Threat actors have begun leveraging a popular productivity tool, Obsidian, by weaponizing its Shell Commands community plugin to execute malicious code across different operating systems. This novel attack vector, identified by Elastic Security Labs as REF6598, allows attackers to launch cross-platform malware attacks without exploiting software vulnerabilities. The campaign primarily targets individuals within the financial and cryptocurrency sectors.
The campaign initiates through a sophisticated social engineering scheme. Attackers impersonate venture capital firm representatives, initiating contact via LinkedIn. Upon engagement, the conversation shifts to a Telegram group, where additional fabricated partners join to lend an air of legitimacy. Victims are then guided to utilize Obsidian, presented as the firm’s internal management database, and are provided with credentials to access a cloud-hosted vault controlled entirely by the attackers. Researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic from Elastic Security Labs uncovered the campaign following an alert on suspicious PowerShell activity originating from Obsidian.
Weaponizing Obsidian’s Shell Commands Plugin for Malware Deployment
The investigation confirmed that the Shell Commands plugin, embedded within the malicious vault, was configured to execute attacker-defined shell commands automatically upon the vault’s opening. This bypasses the need for any further user interaction, making the attack particularly stealthy. The campaign has been observed to affect both Windows and macOS systems. On Windows, the infection chain culminates in the deployment of a previously undocumented remote access trojan (RAT) named PHANTOMPULSE. This backdoor boasts capabilities including keylogging, screen capture, process injection, and privilege escalation. For macOS users, the attack employs an obfuscated AppleScript dropper, which, if successful, utilizes a Telegram-based fallback mechanism for command-and-control (C2) communication. Both attack paths are designed to mimic normal application behavior, posing a significant challenge to traditional detection methods.
From Vault Synchronization to the Final Payload
The infection chain begins when a victim opens the attacker-controlled vault and enables community plugin synchronization. This silently pulls down the trojanized Shell Commands plugin together with its configuration file, data.json, and the attacker-defined commands stored there are executed. On Windows systems, the plugin runs two Invoke-Expression calls on Base64-encoded strings. These commands contact a staging server at 195.3.222[.]251 to retrieve a PowerShell script, which in turn uses BitsTransfer to download a 64-bit executable named syncobs.exe.
The downloaded executable, which researchers have dubbed PHANTOMPULL, decrypts an AES-256-CBC-encrypted payload directly from its own resources. This payload is then loaded entirely into memory using a technique known as reflective loading. Crucially, the malware never writes its final stage to disk, a deliberate tactic to evade conventional file-based scanning and antivirus solutions. PHANTOMPULL also incorporates a timer queue callback with a 50-millisecond delay to obfuscate its execution flow, a measure intended to thwart sandbox analysis. Furthermore, the loader includes extraneous code blocks and a counterfeit integrity check function that serve no legitimate purpose other than to consume the time of security analysts during reverse engineering efforts.
The ultimate payload, the PHANTOMPULSE RAT, employs a unique method for C2 resolution centered on publicly available Ethereum blockchain data. The malware queries Blockscout APIs across multiple blockchain networks, extracting XOR-encrypted C2 URLs from the input fields of transactions associated with a hardcoded wallet address. Researchers have identified a notable vulnerability in this design: PHANTOMPULSE consistently selects the most recent transaction without validating its sender. This flaw means that any party able to extract the wallet address and XOR key from the malware binary could potentially submit a competing transaction, thereby redirecting all infected hosts to a sinkhole server.
Organizations operating within the financial and cryptocurrency sectors are advised to monitor for atypical child process creation originating from Electron-based applications, such as Obsidian. The implementation of behavioral endpoint detection tools and the enforcement of community plugin installation policies are also recommended protective measures.
Security teams should actively hunt for file events corresponding to obsidian-shellcommands paths and implement blocking measures for known malicious infrastructure, including 195.3.222[.]251 and panel.fefea22134[.]net. Elastic has published YARA rules for PHANTOMPULL and PHANTOMPULSE, which can serve as a practical resource for detecting these threats across various environments. The successful exploitation of Obsidian’s plugin functionality highlights the evolving tactics of threat actors and the ongoing need for vigilant cybersecurity practices.
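As an added illustration (not code from Elastic's report or its YARA rules), the following Python hunt applies the three recommendations above to constructed endpoint telemetry: it flags shells spawned by Obsidian, file events under obsidian-shellcommands paths, and connections to the published infrastructure. The generic EDR-style event schema (type, parent, image, cmdline, path, dest, domain) is an assumption for the sake of the example.

```python
import re

# Known REF6598 infrastructure exactly as published (defanged); refanged at load time.
BLOCKLIST = {"195.3.222[.]251", "panel.fefea22134[.]net"}
ELECTRON_APPS = {"obsidian.exe", "obsidian"}  # Electron parents that should not spawn shells
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash", "zsh", "osascript"}
# Command-line traits of the Windows chain: Invoke-Expression, Base64 decoding, BitsTransfer.
SUSPICIOUS_CMD = re.compile(r"invoke-expression|\biex\b|frombase64string|-enc(odedcommand)?\b|bitstransfer", re.I)

def refang(ioc: str) -> str:  # turn 195.3.222[.]251 back into a matchable value
    return ioc.replace("[.]", ".").lower()
BLOCKED = {refang(i) for i in BLOCKLIST}

def basename(path: str) -> str:  # last path component, Windows or POSIX, lower-cased
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: dict) -> list[str]:
    """Return the names of the hunting rules an event matches (empty list = no finding)."""
    hits = []
    if ev["type"] == "process":
        if basename(ev["parent"]) in ELECTRON_APPS and basename(ev["image"]) in SHELLS:
            hits.append("electron_spawns_shell")
            if SUSPICIOUS_CMD.search(ev.get("cmdline", "")):
                hits.append("encoded_or_downloader_cmdline")
    elif ev["type"] == "file":
        # The plugin lives under <vault>/.obsidian/plugins/obsidian-shellcommands/
        if "obsidian-shellcommands" in ev["path"].replace("\\", "/").lower():
            hits.append("shellcommands_plugin_file_event")
    elif ev["type"] == "network":
        if ev.get("dest", "") in BLOCKED or ev.get("domain", "").lower() in BLOCKED:
            hits.append("known_ref6598_infrastructure")
    return hits

def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:  # keep only events with findings
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

# Constructed sample telemetry (not from the Elastic report); the last event is benign.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Users\u\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))\""},
    {"type": "file", "path": r"C:\Users\u\vault\.obsidian\plugins\obsidian-shellcommands\data.json"},
    {"type": "network", "dest": "195.3.222.251", "domain": ""},
    {"type": "network", "dest": "203.0.113.10", "domain": "panel.fefea22134.net"},
    {"type": "process", "parent": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/usr/bin/osascript", "cmdline": "osascript -e 'do shell script \"id\"'"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Date"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns the five suspicious events with their rule names and drops the explorer.exe-launched PowerShell, which matches none of the rules.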

