A new cyber campaign is turning a trusted productivity tool into a stealthy attack vector, as threat actors weaponize the Obsidian Shell Commands plugin to deploy cross-platform malware. Discovered by Elastic Security Labs, the campaign tracked as REF6598 primarily targets professionals in the financial and cryptocurrency sectors.
What makes this attack particularly dangerous is that it doesn’t rely on any software vulnerability. Instead, attackers exploit trust and normal application behavior. The operation begins with a well-crafted social engineering approach, where threat actors impersonate venture capital firms on LinkedIn and gradually move conversations to Telegram to build credibility. Victims are then invited to collaborate using Obsidian, presented as an internal knowledge platform, and are given access to a cloud-hosted vault controlled entirely by the attackers.
Once the victim opens the malicious vault and enables plugin synchronization, the trap is triggered. The Shell Commands plugin—preconfigured by the attackers—executes hidden commands automatically, without requiring any further interaction. This allows attackers to silently initiate the infection chain as soon as the vault is accessed.
On Windows systems, the attack deploys a previously undocumented remote access trojan known as PHANTOMPULSE. This malware is capable of keylogging, capturing screenshots, injecting processes, and escalating privileges. The infection begins with encoded PowerShell commands that download additional payloads from attacker-controlled servers. These payloads are then decrypted and executed entirely in memory, leaving minimal traces on disk and making detection significantly more difficult.
On macOS, the attack uses an obfuscated AppleScript-based dropper combined with a Telegram-based fallback channel for command-and-control communication. Both attack paths are carefully designed to blend in with legitimate application behavior, bypassing traditional security defenses.
A particularly advanced feature of the malware is its use of blockchain technology for command-and-control. Instead of relying on fixed servers, the malware retrieves instructions from public Ethereum blockchain transactions. However, researchers identified a flaw in this design—since the malware does not verify transaction sources, defenders could potentially hijack the communication channel and redirect infected systems to safe infrastructure.
This campaign highlights a growing trend in cyberattacks: abusing legitimate tools and workflows instead of exploiting vulnerabilities. By embedding malicious behavior into trusted environments, attackers significantly reduce the chances of detection and increase the likelihood of successful compromise.
Security experts recommend closely monitoring unusual behavior from applications like Obsidian, restricting unauthorized plugin installations, and deploying advanced endpoint detection solutions. As attackers continue to evolve their tactics, organizations must focus not only on patching vulnerabilities but also on identifying abnormal behavior within trusted systems.
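The monitoring advice above is concrete enough to turn into a detection: on both platforms the infection chain described in this campaign begins with Obsidian itself spawning a script host (PowerShell with an encoded command on Windows, osascript on macOS), which is not something a note-taking application normally does. The following Python is an added example written for this article, not code from Elastic Security Labs or from the Obsidian project. It runs a simple parent/child process rule over a handful of constructed process-creation records in a Sysmon-like JSON-lines shape (the field names `parent_image`, `image` and `command_line` are an assumption for the example, not any vendor's real schema), decodes any `-EncodedCommand` payload for analyst triage, and returns the findings rather than only printing them.

```python
import base64
import json
import re

# Process names that a knowledge-management app should not be launching.
# Keys are lower-cased basenames as they appear in process telemetry.
OBSIDIAN_PARENTS = {"obsidian.exe", "obsidian"}
SCRIPT_HOSTS = {
    "powershell.exe": "PowerShell spawned by Obsidian",
    "pwsh.exe": "PowerShell spawned by Obsidian",
    "cmd.exe": "cmd.exe spawned by Obsidian",
    "osascript": "AppleScript runner (osascript) spawned by Obsidian",
    "sh": "shell spawned by Obsidian",
    "bash": "shell spawned by Obsidian",
    "zsh": "shell spawned by Obsidian",
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The base64 text must immediately follow the switch.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the script behind -EncodedCommand (UTF-16LE base64), or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict):
    """Apply the rule to one process-creation record; return a finding or None."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent not in OBSIDIAN_PARENTS or child not in SCRIPT_HOSTS:
        return None
    finding = {
        "host": event.get("host"),
        "child": child,
        "severity": "medium",
        "reason": SCRIPT_HOSTS[child],
        "decoded": None,
    }
    if child in POWERSHELL:
        decoded = decode_encoded_command(event.get("command_line", ""))
        if decoded is not None:
            # Encoded, hidden PowerShell from Obsidian matches the Windows chain
            # in this campaign, so raise severity and keep the decoded script.
            finding["severity"] = "high"
            finding["reason"] += " with -EncodedCommand"
            finding["decoded"] = decoded
    return finding


def scan_log(jsonl: str) -> list:
    """Run analyze_event over JSON-lines telemetry and collect the findings."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


def _ps_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real captures): a benign plugin sync, an
# encoded PowerShell launch from Obsidian, an osascript launch from Obsidian on
# macOS, and an encoded PowerShell launch from Explorer that this rule ignores.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "WS01", "parent_image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Program Files\Git\cmd\git.exe", "command_line": "git.exe pull"},
    {"host": "WS01", "parent_image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc "
                     + _ps_encoded("Write-Host 'constructed sample, not a real payload'")},
    {"host": "MAC01", "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/usr/bin/osascript", "command_line": "osascript -e 'display dialog \"constructed sample\"'"},
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc " + _ps_encoded("Get-Date")},
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

On real telemetry the script host may sit one level further down: Node-based desktop apps that run commands through `exec()` usually go via `cmd.exe /c` on Windows, so extend the parent check to the process ancestry rather than the immediate parent only. The Explorer-spawned encoded PowerShell in the sample is deliberately left to other rules; this one is scoped to the Obsidian-as-parent behaviour the article describes.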