Elastic Security Labs Finds Crypto Users Targeted Through Obsidian Plugins

According to Elastic Security Labs, attackers used social engineering on LinkedIn and Telegram and a malicious Obsidian setup to deploy stealthy malware against cryptocurrency and finance professionals.

Fact Check
The claim is strongly consistent with the validated article "New malware scam targets crypto users through Obsidian notes app," which explicitly says Elastic Security Labs described attackers using LinkedIn and Telegram social engineering plus a malicious Obsidian setup to target cryptocurrency and finance professionals. This matches the user’s wording closely. Corroboration is further supported by the searched Elastic source title "Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT" and the traced Elastic Security Labs X post URL, both of which point to Elastic as the origin of the story. Confidence is medium rather than high because direct fetching of the Elastic report and X post failed in this run, so the primary source could not be independently validated from page contents.
Summary

Elastic Security Labs disclosed on April 15 a social engineering campaign targeting workers in the financial and cryptocurrency sectors. The attackers posed as venture capital firms on LinkedIn and Telegram and lured targets into opening a malicious Obsidian vault. According to the report, the campaign abused Obsidian’s Shell Commands plugin to execute payloads without exploiting a software vulnerability. Elastic Security Labs said the operation deployed PHANTOMPULSE, a previously undocumented Windows remote access trojan, and that the malware used Ethereum transaction data as a blockchain-based command-and-control channel. The report described the malware as stealthy and said the campaign specifically targeted cryptocurrency and finance professionals.

Terms & Concepts
  • PHANTOMPULSE: A previously undocumented Windows remote access trojan identified by Elastic Security Labs in this campaign.
  • Shell Commands plugin: An Obsidian plugin that can run system commands; in this case, it was abused to launch malicious payloads without exploiting a vulnerability.
  • Ethereum transaction data: Data embedded in Ethereum blockchain transactions that the malware used as a command-and-control communication channel.
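As an added defender-side check that is not part of Elastic's report or the Obsidian project's own code: this Python script triages an Obsidian vault's Shell Commands plugin configuration, reporting whether the plugin is enabled and which configured commands look like payload staging or execution. The plugin id, the config file paths under `.obsidian`, and the settings schema are assumptions, and the indicator list is constructed.

```python
"""Triage an Obsidian vault's Shell Commands plugin settings (constructed example)."""
import json
import os
import re

SHELL_PLUGIN_ID = "obsidian-shellcommands"  # assumed plugin id of the community Shell Commands plugin
# Constructed indicators of a configured command that downloads, decodes or launches a payload.
SUSPICIOUS = re.compile(
    r"powershell|cmd(\.exe)?\b|curl|wget|certutil|bitsadmin|mshta|Invoke-|DownloadString|EncodedCommand", re.I)


def _iter_strings(node):
    """Yield every string value found anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _iter_strings(v)


def triage(enabled_plugins, shell_settings):
    """Classify a vault from its enabled-plugin list and the Shell Commands settings document."""
    # Assumed schema: shell_settings["shell_commands"] is a list whose entries keep their command
    # strings under "platform_specific_commands"; anything unexpected is scanned wholesale.
    report = {"shell_commands_enabled": SHELL_PLUGIN_ID in (enabled_plugins or []),
              "commands": [], "suspicious": []}
    if not isinstance(shell_settings, dict):
        shell_settings = {"shell_commands": shell_settings or []}
    for entry in shell_settings.get("shell_commands", [shell_settings]):
        cmds = entry.get("platform_specific_commands", entry) if isinstance(entry, dict) else entry
        for s in _iter_strings(cmds):
            report["commands"].append(s)
            if SUSPICIOUS.search(s):
                report["suspicious"].append(s)
    return report


def _load(path):
    """Parse a JSON file if it exists, else return None (plugin absent or never configured)."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def triage_vault(vault_dir):
    """Read <vault>/.obsidian/community-plugins.json and the plugin's data.json (assumed paths)."""
    cfg = os.path.join(vault_dir, ".obsidian")
    return triage(_load(os.path.join(cfg, "community-plugins.json")),
                  _load(os.path.join(cfg, "plugins", SHELL_PLUGIN_ID, "data.json")))
```

Run `triage_vault(path)` against a vault received from an untrusted contact before opening it in Obsidian; any non-empty `suspicious` list warrants a closer look at the plugin settings.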