Tags: malware, high, Remote Access Trojan, Social Engineering, Spear Phishing, PHANTOMPULSE

Apr 16, 2026 • The Hacker News

Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks


Source: The Hacker News
Category: malware
Severity: high

Executive Summary

Elastic Security Labs has uncovered a novel social engineering campaign, designated REF6598, that exploits the legitimate Obsidian note-taking application as an initial access vector to deploy a previously undocumented Windows RAT called PHANTOMPULSE. This campaign specifically targets individuals in the financial services and cryptocurrency sectors. Attackers leverage social engineering techniques to convince victims to download and execute malicious plugins or files through Obsidian, a trusted productivity tool, thereby bypassing traditional security controls. PHANTOMPULSE provides threat actors with persistent remote access, data exfiltration, and command execution capabilities. Organizations in targeted sectors should implement application whitelisting, enforce strict policies on third-party plugin installations, and educate users about social engineering risks associated with note-taking and productivity applications.
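
The plugin-installation policy recommended above can be checked on endpoints by inventorying each vault's community plugins against an approved list. This is an added example, not code from Elastic Security Labs or The Hacker News; it relies on Obsidian's standard vault layout (`.obsidian/plugins/<id>/manifest.json` and `.obsidian/community-plugins.json`), and the allowlist contents, the function names and the plugin id `shared-workspace-sync` are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical organisation allowlist of approved community plugin ids (assumption).
APPROVED_PLUGINS = {"dataview", "obsidian-git"}


def audit_vault(vault: Path, approved=APPROVED_PLUGINS):
    """Return one finding per community plugin in this vault that is not approved."""
    config = vault / ".obsidian"
    try:
        # community-plugins.json is a JSON array of the enabled plugin ids.
        listed = (config / "community-plugins.json").read_text(encoding="utf-8")
        enabled = set(json.loads(listed))
    except (OSError, ValueError, TypeError):
        enabled = set()  # missing or malformed list: still report what is on disk
    findings = []
    plugins_dir = config / "plugins"
    installed = sorted(p for p in plugins_dir.iterdir() if p.is_dir()) if plugins_dir.is_dir() else []
    for plugin in installed:
        try:
            manifest = json.loads((plugin / "manifest.json").read_text(encoding="utf-8"))
            plugin_id = str(manifest.get("id", plugin.name))
        except (OSError, ValueError, AttributeError):
            plugin_id = plugin.name  # missing or malformed manifest: use the folder name
        if plugin_id not in approved:
            findings.append({"vault": str(vault), "plugin": plugin_id,
                             "enabled": plugin_id in enabled or plugin.name in enabled,
                             "has_code": (plugin / "main.js").is_file()})
    return findings


def find_vaults(root: Path):
    """Every directory under root that contains a .obsidian config folder."""
    return sorted(p.parent for p in root.rglob(".obsidian") if p.is_dir())


def demo():
    """Audit a constructed vault holding one approved and one unapproved plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "notes"
        for pid in ("dataview", "shared-workspace-sync"):  # second id is constructed
            d = vault / ".obsidian" / "plugins" / pid
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"id": pid, "version": "1.0.0"}))
            (d / "main.js").write_text("// constructed placeholder\n")
        (vault / ".obsidian" / "community-plugins.json").write_text(json.dumps(["shared-workspace-sync"]))
        return [f for v in find_vaults(Path(tmp)) for f in audit_vault(v)]
```

Pointing `find_vaults` at a user profile directory and feeding each result to `audit_vault` yields the unapproved plugins per vault; a finding with both `enabled` and `has_code` set is the one to triage first.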

Summary

A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage


Linked Entities

  • PHANTOMPULSE