RC RANDOM CHAOS

PHANTOMPULSE RAT Rides Malicious Obsidian Plugins Into Finance and Crypto Targets

Via The Hacker News. Original source: "Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks" (The Hacker News)

Attackers are weaponizing the plugin ecosystem of Obsidian, the popular note-taking application, to deliver a remote access trojan dubbed PHANTOMPULSE. The campaign is narrowly aimed at finance and cryptocurrency operators, which suggests the attackers are chasing high-value credential and wallet access rather than opportunistic volume.

Obsidian’s community plugin model gives third-party code broad access to the local environment once installed, which is the pivot point the operators abuse. By trojanizing or impersonating legitimate plugins, they convert a trusted productivity surface into an execution channel that bypasses typical email and browser-based defenses.

The pattern extends a broader trend of adversaries targeting developer and power-user tooling (IDE extensions, package registries, and now knowledge-work plugins) as softer alternatives to hardened enterprise perimeters. Defenders in crypto-adjacent environments should treat plugin installation as a privileged action, audit installed plugins, and monitor endpoints running Obsidian for anomalous outbound traffic.
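One way to carry out the plugin audit recommended above, as an added example that is not from the original article or from Obsidian. It assumes the default vault layout (`.obsidian/plugins/<folder>/manifest.json` and `main.js`, with enabled plugin ids listed in `.obsidian/community-plugins.json`); the plugin ids, file contents and allowlist are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def audit_vault(vault, allowlist):
    """Return (plugin_id, status, enabled) per plugin; allowlist maps id -> SHA-256 of main.js."""
    cfg = Path(vault) / ".obsidian"  # assumption: default config folder name
    enabled_file = cfg / "community-plugins.json"  # JSON array of enabled plugin ids
    enabled = set(json.loads(enabled_file.read_text())) if enabled_file.exists() else set()
    findings = []
    plugins_dir = cfg / "plugins"
    for folder in sorted(plugins_dir.iterdir()) if plugins_dir.is_dir() else []:
        main_js = folder / "main.js"
        if not folder.is_dir() or not main_js.exists():
            continue
        try:
            plugin_id = json.loads((folder / "manifest.json").read_text())["id"]
        except (OSError, ValueError, KeyError, TypeError):
            plugin_id = folder.name  # missing or malformed manifest
        digest = hashlib.sha256(main_js.read_bytes()).hexdigest()
        if plugin_id not in allowlist:
            status = "UNAPPROVED"  # never reviewed
        elif allowlist[plugin_id] != digest:
            status = "MODIFIED"  # approved id, but the code is not the reviewed build
        else:
            status = "OK"
        findings.append((plugin_id, status, plugin_id in enabled))
    return findings


def build_demo_vault(root):
    """Create a constructed vault with three hypothetical plugins; return the allowlist."""
    plugins = {"demo-notes": b"// reviewed build\n",
               "demo-tasks": b"// altered after review\n",
               "demo-sync": b"// never reviewed\n"}
    for pid, code in plugins.items():
        folder = Path(root) / ".obsidian" / "plugins" / pid
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps({"id": pid, "version": "1.0.0"}))
        (folder / "main.js").write_bytes(code)
    (Path(root) / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["demo-notes", "demo-sync"]))
    return {"demo-notes": hashlib.sha256(plugins["demo-notes"]).hexdigest(),
            "demo-tasks": hashlib.sha256(b"// reviewed build of demo-tasks\n").hexdigest()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_vault(tmp, build_demo_vault(tmp)):
            print(finding)
```

Because the id in `manifest.json` is whatever the plugin author wrote, the hash comparison is what distinguishes a reviewed build from a plugin that merely claims an approved id.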


This is an AI-generated summary. Read the original for the full story.