TLDR
- Attackers abuse Obsidian community plugins to deploy stealthy malware on victims' devices
- Fake venture-capital outreach on LinkedIn steers targets toward an attacker-controlled Obsidian vault and its malicious plugins
- The PHANTOMPULSE remote access trojan is delivered through trojanized plugins pulled down by vault synchronization
- Crypto users are walked through enabling the plugins in Telegram chats staffed by fake business partners
- Because the code runs as a plugin inside a trusted application, it sidesteps controls built around suspicious executables
Crypto users face a rising threat as attackers abuse Obsidian plugins to deploy stealthy malware through social engineering. The campaign targets finance professionals and is run over LinkedIn and Telegram conversations. Because the malicious code is loaded as a plugin by a trusted application rather than delivered as a standalone executable, it can run without triggering the security tools that would normally catch a dropped binary.
Social Engineering Campaign Uses Obsidian Plugins as Entry Point
Attackers make first contact on LinkedIn, posing as a venture capital firm interested in the target's crypto business. They then move the conversation to Telegram, where several fake "partners" join in so the deal looks like a real multi-party negotiation. Eventually the target is asked to open a shared deal dashboard, which the attackers say lives in an Obsidian vault.
Obsidian is pitched as the firm's database and collaboration tool. The attackers hand over credentials for a cloud-synced vault they control, and once the victim has connected to it they walk the victim through enabling plugin synchronization so that the plugins installed in the vault are pulled down to the victim's machine.
That step starts the execution chain: the synced, trojanized plugins load silently and run their malicious scripts. Obsidian community plugins are JavaScript that the desktop app executes with full Node.js access, so a plugin can spawn processes, write files and reach the network as a normal feature rather than through any exploit. The attackers never send the victim an executable; they rely on trusted software doing exactly what it was designed to do.
PHANTOMPULSE Malware Expands Cross Platform Threat
Researchers at Elastic Security Labs identified a new remote access trojan they track as PHANTOMPULSE. The malware has separate execution paths for Windows and macOS, and on both platforms the trojanized Obsidian plugin is the initial access vector that stages its payloads.
On Windows, the malware uses AES-256-encrypted loaders and reflective in-memory loading, so the decrypted payload never has to sit on disk as a recognizable file. On macOS, the plugin drops an obfuscated AppleScript that stages the payload and includes a fallback command mechanism for when the primary channel is unavailable.
For command and control, PHANTOMPULSE reads its instructions from on-chain data in transactions linked to attacker-controlled wallets, across several blockchain networks. With no central C2 server to seize or sinkhole, taking down a single domain or host does not cut the implant off from its operators, so the command channel survives the disruption that would kill a conventional C2.
Rising Crypto Threats Highlight Weakness in Trusted Tools
Crypto users remain attractive targets because blockchain transactions are irreversible and a single wallet can hold a large balance. In 2025 attackers stole more than $713 million from individual wallets, and plugin ecosystems such as Obsidian's give them one more route around standard defenses.
The campaign shows how a legitimate productivity tool becomes an attack vector once an attacker controls what it loads. A plugin ecosystem is an arbitrary-code-execution surface: anything that can write into a vault's .obsidian/plugins directory, including a sync service the attacker controls, can run code under the user's account without an executable ever being downloaded. Organizations should treat third-party plugins like any other unsigned software and monitor and restrict their use in critical environments.
Practical controls: enforce an allowlist of approved plugins, keep Obsidian's Restricted mode on for vaults that do not need plugins, and do not connect corporate machines to vaults or sync accounts supplied by an outside party. Verify who you are actually talking to before installing or enabling any plugin on their instruction, and treat a request to turn on plugin sync for a shared vault as a red flag. Awareness and control remain the main defenses against social engineering of this kind.
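As an added example (not code from the article or from Elastic Security Labs), the following Python script does the kind of vault audit the monitoring advice above calls for. It reads the list of enabled community plugins, inspects each plugin's manifest and main.js for capabilities a note-taking plugin rarely needs (child_process, shell execution, AppleScript or PowerShell invocation, dynamic eval, string de-obfuscation), and reports anything that is off an allowlist or carries those capabilities. The vault layout it assumes is Obsidian's standard one (.obsidian/community-plugins.json and .obsidian/plugins/<id>/); the indicator list, the plugin IDs and the two sample plugins it writes to a temporary directory are constructed, illustrative data, and the "trojanized" sample is a placeholder that the script only reads, never runs.

```python
"""Audit an Obsidian vault's enabled community plugins for risky capabilities.

Added example: not code from the article or from Elastic Security Labs.
Assumes Obsidian's standard vault layout:
  .obsidian/community-plugins.json   JSON array of enabled plugin IDs
  .obsidian/plugins/<id>/manifest.json and main.js
The indicator list and the sample plugins below are illustrative.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Node.js / shell capabilities a note-taking plugin rarely needs. A hit is a
# reason to read the source before leaving the plugin enabled (illustrative).
RISKY_PATTERNS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "shell_exec": re.compile(r"\b(?:execSync|spawnSync|execFile|spawn|exec)\s*\("),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "osascript": re.compile(r"\bosascript\b"),
    "powershell": re.compile(r"\bpowershell\b", re.IGNORECASE),
    "string_deobfuscation": re.compile(r"String\.fromCharCode\s*\(|\batob\s*\("),
}


def enabled_plugins(vault: Path) -> list[str]:
    """Plugin IDs Obsidian will load for this vault (empty if none are enabled)."""
    cfg = vault / ".obsidian" / "community-plugins.json"
    return json.loads(cfg.read_text()) if cfg.exists() else []


def audit_plugin(vault: Path, plugin_id: str) -> dict:
    """Inspect one enabled plugin: manifest metadata plus pattern hits in main.js."""
    pdir = vault / ".obsidian" / "plugins" / plugin_id
    manifest_path = pdir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    main_js = pdir / "main.js"
    source = main_js.read_text(errors="replace") if main_js.exists() else ""
    findings = [name for name, rx in RISKY_PATTERNS.items() if rx.search(source)]
    return {
        "id": plugin_id,
        "name": manifest.get("name", "<no manifest>"),
        "author": manifest.get("author", "<unknown>"),
        "has_code": main_js.exists(),
        "findings": findings,
    }


def audit_vault(vault: Path) -> list[dict]:
    """Audit every plugin the vault has enabled, in load order."""
    return [audit_plugin(vault, pid) for pid in enabled_plugins(vault)]


def policy_violations(report: list[dict], allowlist: set[str]) -> list[str]:
    """Enabled plugins that are off the allowlist or that carry risky capabilities."""
    return [r["id"] for r in report if r["id"] not in allowlist or r["findings"]]


def build_sample_vault() -> Path:
    """Constructed sample vault: one ordinary plugin and one trojanized-looking one."""
    vault = Path(tempfile.mkdtemp(prefix="obsidian-vault-"))
    plugins = vault / ".obsidian" / "plugins"
    samples = {
        "daily-notes-helper": (
            {"id": "daily-notes-helper", "name": "Daily Notes Helper", "author": "example"},
            'const { Plugin, Notice } = require("obsidian");\n'
            "module.exports = class extends Plugin {\n"
            '  onload() { this.addCommand({ id: "hi", name: "Hi", callback: () => new Notice("hi") }); }\n'
            "};\n",
        ),
        "vc-dashboard-sync": (
            {"id": "vc-dashboard-sync", "name": "VC Dashboard Sync", "author": "partner"},
            # Placeholder: decodes a harmless string and hands it to a shell, the shape
            # a sync-delivered dropper takes. This script reads it and never executes it.
            'const { exec } = require("child_process");\n'
            'module.exports = class extends require("obsidian").Plugin {\n'
            '  onload() { exec(atob("ZWNobyBoaQ==")); }\n'
            "};\n",
        ),
    }
    for pid, (manifest, source) in samples.items():
        (plugins / pid).mkdir(parents=True)
        (plugins / pid / "manifest.json").write_text(json.dumps(manifest))
        (plugins / pid / "main.js").write_text(source)
    (vault / ".obsidian" / "community-plugins.json").write_text(json.dumps(list(samples)))
    return vault


if __name__ == "__main__":
    vault = build_sample_vault()
    report = audit_vault(vault)
    for entry in report:
        print(f"{entry['id']:<22} {entry['name']!r:<24} findings={entry['findings']}")
    print("policy violations:", policy_violations(report, {"daily-notes-helper"}))
```

Point audit_vault at a real vault path to use it on a workstation. A regex scan is a triage aid, not a verdict: minified or further-obfuscated plugins can evade the indicator list, which is why the allowlist check is the control that actually holds and the pattern hits are there to tell you which plugin to read first.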