
Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
Why It Matters
The abuse of a trusted note‑taking app circumvents conventional defenses, exposing high‑value financial and crypto targets to sophisticated malware that leverages blockchain C2, forcing organizations to rethink application allow‑listing policies and detection methods.
Key Takeaways
- Obsidian plugins used to execute malicious code
- PHANTOMPULSE RAT leverages Ethereum blockchain for C2
- Attack targets finance and crypto professionals via LinkedIn
- Shell Commands plugin triggers PowerShell loader on Windows
- Hider plugin masks UI elements to evade detection
Pulse Analysis
The rise of supply‑chain‑style attacks has moved beyond traditional software updates to the exploitation of legitimate productivity tools. Obsidian, a popular cross‑platform note‑taking application, offers a vibrant community plugin ecosystem that users readily enable for enhanced functionality. Attackers have weaponized this trust, using social engineering on LinkedIn and Telegram to persuade high‑profile finance and crypto professionals to activate community‑plugin sync on a shared vault, effectively turning a benign feature into a covert execution channel.
Technically, the campaign drops a lightweight loader—PHANTOMPULL—via the Shell Commands plugin on Windows, which then decrypts and runs the AI‑generated PHANTOMPULSE backdoor entirely in memory. The malware’s command‑and‑control relies on the Ethereum blockchain, fetching transaction data tied to a hard‑coded wallet address, a method that sidesteps conventional domain‑based blocking. On macOS, an obfuscated AppleScript delivered through the same plugin contacts Telegram‑based dead‑drops, allowing rapid C2 rotation. Both payloads employ the Hider plugin to conceal UI elements, reducing the chance of user suspicion and evading endpoint detection.
For security teams, this threat underscores the need for stricter governance of third‑party plugins and tighter controls on cloud‑synced configurations. Traditional antivirus solutions may miss JSON‑based payloads that execute within a signed Electron wrapper, so behavioral monitoring of plugin activity and anomaly detection of blockchain‑related network traffic become critical. Financial institutions and crypto firms must educate users about the risks of enabling external plugins and adopt zero‑trust principles for application ecosystems, ensuring that trusted tools do not become the weakest link in their defense posture.
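The governance point above can be turned into a concrete, repeatable check: audit the synced `.obsidian` configuration of a vault for code‑executing plugins and for command strings that look like loaders. The script below is an added example written for this summary, not code from the article or from Obsidian. It assumes Obsidian's layout of `.obsidian/community-plugins.json` (a JSON array of enabled plugin IDs) and `.obsidian/plugins/<id>/data.json` (per‑plugin settings), assumes the plugin IDs `obsidian-shellcommands` and `obsidian-hider` for the Shell Commands and Hider plugins named above, and uses regex heuristics and a sample vault that are constructed for illustration only.

```python
"""Audit an Obsidian vault's synced plugin configuration for abuse indicators.

Added example; not code from the original article or from Obsidian.
Assumptions (not confirmed by the article):
  * enabled community plugins are listed in <vault>/.obsidian/community-plugins.json
  * each plugin keeps its settings in <vault>/.obsidian/plugins/<id>/data.json
  * "obsidian-shellcommands" / "obsidian-hider" are the Shell Commands / Hider IDs
  * the SUSPICIOUS_PATTERNS heuristics and the sample vault are constructed here
"""
import json
import re
import tempfile
from pathlib import Path

# Plugins that deserve extra scrutiny because of what they can do (assumed IDs).
WATCHLIST = {
    "obsidian-shellcommands": "can execute arbitrary OS commands",
    "obsidian-hider": "can hide UI elements from the user",
}

# Constructed heuristics: interpreter launches and loader-style switches that a
# note-taking plugin has no business containing.
SUSPICIOUS_PATTERNS = [
    ("powershell_invocation", re.compile(r"\bpowershell(?:\.exe)?\b", re.I)),
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I)),
    ("bypass_policy", re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    ("hidden_window", re.compile(r"-WindowStyle\s+Hidden|-w\s+hidden", re.I)),
    ("applescript", re.compile(r"\bosascript\b", re.I)),
    ("download_cradle", re.compile(r"Invoke-WebRequest|\bIWR\b|\bcurl\b|\bwget\b", re.I)),
]


def iter_strings(obj):
    """Yield every string nested anywhere inside a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def enabled_plugins(vault: Path) -> list:
    """Return the community plugin IDs the vault has enabled (assumed file layout)."""
    path = vault / ".obsidian" / "community-plugins.json"
    if not path.exists():
        return []
    return json.loads(path.read_text(encoding="utf-8"))


def scan_vault(vault: Path) -> dict:
    """Flag watch-listed plugins and suspicious strings in any plugin's data.json."""
    plugins = enabled_plugins(vault)
    report = {
        "enabled": plugins,
        "watchlist": {p: WATCHLIST[p] for p in plugins if p in WATCHLIST},
        "findings": [],  # (plugin_id, pattern_name, matched string prefix)
    }
    for plugin in plugins:
        data = vault / ".obsidian" / "plugins" / plugin / "data.json"
        if not data.exists():
            continue
        try:
            cfg = json.loads(data.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            report["findings"].append((plugin, "unparseable_config", str(data)))
            continue
        for text in iter_strings(cfg):
            for name, rx in SUSPICIOUS_PATTERNS:
                if rx.search(text):
                    report["findings"].append((plugin, name, text[:80]))
    return report


def build_sample_vault(root: Path) -> Path:
    """Write a constructed vault: one benign and one loader-like shell command."""
    vault = root / "shared-vault"
    cfg = vault / ".obsidian"
    (cfg / "plugins" / "obsidian-shellcommands").mkdir(parents=True)
    (cfg / "plugins" / "obsidian-hider").mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider", "dataview"]))
    # Simplified settings schema, assumed for the example. The second command is a
    # constructed loader-style string with a placeholder instead of a real payload.
    (cfg / "plugins" / "obsidian-shellcommands" / "data.json").write_text(json.dumps({
        "shell_commands": {
            "a1": {"shell_command": "git status"},
            "b2": {"shell_command": "powershell.exe -WindowStyle Hidden "
                                    "-ExecutionPolicy Bypass -EncodedCommand BASE64_PLACEHOLDER"},
        }
    }))
    (cfg / "plugins" / "obsidian-hider" / "data.json").write_text(
        json.dumps({"hideSidebar": True, "hideStatus": True}))
    return vault


def demo() -> dict:
    """Build the constructed vault in a temp dir and return its scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_vault(build_sample_vault(Path(tmp)))


if __name__ == "__main__":
    result = demo()
    for plugin, reason in result["watchlist"].items():
        print(f"[watchlist] {plugin}: {reason}")
    for plugin, name, snippet in result["findings"]:
        print(f"[finding] {plugin} {name}: {snippet}")
```

Point `scan_vault` at a real vault path to audit it; because the `.obsidian` folder is what sync replicates to every device sharing the vault, running this on a freshly synced copy before enabling plugins is the moment it pays off. String-level heuristics will not catch a command that has been split or obfuscated, so treat a non‑empty `watchlist` on its own as grounds for review, regardless of whether any `findings` fire.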