    Ai Crypto Times

    New malware scam targets crypto users through Obsidian notes app

    By James Wilson, April 15, 2026



    A new social engineering scheme is leveraging the Obsidian note-taking app to deploy stealthy malware targeting cryptocurrency and finance professionals.

    Summary

    • Scammers are using LinkedIn and Telegram to trick crypto professionals into downloading malicious Obsidian plugins that deploy a remote access trojan.
    • Elastic Security Labs discovered that the undocumented PHANTOMPULSE malware uses three different blockchain networks to receive commands and maintain persistence.
    • Security researchers recommend that financial firms implement strict application-level plugin policies to prevent legitimate productivity tools from being exploited.

    Elastic Security Labs released a report Tuesday detailing how attackers use “elaborate social engineering on LinkedIn and Telegram” to bypass traditional security by hiding malicious code within community-developed plugins. 

    The campaign specifically targets individuals in the digital asset space, capitalizing on the permanent nature of blockchain transactions. This vulnerability is particularly acute given that wallet compromises accounted for $713 million in stolen funds during 2025, according to Chainalysis data.

    The infiltration begins with scammers posing as venture capital representatives on LinkedIn to initiate professional networking. These conversations eventually transition to Telegram, where the attackers discuss cryptocurrency liquidity solutions to build a “plausible business context.” 

    Once trust is established, targets are invited to access what is described as a company database or dashboard hosted on a shared Obsidian cloud vault.

    Opening the vault serves as the initial access vector. The victim is directed to enable community plugin synchronization, which triggers the silent execution of trojanized software. 

    While the technical execution varies slightly between Windows and macOS, both paths result in the installation of a previously unknown remote access trojan (RAT) named PHANTOMPULSE. 

    This malware is designed to grant attackers full control over the infected device while maintaining a low profile to avoid detection.

    PHANTOMPULSE maintains its connection to the attackers through a decentralized command-and-control (C2) system that spans three different blockchain networks. 

    By using on-chain transaction data tied to specific wallets, the malware can receive instructions without a central server. 

    “Because blockchain transactions are immutable and publicly accessible, the malware can always locate its C2 without relying on centralized infrastructure,” Elastic noted.

    The use of multiple chains ensures the attack remains resilient even if one blockchain explorer is restricted. This method allows the operators to rotate their infrastructure seamlessly, making it difficult for defenders to sever the link between the malware and its source. 

    Elastic warned that by abusing Obsidian’s intended functionality, the hackers managed to “skirt traditional security controls entirely.” 

    The firm suggests that organizations operating in high-risk financial sectors should implement strict application-level policies for plugins to prevent legitimate productivity tools from being repurposed as entry points for theft.
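
    One way to check a plugin policy of the kind recommended above, as an added example that is not from this article or from Elastic's report: a Python audit that finds Obsidian vaults under a directory and reports community plugins that are enabled or installed but not on an approved list. It assumes Obsidian's standard vault layout, where `.obsidian/community-plugins.json` lists enabled plugin IDs and each plugin sits in `.obsidian/plugins/<id>/`; the allowlist, the plugin names prefixed `example-` and the sample vault are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical organisation allowlist of approved community plugin IDs.
ALLOWED_PLUGINS = {"dataview", "obsidian-git"}

def find_vaults(root):
    """Yield every directory under root that holds an .obsidian config folder."""
    for cfg in Path(root).rglob(".obsidian"):
        if cfg.is_dir():
            yield cfg.parent

def audit_vault(vault, allowed=ALLOWED_PLUGINS):
    """Return sorted (plugin_id, reason) findings for one vault."""
    cfg = Path(vault) / ".obsidian"
    findings, enabled = set(), []
    try:
        data = json.loads((cfg / "community-plugins.json").read_text(encoding="utf-8"))
        if isinstance(data, list):
            enabled = [p for p in data if isinstance(p, str)]
    except FileNotFoundError:
        pass  # no community plugins have ever been enabled in this vault
    except (json.JSONDecodeError, OSError):
        findings.add(("<community-plugins.json>", "unreadable plugin list"))
    for pid in enabled:
        if pid not in allowed:
            findings.add((pid, "enabled but not on allowlist"))
    # Plugin code that is synced into the vault but not (yet) enabled still matters.
    plugins_dir = cfg / "plugins"
    if plugins_dir.is_dir():
        for d in plugins_dir.iterdir():
            if d.is_dir() and d.name not in allowed and d.name not in enabled:
                findings.add((d.name, "present on disk but not on allowlist"))
    return sorted(findings)

def build_sample_vault(root):
    """Create a constructed sample vault (demonstration data only)."""
    cfg = Path(root) / "SharedVault" / ".obsidian"
    for name in ("dataview", "example-sync-helper", "example-dormant"):
        (cfg / "plugins" / name).mkdir(parents=True)
    enabled = ["dataview", "example-sync-helper"]
    (cfg / "community-plugins.json").write_text(json.dumps(enabled), encoding="utf-8")
    return cfg.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_vault(tmp)
        for vault in find_vaults(tmp):
            for pid, reason in audit_vault(vault):
                print(f"{vault.name}: {pid}: {reason}")
```

    Run against user home directories or shared drives, the findings give a review queue of vaults whose plugin set departs from policy.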


