Obsidian plugin scam lures crypto pros via LinkedIn, Telegram

Scammers used LinkedIn and Telegram to push crypto professionals to attacker-run Obsidian vaults that installed the PHANTOMPULSE RAT using community plugins.

Elastic Security Labs reported on Tuesday that scammers contacted crypto and finance professionals on LinkedIn and Telegram and persuaded them to open attacker-controlled Obsidian cloud vaults. When victims enabled community plugin sync, the plugins delivered PHANTOMPULSE, a previously undocumented remote access trojan that communicates with operators through transactions on multiple blockchains.

The campaign used detailed social engineering. Attackers posed as a venture capital firm on LinkedIn, moved conversations to Telegram, and discussed financial services and cryptocurrency liquidity solutions to build credibility. Targets were told to use Obsidian as a shared company database and were given credentials to connect to a cloud-hosted vault controlled by the attackers. “This vault is the initial access vector,” the report states.

After a victim opened the malicious vault and enabled community plugins, trojanized plugins executed an attack chain without visible prompts. The campaign affected both Windows and macOS devices. The trojan, named PHANTOMPULSE by the researchers, was disguised as legitimate software and gave operators remote control of infected machines while aiming to remain stealthy.

PHANTOMPULSE uses an unconventional command-and-control method that reads on-chain transaction data tied to a specific wallet to receive instructions. “Because blockchain transactions are immutable and publicly accessible, the malware can always locate its C2 without relying on centralized infrastructure,” the report notes. The malware checks at least three different blockchain networks so operators can continue to reach infected hosts if one chain or its explorer is blocked.

Elastic reported it blocked the campaign. The report cites Chainalysis data showing $713 million was stolen in 2025 through compromises of individual crypto wallets.

The researchers recommended that financial and crypto firms enforce app-level plugin policies, restrict automatic plugin sync, and be cautious about unsolicited recruitment or business outreach that requests use of specific third-party tools or access to shared resources. Obsidian supports community-developed plugins and cloud-hosted vaults; when plugin sync is enabled, community plugins can run code on a user’s device.
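One practical way for a security team to act on the plugin-policy recommendation is to inventory which community plugins are enabled in each Obsidian vault and flag plugin code that reaches outside the editor (spawning processes, dynamic code evaluation). The script below is an added example for this article, not code from Elastic or Obsidian. It relies on the vault layout Obsidian uses (`.obsidian/community-plugins.json` listing enabled plugin ids, and `.obsidian/plugins/<id>/manifest.json` plus `main.js` for each plugin); the string patterns it searches for are an assumed triage heuristic, not a signature for PHANTOMPULSE, and the sample vault it builds is constructed inline so the audit can be run offline.

```python
"""Audit Obsidian vaults for enabled community plugins and risky plugin code.

Added example (not from the article's source report). Assumes the standard
Obsidian vault layout; the regex heuristics below are an assumption for
triage, meant to send a plugin to human review, not to prove it malicious.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# Heuristic markers of plugin code that leaves the editor's normal scope.
# Legitimate plugins can match these too; a hit means "review", not "block".
SUSPICIOUS_PATTERNS = {
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "exec/spawn call": re.compile(r"\b(exec|execSync|spawn|spawnSync)\s*\("),
    "dynamic eval": re.compile(r"\b(eval|new Function)\s*\("),
    "powershell": re.compile(r"powershell", re.IGNORECASE),
}


def enabled_plugins(vault: Path) -> list[str]:
    """Return plugin ids listed as enabled in .obsidian/community-plugins.json."""
    cfg = vault / ".obsidian" / "community-plugins.json"
    if not cfg.is_file():
        return []
    try:
        data = json.loads(cfg.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return []
    return [p for p in data if isinstance(p, str)] if isinstance(data, list) else []


def inspect_plugin(vault: Path, plugin_id: str) -> dict:
    """Read a plugin's manifest and scan its main.js for the heuristic markers."""
    pdir = vault / ".obsidian" / "plugins" / plugin_id
    manifest: dict = {}
    mpath = pdir / "manifest.json"
    if mpath.is_file():
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            manifest = {}
    main_js = pdir / "main.js"
    findings: list[str] = []
    if main_js.is_file():
        src = main_js.read_text(encoding="utf-8", errors="replace")
        findings = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(src)]
    return {
        "id": plugin_id,
        "name": manifest.get("name", "<no manifest>"),
        "version": manifest.get("version", "?"),
        "has_main_js": main_js.is_file(),  # enabled but absent = stale or pending sync
        "findings": findings,
    }


def audit_vault(vault: Path) -> list[dict]:
    """Inspect every enabled community plugin in one vault."""
    return [inspect_plugin(vault, pid) for pid in enabled_plugins(vault)]


def build_sample_vault(root: Path) -> Path:
    """Create a constructed sample vault: one benign plugin, one that spawns a
    process, and one enabled id with no plugin folder on disk."""
    vault = root / "sample-vault"
    plugins = vault / ".obsidian" / "plugins"
    plugins.mkdir(parents=True)
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["calendar-helper", "vault-sync-helper", "missing-plugin"]),
        encoding="utf-8",
    )
    benign = plugins / "calendar-helper"
    benign.mkdir()
    (benign / "manifest.json").write_text(
        json.dumps({"id": "calendar-helper", "name": "Calendar Helper", "version": "1.0.0"})
    )
    (benign / "main.js").write_text(
        "const { Plugin } = require('obsidian');\n"
        "module.exports = class extends Plugin {\n"
        "  onload() { this.addCommand({ id: 'today', name: 'Today', callback: () => {} }); }\n"
        "};\n"
    )
    risky = plugins / "vault-sync-helper"
    risky.mkdir()
    (risky / "manifest.json").write_text(
        json.dumps({"id": "vault-sync-helper", "name": "Vault Sync Helper", "version": "0.1.2"})
    )
    (risky / "main.js").write_text(
        "const { Plugin } = require('obsidian');\n"
        "const cp = require('child_process');\n"
        "module.exports = class extends Plugin {\n"
        "  onload() { cp.spawn('node', ['-e', 'process.exit(0)']); }\n"
        "};\n"
    )
    return vault


if __name__ == "__main__":
    import tempfile

    sample = build_sample_vault(Path(tempfile.mkdtemp()))
    for entry in audit_vault(sample):
        status = "REVIEW" if entry["findings"] else ("MISSING" if not entry["has_main_js"] else "ok")
        print(f"{status:7} {entry['id']} ({entry['name']} {entry['version']}) {entry['findings']}")
```

Run it against real vaults by replacing the sample path with the vault directories on a managed endpoint; the `has_main_js` flag is worth tracking separately, because an id that is enabled but not yet present on disk is exactly the state a synced vault is in just before plugin sync pulls the code down.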
