Critical Obsidian Shell Commands Plugin Vulnerability Lets Attackers Run Malware
Key Takeaways
- A new attack campaign, REF6598, is leveraging the legitimate Obsidian Shell Commands community plugin to deploy cross-platform malware.
- The attacks target individuals in the financial and cryptocurrency sectors through sophisticated social engineering tactics.
- The plugin is weaponized to execute malicious code automatically when an attacker-controlled Obsidian vault is opened, without exploiting any software vulnerability.
- The campaign deploys a new Windows RAT, PHANTOMPULSE, and an AppleScript dropper for macOS, both designed for stealthy execution and C2 communication.
- No official patch is required for Obsidian itself, but users must be vigilant about plugin sources and social engineering attempts.
Cybersecurity researchers have uncovered a novel attack vector exploiting a popular productivity tool, the Obsidian Shell Commands plugin, to deliver sophisticated cross-platform malware. This method allows threat actors to execute malicious payloads across Windows and macOS systems by weaponizing a trusted community plugin, as detailed in a recent report.
The attackers need no software vulnerability at all: they configure the Obsidian Shell Commands plugin to run arbitrary shell commands, which lets them execute malicious code silently on victims’ machines by leveraging the plugin’s intended functionality.
REF6598 Targets Financial and Crypto Sectors
Dubbed REF6598, the campaign specifically targets professionals within the financial and cryptocurrency industries. The initial approach involves elaborate social engineering, where attackers impersonate venture capital representatives on LinkedIn. Once a target engages, communications are steered to a Telegram group, where additional fake “partners” are introduced to enhance credibility.
Victims are then instructed to use Obsidian, presented as the venture firm’s proprietary management database. They are provided with credentials to access a cloud-hosted vault entirely controlled by the attackers. This seemingly legitimate interaction sets the stage for the compromise.
Elastic Security Labs researchers, including Salim Bitam, Samir Bousseaden, and Daniel Stepanic, identified the campaign after an Elastic Defend alert flagged suspicious PowerShell activity originating from Obsidian. Their investigation confirmed that the Shell Commands plugin, pre-configured within the malicious vault, was set to execute attacker-defined commands immediately upon the vault’s opening, requiring no further user interaction.
Multi-Platform Malware Deployment
The REF6598 campaign is designed for both Windows and macOS environments. On Windows, the attack chain culminates in the deployment of PHANTOMPULSE, a previously undocumented Remote Access Trojan (RAT). This full-featured backdoor is capable of extensive surveillance and control, including keylogging, screenshot capture, process injection, and privilege escalation.
For macOS systems, the attack employs an obfuscated AppleScript dropper, which establishes command-and-control (C2) communication via a Telegram-based fallback mechanism. Both Windows and macOS payloads are engineered to blend with normal application behavior, making them challenging for conventional detection methods to identify.
From Vault Sync to Final Payload
The infection process begins when a victim opens the attacker-controlled Obsidian vault and enables community plugin synchronization. At this point, the trojanized Shell Commands plugin’s data.json configuration file is silently downloaded and triggers execution.
On Windows, the plugin initiates two Invoke-Expression calls containing Base64-encoded strings. These calls communicate with a staging server at 195.3.222[.]251 to retrieve a PowerShell script. This script then utilizes BitsTransfer to download a 64-bit executable, syncobs.exe, while providing status updates to the C2 server with color-coded messages like “GREEN FILE FOUND ON PC” or “RED DOWNLOAD ERROR.”
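As an added example (not code from the article or from Elastic), a small Python scanner that walks a vault's community plugin configs and flags command strings matching the behaviours described above; the `.obsidian/plugins/<id>/data.json` layout, the indicator list and the sample config's key names are assumptions, and the sample itself is constructed.

```python
import json
import re
from pathlib import Path

# Indicators from the chain described above; an assumed list, not a published signature.
SUSPICIOUS_RE = re.compile(
    r"invoke-expression|\biex\b|frombase64string|-encodedcommand|bitstransfer|"
    r"-w(indowstyle)?\s+hidden|downloadstring|osascript|curl\b[^|]*\|\s*(ba|z)?sh\b",
    re.IGNORECASE)

def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string leaf, whatever the plugin schema."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_plugin_config(text):
    """Return [(json_path, matched_indicator)] for the contents of one data.json."""
    hits = []
    for path, value in iter_strings(json.loads(text)):
        match = SUSPICIOUS_RE.search(value)
        if match:
            hits.append((path, match.group(0)))
    return hits

def scan_vault(vault_dir):
    """Scan <vault>/.obsidian/plugins/<id>/data.json (assumed layout) -> {id: hits}."""
    plugins_dir = Path(vault_dir) / ".obsidian" / "plugins"
    findings = {}
    if plugins_dir.is_dir():
        for cfg in plugins_dir.glob("*/data.json"):
            hits = scan_plugin_config(cfg.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[cfg.parent.name] = hits
    return findings

# Constructed sample Shell Commands entry (key names assumed; Base64 is just PLACEHOLDER).
SAMPLE_CONFIG = json.dumps({"shell_commands": [{"id": "sync", "platform_specific_commands": {
    "win32": "powershell -w hidden -c \"Invoke-Expression ([Text.Encoding]::UTF8.GetString("
             "[Convert]::FromBase64String('UExBQ0VIT0xERVI=')))\"",
    "darwin": "osascript -e 'display dialog \"Syncing...\"'"}}]})

if __name__ == "__main__":
    for path, indicator in scan_plugin_config(SAMPLE_CONFIG):
        print(f"REVIEW {path}: {indicator}")
```

Any hit is a prompt for analyst review rather than proof of compromise, since legitimate Shell Commands users also run scripts from their vaults.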
The downloaded executable, dubbed PHANTOMPULL by researchers, decrypts an AES-256-CBC-encrypted payload from its own resources and loads it directly into memory using reflective loading. This “fileless” approach ensures the final malware stage is never written to disk, complicating detection by file-based scanning tools. PHANTOMPULL also incorporates a timer queue callback with a 50-millisecond delay, a common anti-sandbox technique. Furthermore, the loader includes dead code blocks and a fake integrity check function, designed to mislead and waste the time of reverse engineers.
PHANTOMPULSE, the ultimate RAT payload, employs a unique C2 resolution technique that leverages public Ethereum blockchain data. The malware queries Blockscout APIs across three distinct blockchain networks, extracting XOR-encrypted C2 URLs from the input fields of transactions linked to a hardcoded wallet address. Researchers identified a critical flaw in this design: since PHANTOMPULSE always selects the most recent transaction without sender verification, anyone with the wallet address and XOR key could submit a new transaction to redirect all infected hosts to a sinkhole server, effectively neutralizing the threat actors’ control.
What You Should Do
- Exercise Extreme Caution with Plugins: Avoid installing community plugins from untrusted sources. Always verify the legitimacy and reputation of any plugin before enabling it in Obsidian or similar applications.
- Implement Strong Social Engineering Awareness: Educate employees, especially those in financial and cryptocurrency roles, about sophisticated phishing and social engineering tactics, particularly those involving professional networking platforms like LinkedIn and encrypted messaging apps.
- Monitor Electron-based Application Behavior: Organizations should enhance monitoring for unusual child process creation originating from Electron-based applications like Obsidian. Behavioral endpoint detection and response (EDR) solutions are crucial for this.
- Enforce Plugin Policies: Where possible, establish and enforce clear policies regarding the installation and synchronization of community plugins in productivity tools.
- Block Known Infrastructure: Update network defenses to block known malicious infrastructure, including the IP address 195.3.222[.]251 and the domain panel.fefea22134[.]net.
- Utilize Detection Signatures: Security teams should integrate Elastic’s published YARA rules for PHANTOMPULL and PHANTOMPULSE into their detection systems to identify these specific threats across their environments.
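As an added example of the child-process monitoring recommended above (again not the article's or Elastic's code), a scoring routine run over constructed, normalized process-creation events; the parent and child name lists and the argument patterns are assumptions.

```python
import re

# Electron-hosted apps whose child processes deserve scrutiny (assumed list; the
# article names Obsidian) and the interpreters/downloaders seen in the chain above.
ELECTRON_PARENTS = {"obsidian.exe", "obsidian"}
INTERESTING_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "bitsadmin.exe",
                        "osascript", "sh", "bash", "zsh", "curl"}
ARGS_RE = re.compile(
    r"-enc(odedcommand)?\s|invoke-expression|\biex\b|frombase64string|"
    r"bitstransfer|-w(indowstyle)?\s+hidden|downloadstring", re.IGNORECASE)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # Windows or POSIX

def score_event(event):
    """Return (severity 0-2, reasons) for one normalized process-creation event."""
    reasons = []
    if basename(event["parent_image"]) not in ELECTRON_PARENTS:
        return 0, reasons
    child = basename(event["image"])
    if child in INTERESTING_CHILDREN:
        reasons.append(f"{child} spawned by an Electron app")
    match = ARGS_RE.search(event.get("command_line", ""))
    if match:
        reasons.append(f"suspicious argument {match.group(0).strip()!r}")
    return len(reasons), reasons

def detect(events):
    alerts = []  # [(pid, severity, reasons)] for every event scoring above zero
    for event in events:
        severity, reasons = score_event(event)
        if severity:
            alerts.append((event["pid"], severity, reasons))
    return alerts

# Constructed sample telemetry: a Windows chain, a macOS chain, and a benign cmd launch.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": r"C:\Users\u\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"Invoke-Expression ([Convert]::FromBase64String('UExBQ0VIT0xERVI='))\""},
    {"pid": 4102, "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/usr/bin/osascript", "command_line": "osascript -e 'display dialog \"Syncing\"'"},
    {"pid": 4103, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c backup.bat"},
]

if __name__ == "__main__":
    for pid, severity, reasons in detect(SAMPLE_EVENTS):
        print(pid, severity, "; ".join(reasons))
```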
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.