Elastic Security Labs Uncovers Attack on Crypto Holders via Obsidian
The campaign aims to steal sensitive data and gain remote access to victims’ devices.
15.04.2026 - 10:55
Key points:
- Elastic Security Labs has identified a new social engineering campaign targeting the financial and cryptocurrency sectors.
- Attackers are using the Obsidian application and its plugins to covertly execute malicious code and gain access to victims’ devices.
- The attack deploys a previously unknown PHANTOMPULSE trojan, though it was detected and blocked at an early stage.
Elastic Security Labs has uncovered a new social engineering campaign, tracked under the code name REF6598. The attackers are using the popular note-taking app Obsidian as an initial access vector to compromise victims’ devices. The primary targets are professionals in the financial and cryptocurrency sectors.
The attack begins with contact on LinkedIn and continues on Telegram. The threat actors pose as representatives of a venture capital firm, discussing financial services and cryptocurrency liquidity solutions. This approach builds trust and convinces victims of the legitimacy of the interaction.
How the Attack Works
Targets are invited to use Obsidian as the firm’s “management database” and are provided with credentials to access a cloud storage repository controlled by the attackers. Once connected, victims are instructed to enable community plugins, which requires turning off Obsidian’s Restricted mode, the default that blocks third-party plugin code. Among the plugins in the shared vault are Shell Commands and Hider; with these enabled, the attackers’ commands run automatically as soon as the shared vault is opened.
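A quick triage check for a vault you did not create yourself, written as an added example for this article (not code from Elastic Security Labs or the Obsidian project): list which community plugins are enabled and dump whatever the Shell Commands plugin is configured to run. It assumes, hypothetically, that enabled plugins are listed by ID in `.obsidian/community-plugins.json`, that each plugin keeps its settings in `.obsidian/plugins/<plugin-id>/data.json`, that the Shell Commands plugin uses the ID `obsidian-shellcommands` and stores each command string under a `shell_command` key, and that Hider uses the ID `obsidian-hider`. Verify these against your own install before relying on the script; the sample vault it builds is constructed data.

```python
"""Triage a shared Obsidian vault: enabled community plugins and configured shell commands.

Added example; not code from Elastic Security Labs or Obsidian. Assumed (hypothetical):
  - enabled community plugins are listed by ID in .obsidian/community-plugins.json
  - each plugin keeps its settings in .obsidian/plugins/<plugin-id>/data.json
  - Shell Commands (assumed ID "obsidian-shellcommands") stores commands under "shell_command"
"""
import json
import re
import tempfile
from pathlib import Path

# Plugin IDs worth flagging in a vault someone else handed you (assumed IDs).
WATCHLIST = {
    "obsidian-shellcommands": "runs arbitrary OS commands, including on vault open",
    "obsidian-hider": "hides UI elements that would otherwise reveal activity",
}

# Constructed patterns for common loader one-liners; extend for your environment.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"powershell[^|]*-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",      # encoded PowerShell
    r"\b(curl|wget|iwr|Invoke-WebRequest)\b.*\|\s*(sh|bash|zsh|iex)\b",  # download-and-run
    r"\bosascript\b",                                                     # macOS AppleScript
    r"base64\s+(-d|--decode)\b",
    r"\b(mshta|rundll32|regsvr32|certutil)\b",
)]


def _strings_under(obj, key):
    """Yield every string stored under `key` anywhere in a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key and isinstance(v, str):
                yield v
            else:
                yield from _strings_under(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from _strings_under(item, key)


def audit_vault(vault):
    """Return watchlisted plugins that are enabled, every Shell Commands entry,
    and the subset matching SUSPICIOUS. Missing files count as nothing enabled."""
    cfg = Path(vault) / ".obsidian"
    report = {"watchlisted": [], "commands": [], "suspicious": []}
    enabled_file = cfg / "community-plugins.json"
    if enabled_file.is_file():
        enabled = json.loads(enabled_file.read_text(encoding="utf-8"))
        report["watchlisted"] = sorted(p for p in enabled if p in WATCHLIST)
    data_file = cfg / "plugins" / "obsidian-shellcommands" / "data.json"
    if data_file.is_file():
        settings = json.loads(data_file.read_text(encoding="utf-8"))
        for cmd in _strings_under(settings, "shell_command"):
            report["commands"].append(cmd)
            if any(rx.search(cmd) for rx in SUSPICIOUS):
                report["suspicious"].append(cmd)
    return report


def build_sample_vault(root):
    """Write a constructed vault resembling an attacker-shared one (sample data only)."""
    cfg = Path(root) / ".obsidian"
    (cfg / "plugins" / "obsidian-shellcommands").mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["obsidian-hider", "obsidian-shellcommands", "calendar"]), encoding="utf-8")
    # The base64 blob is a placeholder, not a payload; the event key name is illustrative.
    shellcmds = {"shell_commands": [
        {"id": "a1", "shell_command": 'git -C "{{vault_path}}" pull',
         "events": {"on-layout-ready": {"enabled": True}}},
        {"id": "b2", "shell_command": "powershell -w hidden -nop -enc QUJDREVGR0hJSktMTU5PUFFSU1Q=",
         "events": {"on-layout-ready": {"enabled": True}}},
        {"id": "c3", "shell_command": "osascript -e 'do shell script \"true\"'",
         "events": {"on-layout-ready": {"enabled": True}}},
    ]}
    (cfg / "plugins" / "obsidian-shellcommands" / "data.json").write_text(
        json.dumps(shellcmds), encoding="utf-8")
    return Path(root)


def demo():
    """Build the constructed vault in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real vault with `audit_vault("/path/to/vault")` before opening the vault in Obsidian; the plugin configuration is plain JSON on disk, so nothing in the vault executes during the check. Any watchlisted plugin that is already enabled in a vault you received from a third party deserves scrutiny even when no command matches the patterns above.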
Elastic Defend detected suspicious activity at an early stage and successfully prevented the attackers from achieving their objectives.
The infection chain operates across both Windows and macOS. On Windows, an intermediate loader encrypted with AES-256-CBC decrypts and loads malicious payloads directly into memory while employing anti-analysis techniques. The final stage involves deploying a previously undocumented remote access trojan dubbed PHANTOMPULSE—a fully featured backdoor leveraging blockchain-based command-and-control mechanisms and elements of artificial intelligence.
On macOS, the attack uses an obfuscated AppleScript dropper with a backup command-and-control channel via Telegram.
Initially, researchers suspected a trojanized build of Obsidian. However, verification of the digital signature confirmed that the application was legitimate. The attackers did not tamper with the software at all; they relied on a trusted, properly signed application and its plugin system to run their code.
Previously, we reported on how cybercriminals are leveraging artificial intelligence to carry out cryptocurrency-related fraud.