
Crypto users are being targeted in a new social engineering scam that exploits the note-taking app Obsidian to deploy device-controlling malware, according to Elastic Security Labs.
The campaign uses LinkedIn and Telegram to impersonate venture capital firms and lure victims into opening shared Obsidian vaults embedded with malicious plugins.
“This vault is the initial access vector,” said Elastic Security Labs, warning that: “Once users enable plugins, the trojanised plugins silently execute the attack chain.”
The attack installs a remote access trojan called PHANTOMPULSE, which gives hackers full control over infected devices across both Windows and macOS systems.
The malware uses blockchain-based infrastructure for command-and-control, allowing it to receive instructions through onchain data without relying on traditional servers.
Elastic said the technique enables attackers to bypass conventional security tools by abusing legitimate app features, highlighting growing sophistication in crypto-targeted scams.
The report underscores the need for stricter security practices, as attackers increasingly exploit trusted productivity tools to gain access to sensitive financial data and crypto wallets.
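Since the lure described above is a shared vault that carries its own plugins, one defensive check is to list what a received vault ships before opening it in Obsidian. The script below is an added example, not code from Elastic's report. It assumes Obsidian's default on-disk layout (`.obsidian/plugins/<id>/manifest.json`, `main.js` and `.obsidian/community-plugins.json`), and the sample vault and the plugin name `sample-helper` are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

def _load_json(path, default):
    """Read JSON, returning `default` if the file is missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return default

def audit_vault(vault):
    """List community plugins shipped inside a vault, without running them."""
    config = Path(vault) / ".obsidian"  # assumption: default config folder name
    enabled = _load_json(config / "community-plugins.json", [])
    enabled = {e for e in enabled if isinstance(e, str)} if isinstance(enabled, list) else set()
    findings = []
    plugin_root = config / "plugins"
    for folder in sorted(plugin_root.iterdir()) if plugin_root.is_dir() else []:
        if not folder.is_dir():
            continue
        manifest = _load_json(folder / "manifest.json", {})
        if not isinstance(manifest, dict):
            manifest = {}
        plugin_id = str(manifest.get("id", folder.name))
        findings.append({
            "id": plugin_id,
            "name": str(manifest.get("name", "unknown")),
            "ships_code": (folder / "main.js").is_file(),  # executable plugin code present
            "pre_enabled": plugin_id in enabled or folder.name in enabled,
        })
    return findings

def build_sample_vault(root):
    """Constructed sample: a shared vault carrying one pre-enabled plugin."""
    config = Path(root) / ".obsidian"
    plugin = config / "plugins" / "sample-helper"
    plugin.mkdir(parents=True)
    (plugin / "manifest.json").write_text(json.dumps({"id": "sample-helper", "name": "Sample Helper"}))
    (plugin / "main.js").write_text("// placeholder, constructed for this example\n")
    (config / "community-plugins.json").write_text(json.dumps(["sample-helper"]))
    (Path(root) / "Notes.md").write_text("# Deal memo\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_vault(build_sample_vault(tmp)):
            flag = "REVIEW" if f["ships_code"] else "info"
            print(f"[{flag}] {f['id']} ({f['name']}) pre_enabled={f['pre_enabled']}")
```

Any plugin folder that ships `main.js` in a vault received from an unknown contact is a reason to leave plugins disabled and review the code first.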