Threat actor REF6598 is targeting the financial and cryptocurrency sectors using social engineering to trick victims into opening a malicious Obsidian vault. The attack leverages Obsidian's community plugins to execute cross-platform attack chains, culminating in the deployment of the PHANTOMPULSE RAT on Windows and an AppleScript dropper on macOS.