New Malware Campaign Targets Crypto Users Through Obsidian, Elastic Security Labs Reports
CMC Crypto News

4 hours ago

Attackers initiate contact with targets on LinkedIn while posing as representatives of a venture capital firm.

Elastic Security Labs has identified a social engineering campaign that targets crypto and finance professionals and uses the note-taking app Obsidian to deploy malware capable of taking full control of victims' devices. The firm published its findings in a report on Tuesday.

Attackers initiate contact with targets on LinkedIn while posing as representatives of a venture capital firm. They steer conversations to Telegram, where they frame discussions around financial services and cryptocurrency liquidity solutions to establish a plausible business context.

Victims are then asked to use Obsidian, which the attackers describe as their company's internal database for accessing a shared dashboard. A login is provided to connect to a cloud-hosted vault controlled by the attackers.

Once the target opens the vault in Obsidian and enables community plugins, trojanized plugins silently execute an attack chain on the device. Elastic described the vault as "the initial access vector" and said the attack works on both Windows and macOS systems.

Both variants deploy a previously undocumented remote access trojan that Elastic named PHANTOMPULSE. The malware is disguised as legitimate software and gives attackers comprehensive remote control over the infected device; according to Elastic, it was built for stealth and resilience.

PHANTOMPULSE uses a decentralized command-and-control mechanism that operates across at least three separate blockchain networks, reading on-chain transaction data tied to a specific wallet to connect to the attacker and receive instructions. Elastic said that this method gives the operator an infrastructure-agnostic setup that does not rely on centralized servers, and that using three independent chains adds redundancy in case one network becomes inaccessible.

Elastic said it was able to block the attack and noted that abusing Obsidian's community plugin ecosystem allowed the attackers to bypass traditional security controls entirely by using the application's own intended functionality. The firm said financial and crypto companies should enforce app-level plugin policies and treat legitimate productivity tools as potential attack vectors. In 2025, $713 million was stolen through compromises of individual crypto wallets, according to Chainalysis.
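Auditing vault plugin configuration is one way to put the plugin policy Elastic recommends into practice. The following Python script is an added example, not code from Elastic or from the article: it walks a directory tree for Obsidian vaults, reads each vault's `.obsidian/community-plugins.json` (the JSON array in which Obsidian records enabled community plugin IDs) and flags enabled plugins that are not on an allowlist or that ship code without a `manifest.json`. The allowlist, the sample vault and the plugin ID `vc-dashboard-sync` are constructed for the example.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed allowlist for this example; a real policy would be managed centrally.
ALLOWED_PLUGINS = {"dataview", "calendar"}

def audit_vault(vault: Path, allowed=ALLOWED_PLUGINS) -> dict:
    """Report enabled community plugins that violate the allowlist for one vault."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"  # JSON array of enabled plugin IDs
    if not enabled_file.is_file():  # community plugins never enabled in this vault
        return {"enabled": [], "not_allowed": [], "missing_manifest": []}
    enabled = sorted(json.loads(enabled_file.read_text(encoding="utf-8")))
    plugins = cfg / "plugins"  # each plugin lives in plugins/<id>/ with manifest.json + main.js
    return {
        "enabled": enabled,
        "not_allowed": [p for p in enabled if p not in allowed],
        # code present without a manifest is unusual for a plugin Obsidian installed itself
        "missing_manifest": [p for p in enabled
                             if (plugins / p / "main.js").is_file()
                             and not (plugins / p / "manifest.json").is_file()],
    }

def find_vaults(root: Path):
    """Yield every directory under root that holds an .obsidian config folder."""
    for dirpath, dirnames, _ in os.walk(root):
        if ".obsidian" in dirnames:
            yield Path(dirpath)
            dirnames.remove(".obsidian")  # do not descend into the config folder itself

def make_sample_vault(root: Path) -> Path:
    """Constructed sample vault: one allowed plugin, one unknown plugin (hypothetical ID) with no manifest."""
    cfg = root / "shared-dashboard" / ".obsidian"
    for pid, with_manifest in (("dataview", True), ("vc-dashboard-sync", False)):
        plugin_dir = cfg / "plugins" / pid
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "main.js").write_text("// plugin code\n", encoding="utf-8")
        if with_manifest:
            (plugin_dir / "manifest.json").write_text(json.dumps({"id": pid}), encoding="utf-8")
    (cfg / "community-plugins.json").write_text(json.dumps(["dataview", "vc-dashboard-sync"]), encoding="utf-8")
    return cfg.parent

def demo() -> dict:
    # Build the constructed vault in a temp dir, locate it with find_vaults, and audit it.
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_vault(Path(tmp))
        return audit_vault(next(find_vaults(Path(tmp))))
if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pointing `find_vaults` at a user's home directory and alerting on any non-empty `not_allowed` list gives a simple endpoint check for vaults that enable plugins outside the approved set.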