
PHANTOMPULSE RAT Exploits Obsidian Note-Taking

Hacker News

Security researchers have uncovered a PHANTOMPULSE RAT campaign targeting financial and cryptocurrency sectors through a novel social engineering attack. Attackers build trust via LinkedIn and Telegram before directing victims to malicious shared Obsidian vaults. The compromise occurs when users enable seemingly legitimate community plugins that execute code to deploy the RAT.

PHANTOMPULSE demonstrates advanced techniques by using the Ethereum blockchain to resolve its command-and-control server address, creating a decentralized infrastructure resistant to takedowns. The attack affects both Windows and macOS platforms through different scripts—PowerShell on Windows and AppleScript on macOS—before loading the RAT directly into memory to evade detection.

The attack poses significant risks to financial professionals, potentially enabling theft of sensitive data, trading strategies, and cryptocurrency credentials. Organizations should monitor for Obsidian spawning command-line processes and implement application control policies to restrict unapproved plugin installations, particularly in the high-risk industries this campaign is actively targeting.
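One way to implement the "Obsidian spawning command-line processes" check over process-creation telemetry is sketched below. It is an added example, not code from the original report. The event fields (`host`, `pid`, `ppid`, `image`), the Obsidian process names and the interpreter list are assumptions, and the sample events are constructed.

```python
import ntpath
import posixpath

# Assumed interpreter image names; the report names PowerShell and AppleScript.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "osascript", "sh", "bash", "zsh"}
# Assumed Obsidian main-process names on Windows and macOS.
OBSIDIAN = {"obsidian.exe", "obsidian"}

def image_name(path):
    """Lower-cased file name of a Windows or POSIX image path."""
    base = ntpath.basename(path) if "\\" in path else posixpath.basename(path)
    return base.lower()

def obsidian_ancestor(ev, index, max_depth=8):
    """Walk the parent chain; return the Obsidian ancestor event, or None."""
    cur = index.get((ev["host"], ev["ppid"]))
    for _ in range(max_depth):  # depth cap guards against PID-reuse loops
        if cur is None:
            return None
        if image_name(cur["image"]) in OBSIDIAN:
            return cur
        cur = index.get((cur["host"], cur["ppid"]))
    return None

def find_suspicious(events):
    """Return (event, ancestor) pairs for interpreters descended from Obsidian."""
    index = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) in INTERPRETERS:
            anc = obsidian_ancestor(e, index)
            if anc is not None:
                hits.append((e, anc))
    return hits

OBS_WIN = r"C:\Users\a\AppData\Local\Programs\Obsidian\Obsidian.exe"
# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    {"host": "ws-01", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws-01", "pid": 200, "ppid": 100, "image": OBS_WIN},
    {"host": "ws-01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-01", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "mac-02", "pid": 50, "ppid": 1,
     "image": "/Applications/Obsidian.app/Contents/MacOS/Obsidian"},
    {"host": "mac-02", "pid": 60, "ppid": 50, "image": "/usr/bin/osascript"},
    {"host": "ws-03", "pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws-03", "pid": 20, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for ev, anc in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {ev['host']}: {anc['image']} (pid {anc['pid']}) -> {ev['image']}")
```

Walking the ancestor chain rather than checking only the direct parent also catches an interpreter launched through an intermediate shell, as in the `ws-01` sample.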