Full Report
A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage
Analysis Summary
# Incident Report: Campaign REF6598 - PHANTOMPULSE Malware Distribution via Obsidian
## Executive Summary
A sophisticated social engineering campaign, tracked as REF6598, targeted individuals in the financial and cryptocurrency sectors by repurposing the Obsidian note-taking application. Attackers utilized malicious plugins to deploy a novel Windows Remote Access Trojan (RAT) named PHANTOMPULSE. The campaign marks a shift in initial access vectors, leveraging the trust associated with popular productivity tools to establish long-term persistence and control.
## Incident Details
- **Discovery Date:** Recent (Reported by Elastic Security Labs)
- **Incident Date:** 2024 (Ongoing)
- **Affected Organization:** Unspecified individuals
- **Sector:** Financial and Cryptocurrency
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** 2024 Initial Campaign Start
- **Vector:** Social Engineering / Malicious Plugin Distribution
- **Details:** Attackers lured targets into downloading or interacting with highly customized Obsidian vaults or "community" plugins. These files contained embedded malicious scripts designed to execute upon the application's launch or plugin activation.
### Lateral Movement
- **Details:** Once the PHANTOMPULSE RAT is executed, it establishes a foothold. While specific internal movement details vary by target, the RAT provides the capabilities for remote shell execution and credential harvesting to facilitate broader network access.
### Data Exfiltration/Impact
- **Details:** The primary impact is the compromise of sensitive financial data, cryptocurrency wallet keys, and personal credentials. The PHANTOMPULSE RAT allows for full file system access and data exfiltration to attacker-controlled infrastructure.
### Detection & Response
- **How it was discovered:** Anomalous behavior within Obsidian execution flows was identified by Elastic Security Labs during routine threat hunting.
- **Response actions taken:** Security researchers reverse-engineered the malware, identified the command-and-control (C2) infrastructure, and published Indicators of Compromise (IOCs).
## Attack Methodology
- **Initial Access:** Social engineering via malicious Obsidian plugins/vaults.
- **Persistence:** Installation of the PHANTOMPULSE RAT, which likely relies on Registry Run keys or scheduled tasks to survive reboots.
- **Privilege Escalation:** Exploitation of local privilege-escalation vulnerabilities when the victim is running without administrator rights.
- **Defense Evasion:** Use of legitimate application (Obsidian) processes to mask malicious activity; code obfuscation within the PHANTOMPULSE binary.
- **Credential Access:** Harvesting browser-stored credentials and cryptocurrency wallet files.
- **Discovery:** System environment reconnaissance and network configuration discovery.
- **Lateral Movement:** Capabilities for remote execution via RDP or SSH tunneling.
- **Collection:** Automated searching for specific file extensions related to finance/crypto.
- **Exfiltration:** HTTPS-based data transfer to C2 servers.
- **Impact:** Financial theft and unauthorized remote access.
## Impact Assessment
- **Financial:** High potential loss due to the targeting of cryptocurrency assets.
- **Data Breach:** Compromise of personal identifying information (PII) and secret keys.
- **Operational:** Disruption of personal financial management tools; compromise of local machine integrity.
- **Reputational:** Damage to trust within the Obsidian user community and plugin ecosystem.
## Indicators of Compromise
- **Network Indicators:**
  - hxxps[://]phantom-pulse[.]com/api/v1 (Defanged)
  - hxxps[://]ref6598-c2[.]net (Defanged)
- **File Indicators:**
  - PHANTOMPULSE.exe (and associated SHA-256 hashes)
  - malicious_obsidian_plugin.js
- **Behavioral Indicators:**
  - Obsidian.exe spawning suspicious child processes (cmd.exe or powershell.exe).
  - Unexpected outbound network connections from the Obsidian process.
## Response Actions
- **Containment:** Identify and isolate machines running the malicious Obsidian plugins.
- **Eradication:** Remove the PHANTOMPULSE RAT binaries and delete the associated Obsidian vaults/plugins.
- **Recovery:** Reset all credentials (especially crypto keys) stored on the affected device from a clean machine.
## Lessons Learned
- **Key Takeaways:** Attackers are increasingly targeting third-party productivity app ecosystems (Obsidian, Notion, etc.), which traditional security sandboxing often overlooks.
- **Blind Spots:** Over-reliance on the "legitimacy" of the parent application (Obsidian) allowed the malicious code to bypass initial scrutiny.
## Recommendations
- **User Education:** Train staff and users to install Obsidian plugins only from verified, widely downloaded sources and to be wary of third-party "vault" sharing.
- **Endpoint Security:** Implement Endpoint Detection and Response (EDR) policies that flag unusual parent-child process relationships (e.g., note-taking apps launching shells).
- **Strict Configuration:** Use application whitelisting or restrictive execution policies for plugins within productivity software.
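The two behavioral indicators listed under Indicators of Compromise and the EDR recommendation above (flagging note-taking apps that launch shells) can be expressed as a small detection routine run over endpoint telemetry. The following Python is an added example, not code from the original report or from Elastic Security Labs. The JSON field names (`event`, `image`, `parent_image`, `command_line`, `dest_host`, `dest_port`), the list of suspicious child processes and the allow-list of expected Obsidian destinations are this example's own assumptions, and the sample log lines are constructed.

```python
"""Detection logic for the REF6598 behavioral indicators, run over constructed
endpoint telemetry (Sysmon-style process-create and network-connect events).
Added example; field names and allow-lists are assumptions, not from the report."""
import json
from dataclasses import dataclass

# Shells and script hosts a note-taking application has no reason to spawn.
# Electron renderer children (Obsidian.exe -> Obsidian.exe) are deliberately not listed.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Assumed allow-list of hosts Obsidian legitimately contacts (updates, plugin
# downloads). Tune this per environment; it is an assumption of this example.
EXPECTED_DESTINATIONS = {
    "api.obsidian.md", "github.com",
    "raw.githubusercontent.com", "objects.githubusercontent.com",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON-lines telemetry; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Apply the two rules and return alerts in event order."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create":
            parent = basename(ev.get("parent_image", ""))
            child = basename(ev.get("image", ""))
            # Rule 1: Obsidian.exe spawning a shell or script host.
            if parent == "obsidian.exe" and child in SUSPICIOUS_CHILDREN:
                alerts.append(Alert(
                    "obsidian_spawns_shell", ev["pid"],
                    f"{parent} -> {child}: {ev.get('command_line', '')}"))
        elif kind == "network_connect":
            image = basename(ev.get("image", ""))
            host = (ev.get("dest_host") or "").lower()
            # Rule 2: outbound connection from Obsidian to a non-allow-listed host.
            if image == "obsidian.exe" and host not in EXPECTED_DESTINATIONS:
                alerts.append(Alert(
                    "obsidian_unexpected_egress", ev["pid"],
                    f"{host}:{ev.get('dest_port')}"))
    return alerts


# Constructed sample telemetry: one benign launch, one renderer child, one shell
# spawn, one expected connection, one placeholder C2 host, one malformed line,
# and one shell spawn from a different parent that these rules ignore.
SAMPLE_TELEMETRY = [
    r'{"event":"process_create","pid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"Obsidian.exe"}',
    r'{"event":"process_create","pid":4188,"image":"C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe","parent_image":"C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe","command_line":"Obsidian.exe --type=renderer"}',
    r'{"event":"process_create","pid":5312,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe","command_line":"cmd.exe /c whoami"}',
    r'{"event":"network_connect","pid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe","dest_host":"api.obsidian.md","dest_port":443}',
    r'{"event":"network_connect","pid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe","dest_host":"c2-placeholder.example","dest_port":443}',
    r'{"event":"process_create","pid":6000,"image":"C:\\Windows\\System32\\cmd.exe" THIS LINE IS MALFORMED',
    r'{"event":"process_create","pid":6100,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","command_line":"cmd.exe /c dir"}',
]


def run_detection():
    """Run both rules over the constructed sample and return the alerts."""
    return detect(parse_events(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for alert in run_detection():
        print(f"[{alert.rule}] pid={alert.pid} {alert.detail}")
```

Both rules key on the parent process name only, so a renamed binary would not match; in production, pair this with image hash or signer checks from the EDR rather than relying on the file name alone.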