Found this report via HackerNews. Attackers are getting victims to download Obsidian, enable community plugins, and use a shared "vault" to automatically download and execute scripts from a malicious plugin. The end result is the PHANTOMPULSE RAT on the system.

IOCs include Obsidian.exe spawning powershell.exe or cmd.exe on Windows, or Obsidian spawning osascript on macOS.

Details:

https://cyber.netsecops.io/articles/obsidian-plugin-abused-in-campaign-to-deploy-phantom-pulse-rat/



Obsidian Plugin Abused in Social Engineering Campaign to Deliver New PHANTOMPULSE RAT

A sophisticated campaign is abusing the Obsidian note-taking app to deliver a new RAT, PHANTOMPULSE, to targets in the finance and crypto sectors using social engineering and malicious plugins.

CyberNetSec.io
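
The parent/child process indicator from the post, written as a check over process-creation events. This is an added example, not code from the post or the linked report; the event field names (`host`, `platform`, `parent_image`, `image`), the sample events, and the prefix match that also covers Electron helper processes on macOS are assumptions.

```python
import ntpath
import posixpath

# Child images named in the post, per platform (compared case-insensitively).
SUSPICIOUS_CHILDREN = {
    "windows": {"powershell.exe", "cmd.exe"},
    "macos": {"osascript"},
}


def image_name(path, platform):
    """Lower-cased file name of a process image, using the platform's path rules."""
    mod = ntpath if platform == "windows" else posixpath
    return mod.basename(path.strip('"')).lower()


def is_obsidian_spawn(event):
    """True when an Obsidian process is the parent of a shell or script host."""
    platform = event.get("platform", "").lower()
    children = SUSPICIOUS_CHILDREN.get(platform)
    if children is None:
        return False
    parent = image_name(event.get("parent_image", ""), platform)
    child = image_name(event.get("image", ""), platform)
    # Assumption: prefix match also covers helpers like "Obsidian Helper (Renderer)".
    return parent.startswith("obsidian") and child in children


def find_hits(events):
    """Hosts whose events match the Obsidian parent/child indicator."""
    return [e["host"] for e in events if is_obsidian_spawn(e)]


# Constructed sample events; hosts and paths are illustrative only.
SAMPLE_EVENTS = [
    {"host": "ws-01", "platform": "windows",
     "parent_image": r"C:\Users\a\AppData\Local\Obsidian\Obsidian.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws-02", "platform": "windows",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "mac-01", "platform": "macos",
     "parent_image": "/Applications/Obsidian.app/Contents/Frameworks/Obsidian Helper (Renderer).app/Contents/MacOS/Obsidian Helper (Renderer)",
     "image": "/usr/bin/osascript"},
    {"host": "mac-02", "platform": "macos",
     "parent_image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian"},
]

if __name__ == "__main__":
    print(find_hits(SAMPLE_EVENTS))
```

Legitimate plugins can also launch a shell, so a hit is a lead to triage against the vault's installed community plugins rather than a verdict.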