Hackers Spread PHANTOMPULSE Trojan via Obsidian Plugin

According to Elastic Security Labs, threat actors impersonated venture capital firms and lured targets into opening malicious Obsidian note vaults via LinkedIn and Telegram. This attack leveraged Obsidian’s Shell Commands plugin to execute malicious payloads without exploiting any vulnerabilities when victims opened the note vaults. The PHANTOMPULSE malware discovered in this campaign is a previously undocumented Windows Remote Access Trojan (RAT) that uses Ethereum transaction data to achieve blockchain-based C2 communication. The macOS payload employs an obfuscated AppleScript dropper and uses a Telegram channel as a fallback C2. Elastic Defend detected and blocked the PHANTOMPULSE execution before it could run.