
PHANTOMPULSE RAT

A social engineering campaign has been observed abusing Obsidian, a widely used note-taking application, as the initial access vector for a previously undocumented Windows remote access trojan tracked as PHANTOMPULSE. The campaign targets individuals working in the financial and cryptocurrency sectors and relies on the trust placed in a legitimate, signed application rather than on any software vulnerability.

Operation REF6598: Deception Through Professional Networks

Designated as REF6598 by cybersecurity researchers, this campaign employs advanced social engineering techniques via LinkedIn and Telegram. Targets are initially approached under the pretense of collaboration with a venture capital firm. Conversations are subsequently transitioned to Telegram group chats populated with impersonated 'partners,' creating a convincing façade of legitimacy.

Within these groups, discussions revolve around financial services and cryptocurrency liquidity strategies, reinforcing credibility. Victims are ultimately instructed to access a shared dashboard through a cloud-hosted Obsidian vault using provided credentials.

The Hidden Trigger: Malicious Vault Activation

The infection chain starts when the victim opens the shared vault in Obsidian. The user is then prompted to enable synchronization of 'Installed community plugins,' a setting that is disabled by default: without it, only the notes are synced, and the plugin files and their per-plugin settings under the vault's .obsidian directory stay on the attacker's side. Once the user turns it on, that plugin set and its configuration are pulled into the local vault and loaded by Obsidian, which is what lets the attacker's embedded configuration run. This manual step is the crux of the attack.

The attackers abuse two legitimate community plugins, Shell Commands and Hider, to run code without dropping a binary of their own. Shell Commands does the execution: it runs operator-defined shell commands stored in its settings. Hider conceals interface elements such as the status bar and tooltips, removing the visual cues that something is running and reducing the likelihood that the user notices. Nothing in the chain exploits a bug; the attack hinges entirely on convincing the user to enable plugin synchronization, which defeats the default that keeps a shared vault's plugins off the recipient's machine.

Evasion by Design: Living Off Legitimate Features

This campaign stands out for its abuse of trusted application functionality rather than exploitation of software vulnerabilities. Key characteristics include:

  • The malicious instructions live in the plugins' JSON settings files rather than in an executable, so file-based antivirus scanning has little to match on
  • The shell commands are spawned by Obsidian.exe, a signed Electron application, so detections keyed on an unusual parent process (an Office or browser process launching PowerShell, for example) do not fire
  • Persistence and command execution rely entirely on the plugin mechanisms the application already provides, so the first stage needs no persistence artifact of its own
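The two observations above (the trigger is a plugin-sync setting, and the payload is JSON plugin configuration rather than a binary) suggest a cheap check a responder can run against any vault a user has been sent. The script below is an added example, not code from the report, from Elastic, or from Obsidian: it audits a vault's .obsidian directory for the plugin pair and for shell commands that look like a loader rather than a note-taking helper. The plugin IDs `obsidian-shellcommands` and `obsidian-hider`, and the assumption that Shell Commands keeps its commands as a `shell_commands` list of objects with a `shell_command` string in `.obsidian/plugins/obsidian-shellcommands/data.json`, are not stated on the page; the sample vault is constructed.

```python
"""Audit an Obsidian vault for the Shell Commands + Hider abuse pattern.

Added example, not the report's or Obsidian's code. Assumptions (not on the
page): plugin IDs below, and the data.json layout used by Shell Commands.
"""
import json
import re
import tempfile
from pathlib import Path

SHELL_PLUGIN = "obsidian-shellcommands"  # assumed plugin ID
HIDER_PLUGIN = "obsidian-hider"          # assumed plugin ID

# Command fragments that have no business in a note-taking workflow.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bpowershell\b", r"\bpwsh\b", r"-enc\w*\s", r"-w(indowstyle)?\s+hidden",
    r"-e(xecutionpolicy)?p?\s+bypass", r"\biex\b", r"invoke-expression",
    r"downloadstring", r"\bosascript\b", r"\bcurl\b.*\|\s*(ba)?sh\b",
    r"\bcertutil\b", r"\bmshta\b", r"\brundll32\b",
)]


def audit_vault(vault: Path) -> dict:
    """Return enabled plugins, configured shell commands, and findings."""
    cfg = vault / ".obsidian"
    report = {"enabled": [], "commands": [], "suspicious": [], "findings": []}

    enabled_file = cfg / "community-plugins.json"  # list of enabled plugin IDs
    if enabled_file.is_file():
        report["enabled"] = json.loads(enabled_file.read_text(encoding="utf-8"))

    if SHELL_PLUGIN in report["enabled"]:
        report["findings"].append(f"shell-execution plugin enabled: {SHELL_PLUGIN}")
    if HIDER_PLUGIN in report["enabled"]:
        report["findings"].append(f"UI-hiding plugin enabled: {HIDER_PLUGIN}")

    data_file = cfg / "plugins" / SHELL_PLUGIN / "data.json"  # assumed location
    if data_file.is_file():
        data = json.loads(data_file.read_text(encoding="utf-8"))
        for entry in data.get("shell_commands", []):
            cmd = str(entry.get("shell_command", ""))
            report["commands"].append(cmd)
            hits = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
            if hits:
                alias = entry.get("alias", "")
                report["suspicious"].append({"alias": alias, "command": cmd, "hits": hits})
                report["findings"].append(f"suspicious shell command '{alias}': {cmd[:60]}")
    return report


# Constructed sample of what a shared vault might carry once plugin sync is on.
SAMPLE_ENABLED = [SHELL_PLUGIN, HIDER_PLUGIN, "calendar"]
SAMPLE_SHELL_DATA = {"shell_commands": [
    {"id": "a1b2", "alias": "Refresh dashboard",
     "shell_command": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"},  # constructed
    {"id": "c3d4", "alias": "Open vault folder", "shell_command": "explorer ."},
]}


def build_sample_vault(root: Path) -> Path:
    """Write the constructed vault layout under `root` and return the vault path."""
    vault = root / "shared-dashboard"
    plugin_dir = vault / ".obsidian" / "plugins" / SHELL_PLUGIN
    plugin_dir.mkdir(parents=True, exist_ok=True)
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(SAMPLE_ENABLED), encoding="utf-8")
    (plugin_dir / "data.json").write_text(json.dumps(SAMPLE_SHELL_DATA), encoding="utf-8")
    return vault


def run_demo() -> dict:
    """Audit the constructed malicious vault and an empty benign one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        malicious = audit_vault(build_sample_vault(root))
        (root / "clean").mkdir()
        benign = audit_vault(root / "clean")
    return {"malicious": malicious, "benign": benign}


if __name__ == "__main__":
    out = run_demo()
    for finding in out["malicious"]["findings"]:
        print("[!]", finding)
    print("benign vault findings:", len(out["benign"]["findings"]))
```

Run it against a real vault by calling `audit_vault(Path("/path/to/vault"))`; the pattern list is a starting point and should be extended with whatever the local environment considers abnormal for a notes application to spawn.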

Windows Infection Chain: From Loader to Memory-Resident Backdoor

On Windows, the plugin-launched command starts a PowerShell-based execution chain that deploys an intermediate loader named PHANTOMPULL. The loader decrypts PHANTOMPULSE and launches it directly in memory, so the final payload never exists as a file on disk for a scanner to examine.

PHANTOMPULSE resolves its Command-and-Control (C2) server through the Ethereum blockchain: it queries the network for the most recent transaction associated with a hard-coded wallet address and derives the current C2 server from it. Operators can therefore rotate infrastructure by sending a new transaction rather than redeploying the implant, and the wallet address, not any domain, is the stable indicator. Communication with the resolved server is conducted via WinHTTP for data exfiltration, command retrieval, and execution reporting.
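To make the dead-drop mechanism concrete, the following is an added example that models the resolution step over a constructed transaction list; it is not the malware's code nor Elastic's. The page says only that the latest transaction tied to a hard-coded wallet is used, so everything else here is an assumption: the wallet and sender addresses are placeholders, the records follow the shape of a block explorer's address-history API (`blockNumber`, `transactionIndex`, `from`, `to`, `input`), and the C2 URL is assumed to be stored as UTF-8 text in the transaction's input-data field. The example also handles the cases a resolver must not trip over: a plain value transfer with empty input, and input that is not text at all.

```python
"""Model of blockchain dead-drop C2 resolution over constructed transactions.

Added example, not PHANTOMPULSE's code. Addresses are placeholders and the
URL-in-input-data encoding is an assumption; the page does not state it.
"""
import re
from typing import Optional

WALLET = "0x1111111111111111111111111111111111111111"    # placeholder, not an indicator
OPERATOR = "0x2222222222222222222222222222222222222222"  # placeholder sender
URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/\S*)?$")


def encode_input(text: str) -> str:
    """Pack text into a 0x-prefixed hex input field (assumed encoding)."""
    return "0x" + text.encode("utf-8").hex()


def decode_input(hex_input: str) -> Optional[str]:
    """Reverse of encode_input; None for empty or non-text input data."""
    raw = hex_input[2:] if hex_input.startswith("0x") else hex_input
    if not raw:
        return None
    try:
        return bytes.fromhex(raw).decode("utf-8").strip()
    except ValueError:  # bad hex or UnicodeDecodeError (a ValueError subclass)
        return None


def resolve_c2(txs: list, wallet: str) -> Optional[str]:
    """Newest transaction touching `wallet` whose input decodes to a URL, else None."""
    wallet = wallet.lower()
    related = [t for t in txs
               if wallet in (t.get("from", "").lower(), t.get("to", "").lower())]
    # Most recent first: highest block, then highest index within the block.
    related.sort(key=lambda t: (int(t["blockNumber"]), int(t.get("transactionIndex", 0))),
                 reverse=True)
    for tx in related:
        text = decode_input(tx.get("input", "0x"))
        if text and URL_RE.match(text):
            return text
    return None  # no usable dead drop yet; a real implant would retry later


# Constructed address history. Only the second entry should win.
SAMPLE_TXS = [
    {"blockNumber": "19000000", "transactionIndex": "5", "from": OPERATOR, "to": WALLET,
     "input": encode_input("https://c2-old.example.net/api")},
    {"blockNumber": "19000400", "transactionIndex": "12", "from": OPERATOR, "to": WALLET,
     "input": encode_input("https://c2-new.example.net/api")},
    {"blockNumber": "19000900", "transactionIndex": "3", "from": WALLET, "to": OPERATOR,
     "input": "0x"},  # plain value transfer, carries no payload
    {"blockNumber": "19000950", "transactionIndex": "1", "from": OPERATOR, "to": WALLET,
     "input": "0xdeadbeef"},  # not text: must be skipped, not crash the resolver
]


if __name__ == "__main__":
    print("current C2:", resolve_c2(SAMPLE_TXS, WALLET))
```

The defensive reading of the same code: once a sample yields the wallet address, a responder can run the identical query against a real explorer API and obtain the next C2 the moment the operator posts it, which turns the adversary's rotation channel into an early-warning feed.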

The malware supports a broad set of remote control capabilities:

  • inject: injects shellcode, DLLs, or executables into processes
  • drop: writes and executes files on disk
  • screenshot: captures and uploads screen data
  • keylog: enables or disables keystroke logging
  • uninstall: removes persistence mechanisms and cleans artifacts
  • elevate: escalates privileges to SYSTEM using COM elevation
  • downgrade: reduces privileges from SYSTEM to administrator level

macOS Variant: Obfuscation and Flexible C2 Infrastructure

On macOS, the same plugin mechanism delivers an obfuscated AppleScript. The script cycles through a predefined list of domains and, if none answers, falls back to Telegram as a dead-drop resolver to discover the current C2. Because the infrastructure can be rotated by updating the dead drop, blocking any single domain only pushes the script to the next candidate, which is why domain blocklists alone are a weak control here.

The final stage retrieves a secondary payload and executes it via osascript. Because the C2 servers were inactive at the time of analysis, the capabilities of that payload remain undetermined.

Attack Outcome and Strategic Implications

The observed intrusion was ultimately unsuccessful, as defensive measures detected and blocked the attack before objectives were achieved. Nevertheless, REF6598 highlights a significant evolution in threat actor methodology.

By abusing trusted applications and relying on a user-driven configuration change, the adversary sidesteps controls built around malicious files and unusual parent processes. The campaign reflects a growing trend: the weaponization of legitimate software features as covert execution channels, which calls for user awareness and for behavioral monitoring (what a trusted application spawns and where it connects) rather than file-centric detection alone.
