Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Exploit Obsidian Plugin for Cross-Platform Malware

Hackers Exploit Obsidian Plugin for Cross-Platform Malware

Posted on April 14, 2026 By CWS

Cybercriminals have ingeniously misused a popular productivity tool to distribute malware across different platforms. By leveraging the Shell Commands plugin in Obsidian, attackers have been executing harmful code on users’ systems without needing to exploit any software vulnerabilities.

Targeting Financial and Cryptocurrency Sectors

The campaign, identified as REF6598, specifically aims at individuals in the financial and cryptocurrency industries. It begins with a sophisticated social engineering tactic where attackers impersonate representatives from a venture capital firm and contact potential victims through LinkedIn.

Once communication is established, the conversation shifts to a Telegram chat involving multiple fake partners to enhance credibility. Victims are then instructed to use Obsidian, portrayed as the firm’s internal management tool, and are given credentials to access a cloud-hosted vault controlled by the attacker.

Technical Details of the Attack

Elastic Security Labs researchers discovered the campaign after noticing a suspicious PowerShell execution with Obsidian as the parent process. Researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic linked the activity back to the Obsidian application, excluding third-party DLL sideloading or JavaScript injection.

The investigation revealed that the Shell Commands plugin, embedded in the malicious vault, was set to execute attacker-specified shell commands once the vault was accessed, requiring no further action from the victim.

Cross-Platform Attack Mechanism

The attack affects both Windows and macOS systems. On Windows, the attack chain culminates in the deployment of a previously undocumented RAT named PHANTOMPULSE, which includes capabilities like keylogging and privilege escalation.

For macOS, a concealed AppleScript dropper along with a Telegram-based fallback mechanism is used for command-and-control communication. Both attack paths effectively camouflage themselves within standard application behavior, complicating traditional detection methods.

Upon opening the attacker-controlled vault and enabling plugin sync, the trojanized plugin’s data.json configuration file downloads and initiates execution. In Windows, Base64-encoded PowerShell scripts are executed to download a 64-bit executable called syncobs.exe, reporting each step to the command server using color-coded messages.

Recommendations for Security Teams

The final payload, PHANTOMPULL, decrypts its AES-256-CBC-encrypted payload in-memory, avoiding traditional file-based detection. PHANTOMPULSE employs a unique C2 resolution technique using public Ethereum blockchain data.

Organizations in the targeted sectors are advised to monitor for abnormal child process creation from Electron-based applications like Obsidian. Enabling behavioral endpoint detection and enforcing plugin installation policies can mitigate risks.

Elastic has published YARA rules for detecting PHANTOMPULL and PHANTOMPULSE, providing a practical starting point for enhancing security measures across different environments.

Stay updated with our latest reports by following us on Google News, LinkedIn, and X. Set CSN as your preferred source on Google for more instant updates.

Cyber Security News Tags:cross-platform attacks, Cryptocurrency, Cybersecurity, Elastic Security Labs, financial sector, Malware, Obsidian, PHANTOMPULSE, RAT, Shell Commands plugin

Post navigation

Previous Post: SAP Mitigates Severe ABAP Security Flaw
Next Post: AI Threats Loom: CISOs Urged to Strengthen Cybersecurity

Related Posts

Trigona Ransomware Group Crafts Custom Data Theft Tool Trigona Ransomware Group Crafts Custom Data Theft Tool Cyber Security News
Microsoft Confirms Recent Windows 11 24H2/25H2 and Server 2025 Update Breaks RemoteApp Connections Microsoft Confirms Recent Windows 11 24H2/25H2 and Server 2025 Update Breaks RemoteApp Connections Cyber Security News
Hackers Leverages Google Calendar APIs With Serverless MeetC2 Communication Framework Hackers Leverages Google Calendar APIs With Serverless MeetC2 Communication Framework Cyber Security News
LinkedIn Social Engineering Targets Cryptocurrency Firms LinkedIn Social Engineering Targets Cryptocurrency Firms Cyber Security News
F5 Fixes HTTP/2 Vulnerability Enabling Massive DoS Attacks F5 Fixes HTTP/2 Vulnerability Enabling Massive DoS Attacks Cyber Security News
Critical Zoom Clients for Windows Vulnerability Lets Attackers Escalate Privileges Critical Zoom Clients for Windows Vulnerability Lets Attackers Escalate Privileges Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure
  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • July 2026 SAP Security Updates Address Critical Flaws
  • US, Allies Alert on Russian Cyber Threats to Key Infrastructure
  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark