Hackers exploit Obsidian plugins to spread stealth malware



TLDR

  • Hackers are misusing Obsidian plugins to spread stealth malware on devices
  • Fake LinkedIn venture capital scams push victims to malicious Obsidian plugins
  • PHANTOMPULSE malware spreads via Obsidian plugins and cloud lockers
  • Crypto users were targeted over Telegram in an attack built on Obsidian plugins
  • A new scam uses Obsidian plugins to bypass security and steal access

Cryptocurrency users face a growing threat as attackers exploit Obsidian plugins to spread stealthy malware through social engineering methods. The campaign targets finance professionals and is spread across LinkedIn and Telegram conversations. Furthermore, misuse of Obsidian plugins allows attackers to bypass security tools and execute hidden code.

The social engineering campaign uses Obsidian plugins as an entry point

Attackers initiate contact via LinkedIn, posing as… venture capital companies targeting crypto professionals. They later move the conversation to Telegram, where the fake partners build a trusted working relationship. They then convince targets to access shared dashboards using Obsidian plugins.

Attackers present Obsidian as a legitimate database tool for financial collaboration. They provide login credentials to access a cloud-hosted vault controlled by malicious actors. Once the victim opens the vault, the attackers send instructions to enable Obsidian plugin synchronization.

This step triggers an execution chain in which trojanized Obsidian plugins silently run malicious scripts. The attack uses built-in plugin features to execute code without raising alerts. Instead of traditional malware delivery methods, the attackers exploit the expected behavior of trusted software.

PHANTOMPULSE malware expands the cross-platform threat

Security researchers at Elastic Security Labs have identified a new remote access Trojan (RAT) called PHANTOMPULSE. The malware runs on Windows and macOS with separate execution paths. Obsidian plugins serve as the primary access vector for deploying the payloads.

On Windows, the malware uses encrypted loaders and in-memory execution techniques to avoid detection. It relies on AES-256 encryption and reflective loading to stay hidden while it runs. macOS systems receive an obfuscated AppleScript dropper with a fallback command mechanism.

PHANTOMPULSE uses a decentralized command-and-control system that communicates through blockchain transactions. It retrieves instructions from blockchain data linked to a wallet across multiple networks. As a result, the malware does not depend on central servers and keeps operating even if part of its infrastructure is disrupted.

Rising crypto threats highlight vulnerability in trusted tools

Crypto platforms remain attractive targets because blockchain transactions are irreversible and wallets hold high value. In 2025, attackers stole more than $713 million from individual wallets, highlighting the growing risks. Obsidian plugins give attackers a new way to bypass standard defenses.

The campaign demonstrates how legitimate productivity tools can become attack vectors when misused. Attackers exploit plugin ecosystems to run arbitrary code without triggering traditional security alerts. Organizations should monitor and restrict the use of third-party plugins in critical environments.

Security teams now recommend enforcing strict plugin policies and restricting access to external plugin repositories. They also advise verifying the source of any plugin before installing or enabling it in Obsidian. Awareness and control remain key defenses against sophisticated social engineering threats.
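The recommendations above (restrict third-party plugins, verify their source before enabling them) can be turned into a routine check. The following is an added example, not code from the article or from Elastic Security Labs: it inventories the plugins installed in an Obsidian vault, hashes each plugin's `main.js`, and compares the result against an allowlist of approved plugin IDs and reviewed build hashes. It assumes the standard vault layout (`.obsidian/community-plugins.json` listing enabled plugin IDs and `.obsidian/plugins/<id>/main.js` for each installed plugin); the plugin names, file contents and policy are constructed for the demonstration.

```python
"""Audit an Obsidian vault's community plugins against an allowlist of approved builds.

Added defensive example. Assumes the standard vault layout:
  <vault>/.obsidian/community-plugins.json   -> JSON array of enabled plugin IDs
  <vault>/.obsidian/plugins/<id>/main.js     -> the plugin's executable code
All plugin names, contents and the policy below are constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for a plugin build that went through review.
APPROVED_MAIN_JS = b"/* constructed: reviewed build */ module.exports = {};\n"

# Policy: plugin ID -> set of SHA-256 digests of main.js builds that were reviewed.
# A plugin ID absent from the policy is not allowed at all.
SAMPLE_POLICY = {
    "notes-tables": {hashlib.sha256(APPROVED_MAIN_JS).hexdigest()},
    "daily-review": {"0" * 64},  # constructed: an older approved build, not the one installed
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def enabled_plugins(vault: Path) -> set:
    """Plugin IDs Obsidian will load on startup (empty set if none are enabled)."""
    cfg = vault / ".obsidian" / "community-plugins.json"
    if not cfg.is_file():
        return set()
    return set(json.loads(cfg.read_text("utf-8")))


def installed_plugins(vault: Path) -> dict:
    """Map of plugin ID -> SHA-256 of main.js for every plugin directory present on disk."""
    plugdir = vault / ".obsidian" / "plugins"
    found = {}
    if not plugdir.is_dir():
        return found
    for entry in sorted(plugdir.iterdir()):
        main_js = entry / "main.js"
        if entry.is_dir() and main_js.is_file():
            found[entry.name] = sha256_file(main_js)
    return found


def audit_vault(vault, policy: dict) -> list:
    """Return one finding per installed plugin, plus one for any enabled ID with no files.

    Verdicts: approved, unapproved-plugin (ID not in policy),
    unapproved-build (ID allowed but main.js hash not reviewed), enabled-missing-files.
    Disabled plugins are still reported: an installed-but-disabled plugin can be
    switched on by a single click or by the plugin-sync step the article describes.
    """
    vault = Path(vault)
    enabled = enabled_plugins(vault)
    installed = installed_plugins(vault)
    findings = []
    for plugin_id, digest in installed.items():
        approved_hashes = policy.get(plugin_id)
        if approved_hashes is None:
            verdict = "unapproved-plugin"
        elif digest not in approved_hashes:
            verdict = "unapproved-build"
        else:
            verdict = "approved"
        findings.append({"plugin": plugin_id, "enabled": plugin_id in enabled,
                         "sha256": digest, "verdict": verdict})
    for plugin_id in sorted(enabled - set(installed)):
        findings.append({"plugin": plugin_id, "enabled": True,
                         "sha256": None, "verdict": "enabled-missing-files"})
    return findings


def build_sample_vault() -> Path:
    """Create a constructed vault in a temp dir: one approved plugin, one unknown plugin
    that is enabled, and one allowed plugin whose installed build was never reviewed."""
    vault = Path(tempfile.mkdtemp(prefix="obsidian-audit-"))
    plugins = {
        "notes-tables": APPROVED_MAIN_JS,                                  # approved, enabled
        "vault-sync-dashboard": b"/* constructed: unknown code */ x();\n",  # not in policy, enabled
        "daily-review": b"/* constructed: unreviewed build */\n",          # allowed ID, wrong hash
    }
    for plugin_id, code in plugins.items():
        d = vault / ".obsidian" / "plugins" / plugin_id
        d.mkdir(parents=True)
        (d / "main.js").write_bytes(code)
        (d / "manifest.json").write_text(json.dumps({"id": plugin_id, "version": "0.0.1"}))
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["notes-tables", "vault-sync-dashboard"]))
    return vault


if __name__ == "__main__":
    for finding in audit_vault(build_sample_vault(), SAMPLE_POLICY):
        flag = "" if finding["verdict"] == "approved" else "  <-- review"
        print(f"{finding['plugin']:<24} enabled={finding['enabled']!s:<5} {finding['verdict']}{flag}")
```

Pointing `audit_vault` at real vault paths (for example from a fleet inventory) gives a list of plugins that were never reviewed or whose code changed since review, which is the condition an attacker-controlled "shared dashboard" vault with plugin sync turned on would create. Hash pinning rather than an ID-only allowlist matters here because a plugin ID is whatever the attacker writes into `manifest.json`.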
