BlockBeats News, April 15th, cybersecurity research firm Elastic Security Labs disclosed a new type of social engineering attack targeting professionals in the financial and cryptocurrency industries. The attackers, posing as a venture capital firm on LinkedIn and Telegram, tricked targets into opening an Obsidian note library with a built-in malicious payload, leading to the deployment of the previously undocumented Windows remote access trojan, PHANTOMPULSE.

This attack did not rely on exploiting any software vulnerabilities but instead abused Obsidian's Shell Commands plugin to automatically execute malicious code when the note library was opened; the macOS version utilized an obfuscated AppleScript dropper in conjunction with a Telegram channel as a secondary command and control server, while the Windows version leveraged Ethereum transaction data for blockchain-based C2 address resolution.