
Hackers Exploit Obsidian Plugin to Launch PHANTOMPULSE Trojan

2026-04-15 06:50

Odaily News: According to a disclosure by Elastic Security Labs, threat actors impersonated a venture capital firm and lured targets via LinkedIn and Telegram into opening an Obsidian note vault containing malicious code. The attack abused Obsidian's Shell Commands plugin to execute a malicious payload when the victim opened the vault; no vulnerability was exploited.

PHANTOMPULSE, the malware discovered in the attack, is a previously undocumented Windows remote access trojan (RAT) that uses Ethereum transaction data for blockchain-based command-and-control (C2) communication. The macOS payload employs an obfuscated AppleScript dropper and uses a Telegram channel as a fallback C2. Elastic Defend detected and blocked the attack before PHANTOMPULSE could execute.
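Because the payload rides on plugin configuration shipped inside the vault, a received vault can be inspected on disk before it is opened in Obsidian. The following is an added example, not code from Elastic Security Labs or Obsidian; it assumes the standard `.obsidian` layout (`community-plugins.json`, `plugins/<id>/manifest.json`, `data.json`) and that the Shell Commands plugin id is `obsidian-shellcommands`, neither of which is stated in the article.

```python
import json
from pathlib import Path

# Assumption: plugin id of the Shell Commands community plugin (not given in the article).
SHELL_COMMANDS_ID = "obsidian-shellcommands"

def _load_json(path):
    """Return parsed JSON, or None if the file is missing or malformed."""
    try:
        return json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None

def audit_vault(vault):
    """Inspect a vault's .obsidian directory without opening it in Obsidian."""
    cfg = Path(vault) / ".obsidian"
    findings = {"enabled": [], "bundled": [], "preconfigured": [],
                "shell_commands": False}

    # community-plugins.json lists the plugin ids the vault wants enabled.
    enabled = _load_json(cfg / "community-plugins.json")
    if isinstance(enabled, list):
        findings["enabled"] = sorted(str(p) for p in enabled)

    # Plugin code and settings travel with the vault under .obsidian/plugins/.
    plugins_dir = cfg / "plugins"
    if plugins_dir.is_dir():
        for d in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
            manifest = _load_json(d / "manifest.json")
            plugin_id = d.name
            if isinstance(manifest, dict):
                plugin_id = str(manifest.get("id", d.name))
            findings["bundled"].append(plugin_id)
            # A shipped data.json means the sender pre-set the plugin's settings.
            if (d / "data.json").is_file():
                findings["preconfigured"].append(plugin_id)

    seen = set(findings["enabled"]) | set(findings["bundled"])
    findings["shell_commands"] = SHELL_COMMANDS_ID in seen
    return findings

def verdict(findings):
    """Triage: 'block' if Shell Commands ships with the vault, 'review' if any
    community plugin does, otherwise 'ok'."""
    if findings["shell_commands"]:
        return "block"
    if findings["enabled"] or findings["bundled"]:
        return "review"
    return "ok"
```

Run `verdict(audit_vault(path))` against an extracted copy of the vault; anything other than `ok` means third-party plugin code or settings arrived with the notes and should be reviewed before the vault is opened.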