Novel Social Engineering Campaign Abuses Obsidian to Deploy PHANTOMPULSE RAT
A sophisticated social engineering campaign is leveraging the **Obsidian** note-taking application to deploy a previously undocumented Windows remote access trojan (RAT) called **PHANTOMPULSE**. The campaign, dubbed **REF6598** by **Elastic Security Labs**, targets individuals in the financial and cryptocurrency sectors.

### Initial Access via LinkedIn and Telegram
The attack begins with elaborate social engineering tactics on **LinkedIn** and **Telegram**. Threat actors pose as a venture capital firm, approaching potential victims on **LinkedIn** and then moving the conversation to a **Telegram** group to establish credibility.
### Abusing Obsidian's Community Plugins
The target is instructed to use **Obsidian** to access a shared dashboard by connecting to a cloud-hosted vault. Opening this vault starts the infection sequence: the user is prompted to enable syncing of "Installed community plugins", and once that sync is enabled the synced plugins execute malicious code.
Researchers Salim Bitam, Samir Bousseaden, and Daniel Stepanic from **Elastic Security Labs** highlighted the abuse of **Obsidian**'s community plugin ecosystem, specifically the [Shell Commands](https://github.com/Taitava/obsidian-shellcommands) and [Hider](https://github.com/kepano/obsidian-hider) plugins. These plugins silently execute code when a victim opens the malicious vault.
The attacker must convince the target to manually enable the community plugin sync, as it's disabled by default. The **Hider** plugin is used in conjunction with **Shell Commands** to conceal certain user interface elements of **Obsidian**.
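As an added example (not code from Elastic's report or from either plugin project), the following Python audit checks a vault's `.obsidian/` configuration for the two plugins named above and for interpreter references in their saved settings. The plugin ids `obsidian-shellcommands` and `obsidian-hider`, the `community-plugins.json` / `plugins/<id>/data.json` layout, and the sample vault it builds are assumptions and constructed data, not artifacts from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Plugin ids assumed from the repositories the report links (assumption)
RISKY_PLUGINS = {"obsidian-shellcommands", "obsidian-hider"}
# Interpreters the report says the vault's commands hand off to (PowerShell, osascript)
INTERPRETER_RE = re.compile(r"powershell|pwsh|cmd\.exe|osascript|/bin/(?:ba|z)?sh", re.I)


def audit_vault(vault_path):
    """Report risky plugins a vault enables/installs, interpreter references in
    their saved settings, and a coarse risk level (low/medium/high)."""
    cfg = Path(vault_path) / ".obsidian"
    findings = {"enabled": [], "installed": [], "interpreters": [], "risk": "low"}
    enabled_file = cfg / "community-plugins.json"   # assumed: JSON list of enabled ids
    if enabled_file.is_file():
        try:
            enabled = json.loads(enabled_file.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            enabled = []
        if isinstance(enabled, list):
            findings["enabled"] = sorted(p for p in enabled if p in RISKY_PLUGINS)
    plugins_dir = cfg / "plugins"                    # assumed: one folder per plugin id
    if plugins_dir.is_dir():
        for plugin in sorted(plugins_dir.iterdir()):
            if plugin.name in RISKY_PLUGINS and (plugin / "main.js").is_file():
                findings["installed"].append(plugin.name)
            settings = plugin / "data.json"
            if settings.is_file():   # grep settings text, without relying on the plugin's schema
                text = settings.read_text(encoding="utf-8", errors="replace")
                hits = {m.group(0).lower() for m in INTERPRETER_RE.finditer(text)}
                findings["interpreters"].extend((plugin.name, h) for h in sorted(hits))
    if findings["enabled"] and findings["interpreters"]:
        findings["risk"] = "high"     # shell-capable plugin enabled and pointed at an interpreter
    elif findings["enabled"] or findings["installed"]:
        findings["risk"] = "medium"   # risky plugin present, no interpreter reference found
    return findings


def demo():
    """Build a CONSTRUCTED vault mirroring the report's setup and audit it."""
    base = Path(tempfile.mkdtemp(prefix="vault-audit-"))
    sc = base / ".obsidian" / "plugins" / "obsidian-shellcommands"
    sc.mkdir(parents=True)
    (base / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider"]))
    (sc / "main.js").write_text("// constructed placeholder")
    (sc / "data.json").write_text(json.dumps({"cmd": "powershell.exe -File CONSTRUCTED.ps1"}))
    return audit_vault(base)
```

Run `demo()` against the constructed vault, or `audit_vault("/path/to/vault")` against a real one, and treat a "high" result as grounds to inspect the vault before opening it in Obsidian.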
### PHANTOMPULSE RAT Deployment
On Windows, the executed commands invoke a **PowerShell** script to drop an intermediate loader called **PHANTOMPULL**, which decrypts and launches **PHANTOMPULSE** in memory.
**PHANTOMPULSE** is an AI-generated backdoor that uses the **Ethereum** blockchain to resolve its command-and-control (C2) server. It fetches the latest transaction associated with a hard-coded wallet address ([https://etherscan.io/address/0xc117688c530b660e15085bF3A2B664117d8672aA](https://etherscan.io/address/0xc117688c530b660e15085bF3A2B664117d8672aA)). The malware uses **WinHTTP** for communication, enabling it to send system telemetry data, fetch commands, transmit execution results, upload files/screenshots, and capture keystrokes.
Supported commands include:
* `inject`: Inject shellcode/DLL/EXE into the target process.
* `drop`: Drop a file to disk and execute it.
* `screenshot`: Capture and upload a screenshot.
* `keylog`: Start/stop a keylogger.
* `uninstall`: Initiate removal of persistence and perform cleanup.
* `elevate`: Escalate privileges to SYSTEM via the [COM elevation moniker](https://learn.microsoft.com/en-us/windows/win32/com/the-com-elevation-moniker).
* `downgrade`: Transition from SYSTEM to elevated admin.
### macOS Attack Vector
On macOS, the **Shell Commands** plugin delivers an obfuscated **AppleScript** dropper that iterates over a hard-coded domain list, using **Telegram** as a dead drop resolver for fallback C2 resolution. This allows for easy rotation of C2 infrastructure.
The dropper script contacts the C2 domain to download and execute a second-stage payload via `osascript`. The exact nature of this payload is currently unknown as the C2 servers are offline. The intrusion was detected and blocked before the adversary could achieve their objectives.
### Conclusion
**Elastic** concludes that **REF6598** demonstrates how threat actors are creatively abusing trusted applications for initial access and employing targeted social engineering. By exploiting **Obsidian**'s community plugin ecosystem, attackers bypass traditional security controls, relying on the application's intended functionality to execute arbitrary code.