Crypto Community Faces New Obsidian Plugin Scam
A fresh trick has emerged in the crypto world. Scammers are using the note-taking app Obsidian to hide malware inside what look like helpful community plugins. The goal is to take remote control of victims' computers.
How the Scheme Works
Social Media Infiltration
Attackers pose as venture capitalists on LinkedIn, then move the conversation to Telegram. They claim to offer crypto-liquidity services, giving a believable business reason for the contact.
Obsidian Setup
Scammers ask the target to open a shared cloud vault in Obsidian, presenting it as their company's dashboard. The victim receives a login and is prompted to enable community plugins, which are third-party code that Obsidian runs with the same privileges as the app itself.
Malware Activation
Once the plugins are enabled, the hidden code runs silently. The malware, which Elastic Security Labs calls "PHANTOMPULSE", is a remote-access trojan that runs on both Windows and macOS. It hides itself, persists across restarts, and gives the attacker control of the device.
Sophisticated Command‑and‑Control
PHANTOMPULSE uses an unusual command-and-control system that reaches at least three different blockchain networks. Rather than contacting a server the defenders could seize, it reads the transaction data of a specific wallet address and treats what it finds there as instructions. Because the same instructions are available on more than one chain, blocking a single network does not cut the channel, and because a ledger entry cannot be deleted, the infrastructure is hard to take down.
Lessons and Recommendations
Security researchers stopped the attacks but warned that this method shows how attackers can exploit legitimate tools. They urged crypto and finance firms to:
- Monitor which plugins are installed and enabled in productivity apps, and treat any plugin that was not reviewed as untrusted code.
- Enforce a strict policy on enabling third-party plugins, so that an outside party cannot talk a staff member into switching them on.
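One concrete way to act on the first recommendation, added here as an example and not code from the article or from Elastic Security Labs: Obsidian records the community plugins a vault has enabled in `.obsidian/community-plugins.json` (a JSON array of plugin ids) and keeps each plugin's code in `.obsidian/plugins/<id>/main.js` next to its `manifest.json`. The audit below compares those files against an allowlist of reviewed plugin ids, pins each approved plugin to the SHA-256 of its reviewed `main.js`, and also reports plugin directories that sit on disk without being enabled yet. The allowlist and the sample vault it builds are constructed for the demonstration; the plugin ids in it are not real plugins.

```python
"""Audit the community plugins enabled in an Obsidian vault against an allowlist.

Obsidian stores the enabled community plugins in
<vault>/.obsidian/community-plugins.json and each plugin's code in
<vault>/.obsidian/plugins/<id>/main.js (with a manifest.json beside it).
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def enabled_plugins(vault: Path) -> list[str]:
    """Return the plugin ids the vault has switched on, in file order."""
    cfg = vault / ".obsidian" / "community-plugins.json"
    if not cfg.is_file():
        return []  # no community plugins enabled (or Restricted mode never left)
    data = json.loads(cfg.read_text(encoding="utf-8"))
    return [p for p in data if isinstance(p, str)] if isinstance(data, list) else []


def audit_vault(vault: Path, allowlist: dict[str, str | None]) -> dict[str, list[str]]:
    """Classify every enabled plugin.

    allowlist maps plugin id -> sha256 of the reviewed main.js, or None to
    accept any build of an approved id.
    """
    findings: dict[str, list[str]] = {
        "ok": [], "unapproved": [], "hash_mismatch": [], "missing_code": []
    }
    enabled = enabled_plugins(vault)
    for pid in enabled:
        main_js = vault / ".obsidian" / "plugins" / pid / "main.js"
        if pid not in allowlist:
            findings["unapproved"].append(pid)          # nobody reviewed this
        elif not main_js.is_file():
            findings["missing_code"].append(pid)        # enabled but code absent
        elif allowlist[pid] is not None and sha256_file(main_js) != allowlist[pid]:
            findings["hash_mismatch"].append(pid)       # approved id, different code
        else:
            findings["ok"].append(pid)
    # Plugin code that is present but not enabled: a shared vault can ship it
    # and then ask the victim to flip the switch.
    plugins_dir = vault / ".obsidian" / "plugins"
    findings["present_disabled"] = sorted(
        p.name for p in plugins_dir.iterdir() if p.is_dir() and p.name not in enabled
    ) if plugins_dir.is_dir() else []
    return findings


def write_plugin(vault: Path, pid: str, code: bytes) -> None:
    """Lay down a plugin directory the way Obsidian expects it (constructed data)."""
    pdir = vault / ".obsidian" / "plugins" / pid
    pdir.mkdir(parents=True, exist_ok=True)
    (pdir / "manifest.json").write_text(json.dumps({"id": pid, "name": pid, "version": "1.0.0"}))
    (pdir / "main.js").write_bytes(code)


def demo() -> dict[str, list[str]]:
    """Build a constructed sample vault (ids and code are made up) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp)
        reviewed_code = b"module.exports = class extends require('obsidian').Plugin {};"
        write_plugin(vault, "reviewed-plugin", reviewed_code)
        write_plugin(vault, "tampered-plugin", reviewed_code + b"\nrequire('child_process');")
        write_plugin(vault, "dashboard-helper", b"// shipped with the shared vault, never reviewed")
        write_plugin(vault, "staged-plugin", b"// on disk, not yet enabled")
        (vault / ".obsidian" / "community-plugins.json").write_text(json.dumps(
            ["reviewed-plugin", "tampered-plugin", "dashboard-helper", "ghost-plugin"]
        ))
        reviewed_hash = hashlib.sha256(reviewed_code).hexdigest()
        allowlist = {
            "reviewed-plugin": reviewed_hash,  # pinned to the reviewed build
            "tampered-plugin": reviewed_hash,  # same pin, but the file on disk differs
            "ghost-plugin": None,              # approved id, any build accepted
        }
        return audit_vault(vault, allowlist)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real vault by calling `audit_vault(Path("/path/to/vault"), allowlist)` with an allowlist your team maintains; anything outside `ok` is a plugin that should be disabled until someone has read its `main.js`. Pinning the hash matters because a plugin id alone says nothing about the code behind it.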
Overall, the incident is a reminder that tools meant for work can be turned into weapons. Being cautious about who you talk to online and what software you install is essential, especially in the crypto space, where a stolen transfer cannot be reversed.