Cyber Alert: Obsidian App Exploited to Deliver Dangerous Malware

Obsidian Note-Taking App Hijacked in Clever Cyber Attack – Hackers Using Your Productivity Tool to Sneak In Dangerous Malware!

Imagine opening your favorite note-taking app to check some important financial notes, only to unknowingly let hackers into your computer. That’s exactly what’s happening in a sophisticated new cyber campaign targeting people working in finance and cryptocurrency. Security researchers have uncovered how attackers are abusing Obsidian - a popular cross-platform app loved by professionals for organizing thoughts and data * to deliver a brand-new remote access trojan (RAT) called PHANTOMPULSE.

This isn’t some random virus attack. It’s a carefully crafted social engineering operation that feels incredibly real to the victims. Elastic Security Labs has named the campaign REF6598, and it’s raising serious concerns because it uses trusted tools and clever tricks instead of traditional malware that antivirus software can easily catch.

How the Attack Begins: Fake VC Firms on LinkedIn and Telegram

The attackers start by reaching out to targets on LinkedIn, pretending to be from a legitimate venture capital firm interested in their work in finance or crypto. Once they get the person’s attention, they quickly move the conversation to a Telegram group chat.

This group is cleverly designed to look trustworthy. It has several “partners” discussing real-sounding topics like financial services, crypto liquidity solutions, and investment opportunities. The goal is simple: build credibility fast so the target lowers their guard.

Then comes the tricky part. The attackers convince the victim to use Obsidian to “view a shared dashboard.” They provide login credentials for a cloud-hosted vault. As soon as the target opens this vault in Obsidian, the trap is set. They’re asked to enable “Installed community plugins” sync — something that’s turned off by default for security reasons.

This single click (or toggle) is what lets the malicious code run. The attackers abuse two legitimate Obsidian community plugins - Shell Commands and Hider - to execute code silently in the background.

The Technical Trick That Makes This Attack So Sneaky

Researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic from Elastic Security Labs explained it clearly: the attackers aren’t exploiting any software bug. Instead, they’re abusing Obsidian’s own features against the user.

The Shell Commands plugin is used to run malicious instructions, while the Hider plugin hides things like the status bar, scrollbars, and tooltips so the victim doesn’t notice anything suspicious happening. Because everything lives inside normal-looking JSON configuration files inside the vault, traditional antivirus tools often miss it completely. The code runs through Obsidian itself - a trusted, signed application - making it even harder to detect.

This technique requires the attacker to socially engineer the victim into manually turning on community plugin sync. That human element is what makes the attack both clever and dangerous.

What Happens After Infection: PHANTOMPULSE RAT

Once the code runs, the behavior differs depending on whether the victim is using Windows or macOS.

On Windows:

• A PowerShell script is launched.
• This drops an intermediate loader called PHANTOMPULL.
• The loader then decrypts and runs the main malware - PHANTOMPULSE - directly in memory (so it leaves fewer traces on the hard drive).

PHANTOMPULSE is a sophisticated backdoor. What makes it particularly interesting is that it uses the Ethereum blockchain to find its command-and-control (C2) server. It looks up the latest transaction on a hard-coded crypto wallet address to get the current C2 location. This is a smart way to stay hidden and make blocking the server very difficult.

The RAT can do a lot of damaging things:

• Inject shellcode, DLLs, or executables into other processes
• Drop and run files on the system
• Take screenshots and upload them
• Start and stop a keylogger to steal passwords and sensitive info
• Uninstall itself and clean up traces
• Escalate privileges to SYSTEM level
• Send system information back to the attackers

On macOS:

• The attack uses an obfuscated AppleScript dropper.
• It tries multiple domains and even uses Telegram as a backup way to find the C2 server.
• It then downloads and runs a second-stage payload (researchers couldn’t fully analyze this part because the C2 servers went offline).

Fortunately, in the cases Elastic observed, the attack was caught and stopped before the hackers could achieve their full goals. But the sophistication shows how determined these threat actors are.

Why Finance and Crypto People Are Being Targeted

The focus on financial and cryptocurrency professionals makes perfect sense. These sectors deal with high-value transactions, sensitive personal data, and large sums of money. Stealing credentials, taking screenshots of trading platforms, or logging keystrokes could lead to serious financial theft or account takeovers.

The attackers are patient and professional - they build fake personas, create believable group chats, and use legitimate-looking tools. This isn’t a spray-and-pray malware campaign. It’s targeted and well-planned.

The Bigger Lesson Here

Elastic Security Labs summed it up well: “REF6598 demonstrates how threat actors continue to find creative initial access vectors by abusing trusted applications and employing targeted social engineering. By abusing Obsidian’s community plugin ecosystem rather than exploiting a software vulnerability, the attackers bypass traditional security controls entirely.”

This campaign shows a worrying trend. Hackers are moving away from obvious malware and toward abusing everyday productivity tools that people trust. Obsidian is popular precisely because it’s flexible and powerful - and that flexibility is exactly what the attackers exploited.

What Should You Do to Stay Safe?

If you use Obsidian (or any similar tools):

• Be extremely careful with shared vaults from people you don’t know well.
• Never enable community plugin sync unless you fully trust the source.
• Keep your apps and operating system updated.
• Use strong, unique passwords and enable multi-factor authentication everywhere possible.
• Consider security tools that monitor for suspicious behavior, not just known malware signatures.

This attack is a wake-up call. Even the most innocent-looking apps can become weapons when combined with clever social engineering. As AI tools and productivity apps become more powerful, we can expect attackers to get more creative in abusing them.

Stay safe out there, and always think twice before clicking “enable” on something that feels even slightly off.