Contacts

Bulgaria, Kavarna
Saudi Arabia, Riyadh

+359 875 328030

sales@diamatix.com
Obsidian Plugin Abuse Enables Targeted Delivery of Remote Access Malware in Financial Attacks

A targeted campaign has been observed using Obsidian as an initial access vector, combining social engineering with abuse of legitimate application features. The campaign targets individuals in finance and cryptocurrency sectors and deploys a previously undocumented remote access trojan known as PHANTOMPULSE.

What happened

The attack starts with outreach on LinkedIn, posing as a venture capital entity. The conversation moves to Telegram, where the victim is placed in a group designed to appear credible.

The victim is then instructed to open a shared Obsidian vault. To view it as intended, they are told to enable community plugins (Obsidian's plugin synchronization option), which Obsidian refuses to load until the user opts in. Once enabled, the plugins bundled inside the vault load, and the attacker's pre-configured commands run. No exploit is involved: the user's own click is the trigger.

The attack leverages two legitimate community plugins:

  • Shell Commands plugin, which lets a vault define operating-system commands that Obsidian executes
  • Hider plugin, which hides UI elements so the plugin activity is less visible to the victim
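A defender handed a suspicious vault (or hunting across synced vaults on a fleet) wants to know which community plugins it enables and what commands it carries. The script below is an added example, not code from the article or from Elastic's analysis. It assumes the layout Obsidian uses for vault configuration: `.obsidian/community-plugins.json` (a JSON array of enabled plugin ids) and `.obsidian/plugins/<id>/data.json` for each plugin's settings. The plugin ids `obsidian-shellcommands` and `obsidian-hider`, and the `shell_command` / `platform_specific_commands` keys searched in the Shell Commands data file, are taken from those plugins' public repositories rather than from the article and should be treated as assumptions. The vault it audits is constructed in a temporary directory.

```python
"""Audit an Obsidian vault for community plugins that can run OS commands.

Added example; the file layout and plugin ids below are assumptions
(see lead-in), and the sample vault is constructed, not a real artefact.
"""
import json
import re
import tempfile
from pathlib import Path

# Plugin ids assumed from the plugins' public repositories.
EXEC_PLUGINS = {"obsidian-shellcommands"}     # can execute OS commands
CONCEAL_PLUGINS = {"obsidian-hider"}          # hides UI elements

# Tokens that make a vault-defined command worth looking at first.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|-enc\b|-e\b|iex|invoke-expression|osascript|"
    r"curl |wget |bash -c|sh -c|base64|-w hidden)", re.I)


def _collect_commands(node, out):
    """Walk the plugin's JSON and collect every command string.

    Assumption: commands live under 'shell_command' (older layouts) or
    'platform_specific_commands' (per-platform map of strings)."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "shell_command" and isinstance(val, str):
                out.append(val)
            elif key == "platform_specific_commands" and isinstance(val, dict):
                out.extend(v for v in val.values() if isinstance(v, str))
            else:
                _collect_commands(val, out)
    elif isinstance(node, list):
        for val in node:
            _collect_commands(val, out)


def audit_vault(vault: Path) -> dict:
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.exists() else []
    commands: list[str] = []
    for pid in enabled:
        data = cfg / "plugins" / pid / "data.json"
        if pid in EXEC_PLUGINS and data.exists():
            _collect_commands(json.loads(data.read_text()), commands)
    exec_plugins = [p for p in enabled if p in EXEC_PLUGINS]
    return {
        "enabled": enabled,
        "exec_plugins": exec_plugins,
        "conceal_plugins": [p for p in enabled if p in CONCEAL_PLUGINS],
        "commands": commands,
        "flagged": [c for c in commands if SUSPICIOUS.search(c)],
        # Any command shipped inside a vault you did not author is a finding;
        # 'flagged' only orders the triage.
        "suspicious": bool(exec_plugins) and bool(commands),
    }


def build_sample_vault(with_plugins: bool = True) -> Path:
    """Constructed vault: a shared 'deal' vault carrying a hidden command."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    cfg = root / ".obsidian"
    cfg.mkdir()
    (root / "Term Sheet.md").write_text("# Term sheet\n\nConstructed sample note.\n")
    if not with_plugins:
        return root
    plugin_dir = cfg / "plugins" / "obsidian-shellcommands"
    plugin_dir.mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider"]))
    (plugin_dir / "data.json").write_text(json.dumps({
        "shell_commands": {
            "a1b2c3d4": {
                "id": "a1b2c3d4",
                "alias": "Sync notes",      # innocuous label shown to the user
                "platform_specific_commands": {
                    "default": "powershell -w hidden -enc QQBBAEEAQQA="},
            }
        }
    }))
    return root


if __name__ == "__main__":
    for key, val in audit_vault(build_sample_vault()).items():
        print(f"{key}: {val}")
```

Run it against a real vault by calling `audit_vault(Path("/path/to/vault"))`; the `.obsidian` directory syncs along with the notes, so the same check works on every endpoint that received the vault.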

How the attack works

Execution paths differ by platform:

  • On Windows, a PowerShell loader (PHANTOMPULL) stages PHANTOMPULSE in memory, so the implant itself need not touch disk
  • On macOS, an AppleScript dropper is used, with Telegram as a fallback C2 channel

PHANTOMPULSE uses:

  • the Ethereum blockchain to resolve its C2 address, so the infrastructure can be rotated without redeploying the implant
  • the Windows WinHTTP API for C2 communication, so requests originate from a standard system library
  • JSON-formatted tasking and results, which give byte-signature network detection little fixed content to match

Capabilities

Once active, the malware enables:

  • system reconnaissance
  • command execution
  • screenshot capture
  • keylogging
  • file exfiltration
  • privilege escalation

Why it matters

This campaign does not rely on a vulnerability. Every step uses the application as designed.

That shifts the problem:

  • detection cannot rely on exploit or vulnerability signatures, because there is no exploit
  • a user action (enabling plugins) becomes the trigger, so the initial execution looks consensual
  • trusted, signed applications become the execution channel for the attacker's commands

DIAMATIX Perspective

This is a clear example of where security breaks in practice.

Not at the exploit layer.
At the interaction layer.

In these scenarios:

  • endpoint controls see legitimate, signed processes (Obsidian, a system shell, PowerShell)
  • execution originates from a trusted application the user launched
  • detection depends on correlating behaviour rather than matching any single artefact

This requires:

  • visibility into process execution chains (which parent spawned which child, and with what command line)
  • monitoring of user-triggered actions such as plugin enablement or vault sharing
  • correlation across endpoints and identity, so one user's anomalous chain can be tied to the social engineering that preceded it
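The process-chain point above is concrete enough to implement. Below is an added example, not from the article or Elastic's report, that reconstructs ancestry from process-creation records and alerts when a shell interpreter has Obsidian as an ancestor within a few hops (the Shell Commands plugin runs commands through a shell, so the loader is often a grandchild rather than a direct child). The records are constructed to resemble Sysmon Event ID 1 / EDR process-creation events; the field names, process names and command lines are assumptions made for the example.

```python
"""Alert on shell interpreters whose ancestry leads back to Obsidian.

Added example. SAMPLE_EVENTS are constructed records (not real telemetry);
field names mirror Sysmon Event ID 1 loosely and are an assumption.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline user")

OBSIDIAN = {"obsidian.exe", "obsidian"}             # Windows / macOS image names
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe",
          "osascript", "sh", "bash", "zsh"}
MAX_DEPTH = 4                                       # hops of ancestry to walk
# Arguments that raise the priority of an alert (hidden / encoded execution).
SUSPECT_ARGS = re.compile(r"(-enc\b|-e\b|-w hidden|iex|invoke-expression|"
                          r"do shell script|curl |bash -c)", re.I)

# Constructed telemetry: one Windows chain, one benign PowerShell, one macOS chain.
SAMPLE_EVENTS = [
    Event(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe", "CORP\\jdoe"),
    Event(200, 100, r"C:\Users\jdoe\AppData\Local\Obsidian\Obsidian.exe",
          '"Obsidian.exe"', "CORP\\jdoe"),
    Event(300, 200, r"C:\Windows\System32\cmd.exe",
          'cmd.exe /c powershell -w hidden -enc QQBBAEEAQQA=', "CORP\\jdoe"),
    Event(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -w hidden -enc QQBBAEEAQQA=", "CORP\\jdoe"),
    # Analyst opening PowerShell from the Start menu: same user, no Obsidian.
    Event(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe", "CORP\\jdoe"),
    Event(600, 1,   "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
          "Obsidian", "asmith"),
    Event(700, 600, "/bin/sh", "sh -c osascript ~/Library/sync.scpt", "asmith"),
    Event(800, 700, "/usr/bin/osascript", "osascript ~/Library/sync.scpt", "asmith"),
]


def basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(evt: Event, by_pid: dict, max_depth: int = MAX_DEPTH) -> list:
    """Return [evt, parent, grandparent, ...] up to max_depth hops."""
    chain, cur = [evt], evt
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        chain = ancestry(e, by_pid)
        for depth, anc in enumerate(chain[1:], start=1):
            if basename(anc.image) in OBSIDIAN:
                alerts.append({
                    "pid": e.pid,
                    "user": e.user,
                    "depth": depth,
                    "chain": " -> ".join(basename(p.image)
                                         for p in reversed(chain[:depth + 1])),
                    "cmdline": e.cmdline,
                    "high_priority": bool(SUSPECT_ARGS.search(e.cmdline)),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        flag = "HIGH" if a["high_priority"] else "info"
        print(f"[{flag}] {a['user']} pid={a['pid']} {a['chain']} :: {a['cmdline']}")
```

The benign PowerShell launched from explorer.exe by the same user produces no alert, which is the point of keying on ancestry rather than on the interpreter alone. In production the same logic maps onto an EDR or SIEM query over parent/child relationships; the `depth` field is what lets one rule catch both the direct child and the loader the intermediate shell spawns.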

Conclusion

Attackers continue to move toward abusing legitimate workflows instead of exploiting software flaws. The focus shifts from vulnerability management to operational visibility and response. Detection depends on understanding how systems are used, not only how they are built.


Sources

Elastic Security Labs. Technical analysis (April 2026)
Public threat intelligence reporting (April 2026)
