Security researchers at Elastic Security Labs have warned that attackers are abusing Obsidian’s community plugin system to deliver malware and seize control of victims’ machines.
According to the report, the campaign uses targeted social engineering on LinkedIn and Telegram to reach people working in crypto and finance. Operators impersonate a venture capital firm and shift conversations to Telegram, claiming to discuss financial services or crypto liquidity solutions. They then ask targets to collaborate using Obsidian as a shared company vault and provide login credentials for a cloud-hosted vault that the attackers control.
The malicious vault is the initial infection vector. Obsidian keeps a vault's community plugin code and the list of enabled plugins inside the vault's own .obsidian folder, so a shared vault can carry a plugin together with the flag that activates it. When a target opens the shared vault in Obsidian and is instructed to enable community plugin sync, the attackers supply trojanized plugins. These plugins appear legitimate but execute code silently when the shared vault is accessed. The campaign has hit both Windows and macOS systems and drops a previously undocumented remote access trojan (RAT) that Elastic has named PHANTOMPULSE.
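As an added example (not code from Elastic's report, from Obsidian, or from the campaign itself), the following Python script inventories the community plugins a vault would load and flags plugin code that uses capabilities a note-taking plugin rarely needs, which is the kind of check a team receiving a "shared company vault" could run before opening it. It builds a constructed two-plugin vault in a temporary directory; the plugin ids, the indicator list and the trojan-like sample are this example's own assumptions, not artifacts from the campaign.

```python
"""Audit which community plugins an Obsidian vault would load, and flag
plugin code with OS-level capabilities.

Obsidian is an Electron app; plugins are JavaScript (main.js) that runs
with Node APIs available, and the vault itself carries the plugin state:
  .obsidian/community-plugins.json      JSON array of enabled plugin ids
  .obsidian/plugins/<id>/manifest.json  plugin metadata (id, name, version)
  .obsidian/plugins/<id>/main.js        plugin code
A shared or synced vault therefore ships both the plugin code and the
"enabled" flag. The INDICATORS below are this example's own heuristics,
not signatures from Elastic's report.
"""
import json
import re
import tempfile
from pathlib import Path

# Heuristic indicators: capabilities that give plugin code OS-level reach.
INDICATORS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "dynamic_eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "base64_decode": re.compile(r"""Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\("""),
    "raw_network": re.compile(r"""require\(\s*['"](?:https?|net|dgram)['"]\s*\)"""),
    "home_dir": re.compile(r"\bos\.homedir\s*\("),
}


def audit_vault(vault: Path) -> dict:
    """Return {'enabled': [ids], 'findings': [dicts]} for one vault."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.exists() else []
    plugins_dir = cfg / "plugins"
    installed = sorted(p for p in plugins_dir.iterdir() if p.is_dir()) if plugins_dir.exists() else []
    findings = []

    # Enabled ids with no code on disk are worth a look in a vault that syncs.
    for pid in enabled:
        if not (plugins_dir / pid).is_dir():
            findings.append({"plugin": pid, "issue": "enabled but not installed"})

    for plugin_dir in installed:
        pid = plugin_dir.name
        manifest_path = plugin_dir / "manifest.json"
        if manifest_path.exists():
            manifest = json.loads(manifest_path.read_text())
            if manifest.get("id") != pid:
                findings.append({"plugin": pid, "issue": f"manifest id {manifest.get('id')!r} != folder name"})
        else:
            findings.append({"plugin": pid, "issue": "missing manifest.json"})

        main_js = plugin_dir / "main.js"
        if main_js.exists():
            src = main_js.read_text(errors="replace")
            hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
            if hits:
                findings.append({"plugin": pid, "issue": "suspicious capabilities",
                                 "indicators": hits, "enabled": pid in enabled})
    return {"enabled": enabled, "findings": findings}


# Constructed sample plugins (hypothetical ids and code, not real plugins).
BENIGN_MAIN_JS = """\
const { Plugin } = require('obsidian');
module.exports = class extends Plugin {
  onload() { this.addCommand({ id: 'hello', name: 'Hello', callback: () => {} }); }
};
"""

# Stand-in for a trojanized plugin: runs a shell command on load with no UI.
# The base64 payload here is a harmless "echo hi".
TROJAN_MAIN_JS = """\
const { Plugin } = require('obsidian');
const { spawn } = require('child_process');
module.exports = class extends Plugin {
  async onload() {
    const cmd = Buffer.from('ZWNobyBoaQ==', 'base64').toString();
    spawn(process.platform === 'win32' ? 'cmd' : 'sh', ['-c', cmd]);
  }
};
"""


def build_sample_vault(root: Path) -> Path:
    """Write a constructed two-plugin vault under root and return its path."""
    vault = root / "shared-company-vault"
    plugins = vault / ".obsidian" / "plugins"
    for pid, name, src in [
        ("vault-notes-helper", "Vault Notes Helper", BENIGN_MAIN_JS),
        ("vc-deal-sync", "VC Deal Sync", TROJAN_MAIN_JS),
    ]:
        d = plugins / pid
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "name": name, "version": "1.0.0"}))
        (d / "main.js").write_text(src)
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["vault-notes-helper", "vc-deal-sync"]))
    return vault


def demo() -> dict:
    """Build the constructed vault in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real vault with `audit_vault(Path("/path/to/vault"))`. The indicators are deliberately coarse: a legitimate plugin can hit `raw_network` or `base64_decode` for good reasons, so treat a hit as a prompt to read the plugin's main.js rather than as a verdict, and pay most attention to plugins that are both flagged and enabled.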
PHANTOMPULSE is disguised to look like legitimate software and gives operators broad remote access while trying to remain stealthy and resilient. A notable feature is its decentralized command-and-control: the RAT retrieves instructions from on-chain transaction data tied to a specific wallet, across at least three different blockchain networks. That makes the control mechanism infrastructure-agnostic and redundant: if one chain is disrupted, the others can still carry commands. It also means the usual responses to C2, domain takedowns and IP blocklists, do little here, because the channel is public ledger data rather than attacker-owned servers; defenders have to key on the RAT's behaviour on the host or on the wallet addresses and blockchain endpoints it queries.
Elastic said it was able to block the attack, but the incident highlights how legitimate productivity tools and community-run plugin ecosystems can be abused to bypass conventional security controls. The researchers recommend that financial and crypto organizations treat collaboration apps as potential attack surfaces and enforce app-level plugin policies or restrictions.
The campaign fits a wider trend of adversaries targeting crypto users. Chainalysis reported that $713 million was stolen through individual wallet compromises in 2025, underlining the urgency of stronger operational security and caution when using third-party plugins and shared resources.
Key takeaways:
– Be wary of unsolicited recruitment or investment outreach on LinkedIn and Telegram that asks you to move to private channels or collaborate in shared apps.
– Do not enable community or third-party plugins in productivity apps unless they come from trusted sources and your organization has policy controls in place. In Obsidian, Restricted mode (Settings > Community plugins) turns community plugins off entirely and is the safe default for any vault received from an outside party.
– Treat shared vaults and cloud-hosted collaboration spaces as potential malware vectors.
– Crypto and finance teams should adopt strict app/plugin governance and consider blocking or closely monitoring plugin sync features. Obsidian Sync's vault configuration options include separate toggles for syncing installed community plugins and the list of active ones; keep them off for vaults shared with external parties, and periodically inventory the .obsidian/plugins folder of any vault that is shared.
Elastic’s findings underscore that attackers increasingly combine social engineering with supply-chain style abuse of popular tools to reach high-value targets in the crypto and finance sectors.