Crypto users have been warned about a social engineering campaign that abuses Obsidian’s community plugin ecosystem to deploy malware and take control of victims’ devices.
Elastic Security Labs said in a report that attackers target people in crypto and finance using elaborate social engineering on LinkedIn and Telegram. Posing as a venture capital firm, they move conversations to Telegram under the pretense of discussing financial services or cryptocurrency liquidity solutions, then ask targets to use Obsidian as a shared company database. Victims receive login details for a cloud-hosted vault controlled by the attackers.
The malicious vault is the initial access vector. Once opened in Obsidian, targets are instructed to enable community plugins sync; the attackers supply trojanized plugins that silently execute code when the shared vault is opened. The campaign affects both Windows and macOS and deploys a previously undocumented remote access trojan (RAT) dubbed PHANTOMPULSE.
PHANTOMPULSE is disguised as legitimate software and provides comprehensive remote access with stealth and resilience. Notably, Elastic found the RAT uses a decentralized command-and-control mechanism spanning at least three blockchain networks: on-chain transaction data tied to a specific wallet is used to locate and receive instructions from the operator. This on-chain C2 is infrastructure-agnostic and redundant—if one chain is blocked or unavailable, others can still provide instruction resolution.
Elastic said it was able to block the attack but warned the campaign illustrates how attackers exploit legitimate productivity tools and community-run plugin systems to bypass traditional security controls. Financial and crypto organizations are advised to enforce app-level plugin policies and treat productivity tools as potential attack vectors.
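One concrete form the app-level plugin policy above can take is a vault audit: Obsidian records enabled community plugins in `.obsidian/community-plugins.json` and executes `.obsidian/plugins/<id>/main.js` for each, so a shared vault carries the code a workstation will run. The script below is an added example, not code from Elastic's report or the Obsidian project; the allowlist contents and the sample vault it builds are constructed, and the organisation maintaining such an allowlist is an assumption.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist of vetted community plugin ids (assumption: the organisation
# maintains one; the id below is a placeholder, not an endorsement of any plugin).
APPROVED_PLUGINS = {"calendar"}


def audit_vault(vault: Path, approved=APPROVED_PLUGINS) -> list:
    """Flag enabled community plugins that deviate from policy. Obsidian records
    enabled plugins in .obsidian/community-plugins.json and loads
    .obsidian/plugins/<id>/main.js for each, so a shared vault carries the code
    that will run. Checks: not on allowlist, no manifest on disk, id mismatch."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.exists() else []
    findings = []
    for plugin_id in enabled:
        folder = cfg / "plugins" / plugin_id
        manifest_path = folder / "manifest.json"
        if not manifest_path.exists():
            findings.append({"id": plugin_id, "issue": "enabled-without-manifest"})
            continue
        manifest = json.loads(manifest_path.read_text())
        if manifest.get("id") != plugin_id:
            findings.append({"id": plugin_id, "issue": "manifest-id-mismatch",
                             "manifest_id": manifest.get("id")})
        if plugin_id not in approved:
            findings.append({"id": plugin_id, "issue": "not-on-allowlist",
                             "loads_code": (folder / "main.js").exists()})
    return findings


def build_sample_vault(root: Path) -> Path:
    """Write a constructed vault: one approved plugin, one unapproved plugin whose
    manifest id differs from its folder, and one enabled id with nothing on disk."""
    cfg = root / ".obsidian"
    for folder, manifest_id in {"calendar": "calendar", "vault-helper": "helper"}.items():
        d = cfg / "plugins" / folder
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": manifest_id, "version": "1.0.0"}))
        (d / "main.js").write_text("// placeholder entry point; Obsidian loads this file\n")
    (cfg / "community-plugins.json").write_text(json.dumps(["calendar", "vault-helper", "sync-bridge"]))
    return root


def run_demo() -> list:
    """Audit the constructed sample vault inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(Path(tmp)))
```

Run against a real vault path, an empty result means every enabled plugin is on the allowlist and its on-disk manifest matches; anything else is worth a look before the vault is opened on a workstation.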
The campaign is part of a broader trend targeting crypto users—an attractive target because blockchain transactions are irreversible. Chainalysis reported $713 million stolen via individual wallet compromises in 2025, underscoring the stakes for better operational security and cautious handling of third-party plugins and shared resources.