns abusing trusted developer and AI distribution platforms to spread **Rust-based infostealers** through fake or typosquatted repositories. HiddenLayer found that a malicious Hugging Face project, `Open-OSS/privacy-filter`, impersonated OpenAI’s legitimate Privacy Filter repository, briefly became the platform’s top trending project, and was downloaded about **244,000** times before removal. The repository’s `loader.py` fetched a multi-stage payload ending in the `sefirah` infostealer, which harvested browser data, Discord tokens, cryptocurrency wallet data, SSH/FTP/VPN credentials, local files, system details, and screenshots, then exfiltrated the data to `recargapopular[.]com`. Researchers also linked the activity to overlaps with an npm typosquatting campaign associated with the **WinOS 4.0** implant. In a parallel campaign, Netskope reported that attackers impersonated the OpenClaw project with a fake installer site and a typosquatted GitHub organization to deliver a previously undocumented Rust dropper called **Hologram** and a modular implant framework. The malware targeted credentials from more than **250** cryptocurrency wallet, password manager, and 2FA browser extensions, while using anti-sandbox checks, in-memory .NET execution, reflective PE loading, persistence via `Userinit`, COM hijacking, and scheduled tasks, plus direct NT syscall thread injection. Operators staged and relayed infrastructure through legitimate services including **Azure DevOps, Telegram, Hookdeck, snippet.host, and Pastebin**; Netskope said the operation marked the first documented malware abuse of Hookdeck as a C2 relay and later evolved into a third wave, **Pathfinder**, that added confirmed Vidar infostealer delivery.
Jun 29, 2026