
Obsidian plugin was abused to deploy a remote access trojan

A new, sophisticated Remote Access Trojan (PHANTOMPULSE) is leveraging social engineering and Obsidian plugins to target financial and crypto professionals. The malware's innovative use of the Ethereum blockchain for command-and-control adds a layer of resilience, making it particularly difficult to disrupt. This incident sparks significant debate on Hacker News regarding application security models, user responsibility, and the inherent risks of permissive plugin architectures.

Hacker News stats:

  • Score: 42
  • Comments: 19
  • Highest rank: #4
  • Time on front page: 13h
  • First seen: May 10, 11:00 PM
  • Last seen: May 11, 11:00 AM
  • Rank over time (hourly): 4 5 5 6 6 7 7 7 7 6 6 6 8

The Lowdown

Security researchers have uncovered a highly targeted social engineering campaign (REF6598) that exploits the popular note-taking application Obsidian to deploy a previously undocumented Remote Access Trojan (RAT) called PHANTOMPULSE. The attack primarily targets individuals in the financial and cryptocurrency sectors across both Windows and macOS.

The attack chain involves several key steps:

  • Social Engineering: Threat actors impersonate venture capitalists on platforms like LinkedIn and Telegram, building trust with targets.
  • Malicious Lure: Victims are invited to collaborate on a seemingly innocuous shared Obsidian vault.
  • Plugin Activation: The core of the attack relies on tricking the victim into manually enabling the "Installed community plugins" synchronization feature within the shared vault. Doing so activates malicious versions of legitimate Obsidian plugins (such as 'Shell Commands' and 'Hider') bundled in the vault.
  • Payload Delivery: The activated plugins run scripts (PowerShell on Windows, AppleScript on macOS) that drop a loader, PHANTOMPULL, which decrypts the PHANTOMPULSE RAT and launches it directly in memory to avoid leaving a file on disk.
  • Advanced C2: PHANTOMPULSE resolves its command-and-control (C2) server address dynamically from the Ethereum blockchain, with the C2 information embedded in transaction data. Because the blockchain cannot be taken down, the operators can rotate infrastructure without any server or domain to seize.
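The attack chain hinges on a vault shipping its own copies of enabled community plugins, so a defender's first check is simple: which plugins does this vault enable, and can their bundled code spawn processes? The Python script below is an added example written for this summary; it is not from the article, the Hacker News thread, or Obsidian itself. It assumes the vault layout I know Obsidian uses, with `.obsidian/community-plugins.json` listing enabled plugin ids and `.obsidian/plugins/<id>/main.js` holding each plugin's code, and the sample vault it builds is a constructed fixture rather than any real plugin.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators that a plugin's bundled main.js can execute commands on the host.
# A hit means "this plugin has process-execution capability", not "this plugin
# is malicious": the genuine Shell Commands plugin will trip these on purpose.
EXEC_PATTERNS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "exec_or_spawn": re.compile(r"\b(exec|execSync|execFile|spawn|spawnSync)\s*\("),
    "powershell": re.compile(r"powershell", re.IGNORECASE),
    "osascript": re.compile(r"osascript", re.IGNORECASE),
}


def audit_vault(vault: Path) -> dict:
    """Return {plugin_id: {"has_code": bool, "indicators": [...]}} for each
    plugin the vault enables. Assumed layout: .obsidian/community-plugins.json
    lists enabled ids; .obsidian/plugins/<id>/main.js is the plugin's code."""
    enabled_file = vault / ".obsidian" / "community-plugins.json"
    if not enabled_file.is_file():
        return {}
    report = {}
    for plugin_id in json.loads(enabled_file.read_text()):
        main_js = vault / ".obsidian" / "plugins" / plugin_id / "main.js"
        entry = {"has_code": main_js.is_file(), "indicators": []}
        if entry["has_code"]:
            source = main_js.read_text(errors="replace")
            entry["indicators"] = [
                name for name, rx in EXEC_PATTERNS.items() if rx.search(source)
            ]
        report[plugin_id] = entry
    return report


def risky_plugins(report: dict) -> list:
    """Plugin ids whose shipped code shows any execution indicator."""
    return sorted(pid for pid, e in report.items() if e["indicators"])


def build_sample_vault() -> Path:
    """Constructed fixture: one inert plugin and one that shells out.
    Neither body is real plugin code."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    (root / ".obsidian").mkdir()
    (root / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["benign-notes", "shell-runner"])
    )
    bodies = {
        "benign-notes": "const { Plugin } = require('obsidian');\n"
                        "module.exports = class extends Plugin {};\n",
        "shell-runner": "const { exec } = require('child_process');\n"
                        "exec('powershell -NoProfile -File sync.ps1');\n",
    }
    for pid, body in bodies.items():
        plugin_dir = root / ".obsidian" / "plugins" / pid
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "manifest.json").write_text(json.dumps({"id": pid, "name": pid}))
        (plugin_dir / "main.js").write_text(body)
    return root


if __name__ == "__main__":
    vault = build_sample_vault()
    report = audit_vault(vault)
    for pid, entry in report.items():
        print(f"{pid}: code={entry['has_code']} indicators={entry['indicators']}")
    print("review before enabling:", risky_plugins(report))
```

Run it against a shared vault before turning on plugin sync: anything listed by `risky_plugins` deserves a diff against the plugin's published release, since a vault-shipped copy of a known plugin is exactly where a modified build would hide. The regexes are deliberately broad; a bundler or minifier can split or rename these calls, so treat a clean result as "nothing obvious", not as a verdict.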

Once active, PHANTOMPULSE can capture sensitive information such as keystrokes, screenshots, and files, and execute arbitrary commands, posing a significant threat to financial data, intellectual property, and cryptocurrency assets. The incident underscores the evolving sophistication of social engineering tactics and the need for rigorous user training and application security measures.

The Gossip

Socially Engineered Security

Commenters fiercely debated whether this incident highlights a fundamental flaw in Obsidian's plugin architecture or is simply a successful social engineering attack that bypassed user-activated security warnings. Some argued Obsidian includes sufficient protections, and users who manually disable them are responsible. Others countered that any system requiring users to consciously lower security for basic collaboration, especially with shared vaults, is inherently problematic and makes the platform unsuitable for sensitive data.

Plugin Peril: Obsidian's Permissive Practices

A significant portion of the discussion focused on Obsidian's plugin security model, or lack thereof. Critics highlighted Obsidian's own documentation stating that plugins are not sandboxed and have full access to the user's computer. This led to accusations of 'inexcusable negligence' and calls for more secure plugin architectures, with WebAssembly (WASM) / WASI being suggested as a potential sandboxing solution. Some noted that while Obsidian is transparent about these risks, the heavy reliance on community plugins makes the design practically insecure.

Engineering Ethos: From D&D to DevOps

A tangential but lively sub-discussion emerged around the perceived competence of Obsidian's founders. One commenter provocatively dismissed them as 'D&D nerds, not competent engineers' and claimed Obsidian is 'malpractice' for enterprise use. This quickly drew retorts from others defending 'nerds' as often highly competent engineers and criticizing the ad hominem attack, emphasizing the need for technical arguments rather than stereotypes.