
New 'PHANTOMPULSE' Malware Targets Crypto Professionals via Obsidian App

Apr 15, 2026 06:24 UTC
Immediate term

A sophisticated social engineering campaign is leveraging the Obsidian note-taking app to deploy remote access trojans. The attack targets finance and cryptocurrency professionals through LinkedIn and Telegram.

  • Malware deployed via Obsidian community plugins
  • Social engineering lures targets via LinkedIn and Telegram
  • PHANTOMPULSE RAT provides full remote device access
  • Decentralized C2 uses three blockchain networks for redundancy
  • Targets specifically crypto and finance professionals
  • Highlights vulnerability of legitimate productivity software

Elastic Security Labs has uncovered a multi-stage social engineering operation designed to compromise the devices of cryptocurrency and finance industry professionals. The attackers utilize the community plugin ecosystem of the Obsidian note-taking application to execute malicious code silently when a victim opens a shared cloud vault.

The campaign typically begins on LinkedIn, where attackers pose as representatives of venture capital firms to establish a plausible business context. Once trust is established, the conversation is moved to Telegram, where targets are lured into using a shared dashboard hosted within Obsidian. This cloud-hosted vault serves as the primary access vector for the attack.

Upon enabling community plugin synchronization, the system deploys a previously undocumented remote access trojan (RAT) dubbed 'PHANTOMPULSE.' This malware is designed for high resilience and stealth, granting attackers comprehensive remote control over both Windows and macOS devices. Notably, PHANTOMPULSE employs a decentralized command-and-control (C2) mechanism across three different blockchain networks. By utilizing immutable on-chain transaction data, the malware can locate its controllers without relying on centralized infrastructure, making the operation highly resistant to traditional blocking methods.

This threat emerges amid a broader trend of escalating attacks on the digital asset sector. According to data from Chainalysis, approximately $713 million was stolen via individual crypto wallet compromises in 2025 alone. Security experts warn that legitimate productivity tools are increasingly being weaponized to bypass traditional security controls. Organizations are urged to enforce strict app-level plugin policies to defend against the execution of arbitrary code through third-party extensions.
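One way to check endpoints against a plugin policy like the one urged above, as an added example (not code from the article or from Elastic Security Labs): it audits Obsidian vaults for community plugins that are enabled or installed but not approved. It assumes the default `.obsidian` config folder, with `community-plugins.json` holding the enabled plugin ids and plugin code in `plugins/<id>/main.js`; the allowlist and the sample vault are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

ALLOWED = {"dataview"}  # hypothetical organisation allowlist (assumption)

def find_vaults(root: Path) -> list[Path]:
    """A vault is any folder holding a '.obsidian' config directory (default name)."""
    return sorted(p.parent for p in root.rglob(".obsidian") if p.is_dir())

def audit_vault(vault: Path, allowed: set[str] = ALLOWED) -> dict:
    """List enabled and installed community plugins and flag unapproved ones."""
    cfg = vault / ".obsidian"
    enabled: list[str] = []
    listing = cfg / "community-plugins.json"  # JSON array of enabled plugin ids
    if listing.is_file():
        try:
            data = json.loads(listing.read_text(encoding="utf-8"))
            enabled = [str(x) for x in data] if isinstance(data, list) else []
        except (ValueError, OSError):
            # A corrupt listing is itself worth flagging, so surface it.
            enabled = ["<unreadable community-plugins.json>"]
    plugins_dir = cfg / "plugins"
    # Plugin code lives in plugins/<id>/main.js and can arrive with a shared vault.
    installed = sorted(d.name for d in plugins_dir.iterdir()
                       if (d / "main.js").is_file()) if plugins_dir.is_dir() else []
    unapproved = sorted((set(enabled) | set(installed)) - allowed)
    return {"vault": str(vault), "enabled": sorted(enabled),
            "installed": installed, "unapproved": unapproved}

def build_sample_vault(root: Path) -> Path:
    """Constructed sample: one approved plugin, one unknown plugin shipped in the vault."""
    vault = root / "Shared Dashboard"
    for pid in ("dataview", "sample-unknown-plugin"):
        d = vault / ".obsidian" / "plugins" / pid
        d.mkdir(parents=True)
        (d / "main.js").write_text("// placeholder\n", encoding="utf-8")
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["dataview", "sample-unknown-plugin"]), encoding="utf-8")
    return vault

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_vault(Path(tmp))
        for v in find_vaults(Path(tmp)):
            print(json.dumps(audit_vault(v), indent=2))
```

Pointing `find_vaults` at a user's home or sync folder reports every vault found there; a non-empty `unapproved` list is the signal to review before the vault is opened with community plugins enabled.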
