Obsidian's Vault of Villainy: When Your Notes App Gets a Little Too Collaborative
Crypto users are catching a fresh social engineering hustle that turns the beloved note-taking app Obsidian into something out of a villain's workshop. Elastic Security Labs spotted a campaign aimed squarely at crypto and finance degens, using "elaborate social engineering on LinkedIn and Telegram" to trick marks into running malware through community plugins. Because apparently, not even your markdown files are safe anymore.
The grifters dress up as venture capital firms on LinkedIn—probably with profile photos of dogs in suits—then slide into DMs to pivot conversations to Telegram about "cryptocurrency liquidity solutions." You know, business talk. Targets get handed login credentials for a cloud-hosted vault that the scammers control, which acts as the initial access vector. It's giving corporate espionage, but with more emojis.
Once the vault is opened in Obsidian, victims are told to enable community plugin sync. The trojanized plugins then silently execute the attack chain, doing their dirty work while you wonder why your portfolio suddenly looks like a Jackson Pollock painting.
The campaign drops a previously undocumented remote access trojan (RAT) called "PHANTOMPULSE," built for stealth, resilience, and comprehensive remote access. It works on both Windows and macOS—because why commit to just one operating system when you can be an equal opportunity malware distributor?
Here's where it gets artsy: PHANTOMPULSE uses blockchain-based command-and-control via at least three different networks. Transaction data tied to a specific wallet serves as the C2 mechanism, letting attackers receive instructions without relying on centralized infrastructure. Because blockchain transactions are immutable and publicly accessible, the malware can always locate its C2 server. Using three independent chains adds redundancy—if one chain's explorer gets blocked, the remaining two provide alternative paths. This thing has more backup plans than a crypto influencer trying to explain why their token rugged.
In 2025, $713 million was stolen via compromises of individual crypto wallets, according to Chainalysis. Blockchain transactions can't be reversed, making crypto users a perpetual target. At this point, getting rugged feels less like a risk and more like a rite of passage.
Elastic blocked the attack but warns that financial and crypto companies should recognize legitimate productivity tools can be weaponized. Organizations are advised to enforce app-level plugin policies to defend against similar tactics. Your notes app should probably stay boring—just you, some headings, and maybe a grocery list. Nothing more villainous than that.
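One concrete way to act on that advice is to audit what a vault actually has enabled. The script below is an added example, not Elastic's tooling or anything from the campaign: it reads Obsidian's `.obsidian/community-plugins.json`, compares each enabled plugin against an organization allowlist, hashes each plugin's `main.js` for later review, and flags code that reaches for OS process execution, something a note-taking plugin rarely needs. The allowlist, the plugin ids and the sample vault are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed allowlist: plugin ids the organization has approved (assumption, not from the report).
APPROVED_PLUGINS = {"obsidian-git", "dataview"}

# Strings in a plugin's main.js that indicate OS-level process execution. Treat a hit
# as review-worthy, not as proof of compromise: legitimate plugins occasionally shell out.
SUSPICIOUS_MARKERS = ("child_process", "spawn(", "execSync(")


def audit_vault(vault: Path, approved=APPROVED_PLUGINS):
    """Return one finding per enabled community plugin in the vault."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"  # Obsidian's list of enabled plugin ids
    findings = []
    if not enabled_file.exists():
        return findings
    for plugin_id in json.loads(enabled_file.read_text()):
        main_js = cfg / "plugins" / plugin_id / "main.js"
        finding = {"id": plugin_id, "approved": plugin_id in approved, "markers": [], "sha256": None}
        if main_js.exists():
            code = main_js.read_bytes()
            finding["sha256"] = hashlib.sha256(code).hexdigest()  # pin the exact code that was reviewed
            text = code.decode("utf-8", errors="replace")
            finding["markers"] = [m for m in SUSPICIOUS_MARKERS if m in text]
        findings.append(finding)
    return findings


def policy_violations(findings):
    """Plugin ids that are either not allowlisted or contain process-execution markers."""
    return [f["id"] for f in findings if not f["approved"] or f["markers"]]


def build_sample_vault(root: Path) -> Path:
    """Constructed vault: one approved benign plugin and one unapproved plugin that shells out."""
    plugins = root / ".obsidian" / "plugins"
    (plugins / "dataview").mkdir(parents=True)
    (plugins / "dataview" / "main.js").write_text("module.exports = class { onload() {} };")
    (plugins / "liquidity-sync").mkdir(parents=True)  # hypothetical id echoing the lure
    (plugins / "liquidity-sync" / "main.js").write_text(
        "const { execSync } = require('child_process');\n"
        "module.exports = class { onload() { execSync(cmd); } };")
    (root / ".obsidian" / "community-plugins.json").write_text(json.dumps(["dataview", "liquidity-sync"]))
    return root


def demo():
    """Run the audit against the constructed vault and return (findings, violations)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_vault(build_sample_vault(Path(tmp)))
        return findings, policy_violations(findings)


if __name__ == "__main__":
    findings, violations = demo()
    for f in findings:
        print(f)
    print("violations:", violations)
```

Running it on a real vault means pointing `audit_vault` at the vault root and replacing `APPROVED_PLUGINS` with the organization's own allowlist.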