Hackers have found a new way into crypto wallets, and this time, the entry point is a productivity tool most people would never think to distrust.
Elastic Security Labs published a report on Tuesday detailing a previously undocumented attack campaign, internally tracked as REF6598, that weaponizes Obsidian, a widely used note-taking app popular among developers and researchers, to deliver malware on both Windows and macOS devices.
The targets are individuals working in crypto and finance, and the approach is unsettlingly low-tech at the front end, even as the malware itself is highly sophisticated.
The campaign begins on LinkedIn, where attackers pose as representatives of a venture capital firm. Once initial contact is made, the conversation migrates to Telegram, where additional fake “partners” are introduced to add credibility.
The discussion centers on cryptocurrency liquidity solutions, a plausible enough topic to keep a finance professional engaged. Then comes the ask: use Obsidian to access a shared company dashboard, framed as an internal management database.
The target is given login credentials for a cloud-hosted Obsidian vault controlled entirely by the attackers. When they open it, they’re instructed to enable community plugin sync, a legitimate Obsidian feature. That single step is what triggers everything.
A trojan hidden in plain functionality
Two community plugins, Shell Commands and Hider, are at the center of the attack. Shell Commands is a legitimate plugin that lets users run platform-specific commands based on triggers like app startup. In the attackers’ vault, it has been preconfigured to silently execute malicious code the moment the vault loads.
The Hider plugin, meanwhile, conceals Obsidian’s interface elements to keep the victim from noticing anything unusual. What makes this particularly hard to catch is that no software vulnerability is being exploited. Obsidian isn’t broken. The plugins aren’t fake.
The attackers are simply using the app’s own intended features to execute arbitrary code, which means traditional antivirus tools looking for suspicious binaries or unauthorized processes may not raise any flags at all.
“By abusing Obsidian’s community plugin ecosystem rather than exploiting a software vulnerability, the attackers bypass traditional security controls entirely,” Elastic noted in its report, “relying on the application’s intended functionality to execute arbitrary code.”
On Windows, the attack chain deploys a previously unknown remote access trojan that Elastic has named PHANTOMPULSE, loaded through an intermediate loader called PHANTOMPULL.
The loader uses AES-256-CBC encryption, reflective in-memory execution, and a timer queue callback to dodge sandbox detection. On macOS, the chain deploys an obfuscated AppleScript dropper that establishes persistence via a LaunchAgent, ensuring it survives reboots.
Once PHANTOMPULSE is running, attackers have sweeping control. The malware can capture keystrokes, take screenshots, inject code into other processes, escalate system privileges, and exfiltrate data. It sends a comprehensive heartbeat to attacker-controlled servers, including CPU model, GPU, RAM, installed applications, antivirus products, and the victim’s public IP address.
Perhaps the most technically striking element is how PHANTOMPULSE locates its command-and-control server. Rather than relying on a static domain, which can be blocked or taken down, the malware queries three separate public blockchain networks: Ethereum, Base, and Optimism.
It reads the most recent transaction on a hardcoded wallet address and extracts the C2 URL from the transaction’s input data, XOR-decrypting it using the wallet address as the key. Elastic noted this gives the operators “infrastructure-agnostic rotation capability,” since publishing a new C2 server requires nothing more than submitting a blockchain transaction. The use of three chains adds further redundancy: if one explorer is blocked, the others remain available.
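As an added illustration of the resolution step described above (this is analyst-side decoding written for this article, not code from Elastic or from the malware), the routine below takes a transaction’s input data and the hardcoded wallet address and recovers the C2 URL so it can be blocklisted. The report does not say whether the XOR key is the address’s raw 20 bytes or its ASCII text; raw bytes are assumed here, and the wallet, URL and input data are constructed placeholders.

```python
import re
from typing import Optional

def address_key(wallet_address: str) -> bytes:
    """Turn a 0x-prefixed EVM address into its raw 20 key bytes.
    ASSUMPTION: raw bytes, not the ASCII string, are the XOR key."""
    addr = wallet_address.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if not re.fullmatch(r"[0-9a-f]{40}", addr):
        raise ValueError("wallet address must be 20 hex-encoded bytes")
    return bytes.fromhex(addr)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_c2_url(input_data_hex: str, wallet_address: str) -> Optional[str]:
    """Decode a transaction's input data with the wallet-derived key and
    return the C2 URL, or None when the bytes do not form a plausible URL
    (wrong key, wrong transaction, or an unrelated transfer)."""
    hex_str = input_data_hex.lower()
    hex_str = hex_str[2:] if hex_str.startswith("0x") else hex_str
    payload = bytes.fromhex(hex_str)
    decoded = xor_with_key(payload, address_key(wallet_address))
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Only accept printable http(s) URLs; anything else is noise.
    if not re.fullmatch(r"https?://[\x21-\x7e]+", text):
        return None
    return text

# Constructed sample: placeholder wallet and a reserved-TLD URL, XOR-encoded
# with the same routine so the example runs offline.
SAMPLE_WALLET = "0x" + "ab" * 20
SAMPLE_INPUT_DATA = "0x" + xor_with_key(
    b"https://c2.example.invalid/beacon", address_key(SAMPLE_WALLET)).hex()

if __name__ == "__main__":
    print(recover_c2_url(SAMPLE_INPUT_DATA, SAMPLE_WALLET))
```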
Elastic researchers also identified a flaw in this mechanism: because the malware selects whichever transaction is most recent, a third party who recovers the wallet address and XOR key from the binary could theoretically submit their own transaction and redirect all infected devices to a sinkhole, effectively hijacking the attacker’s own botnet.
More broadly, crypto wallet compromises accounted for $713 million in losses in 2025, according to Chainalysis, and the attack surface is only growing as more professionals in the sector rely on productivity tools integrated into their daily workflows. The stablecoin market alone now exceeds $300 billion, making the finance-and-crypto space an ever more attractive hunting ground.
Elastic said it was able to block the attack before PHANTOMPULSE could execute in the observed intrusion. The firm recommended that financial and crypto organizations enforce app-level plugin policies, monitor for child processes spawned by Obsidian, and treat any unsolicited request to enable community plugin sync as a potential red flag, regardless of how legitimate the source appears.
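One way to act on the “monitor for child processes spawned by Obsidian” recommendation, as an added example written for this article rather than a rule from Elastic: the detection below runs over process-creation events (constructed JSON lines, with placeholder hosts and paths) and flags any shell or script interpreter whose parent is the Obsidian process on Windows or macOS, while ignoring Obsidian’s own renderer children and shells launched by other parents.

```python
import json
from typing import Dict, List

# Image names that identify Obsidian as the parent on each platform.
OBSIDIAN_IMAGES = {"obsidian.exe", "obsidian"}

# Shells and script hosts a note-taking app has no routine reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "sh", "bash", "zsh", "osascript", "curl",
}

def image_name(path: str) -> str:
    """Reduce a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def flag_obsidian_children(events: List[Dict]) -> List[Dict]:
    """Return one finding per event whose parent is Obsidian and whose child
    is a shell or script interpreter; everything else passes silently."""
    findings = []
    for ev in events:
        parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
        if parent in OBSIDIAN_IMAGES and child in SUSPICIOUS_CHILDREN:
            findings.append({"host": ev["host"], "parent": parent,
                             "child": child, "command_line": ev["command_line"]})
    return findings

def detect_from_jsonl(text: str) -> List[Dict]:
    """Parse JSON-lines process telemetry and run the detection over it."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return flag_obsidian_children(events)

# Constructed sample telemetry: two malicious launches (Windows cmd.exe and a
# macOS osascript dropper) and two benign events that must not fire.
SAMPLE_EVENTS = r"""
{"host": "win-01", "parent_image": "C:\\Users\\u\\AppData\\Local\\Obsidian\\Obsidian.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c start /min C:\\ProgramData\\placeholder_loader.exe"}
{"host": "win-01", "parent_image": "C:\\Users\\u\\AppData\\Local\\Obsidian\\Obsidian.exe", "image": "C:\\Users\\u\\AppData\\Local\\Obsidian\\Obsidian.exe", "command_line": "Obsidian.exe --type=renderer"}
{"host": "win-02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"}
{"host": "mac-01", "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian", "image": "/usr/bin/osascript", "command_line": "osascript -e <placeholder obfuscated AppleScript>"}
"""

if __name__ == "__main__":
    for hit in detect_from_jsonl(SAMPLE_EVENTS):
        print(hit)
```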