James Ding
Apr 15, 2026 07:03
Elastic Security Labs uncovers PHANTOMPULSE malware targeting crypto users through Obsidian’s community plugins. Attackers use LinkedIn and Telegram for initial contact.
Security researchers have identified a sophisticated attack campaign weaponizing the popular note-taking app Obsidian to deploy malware against cryptocurrency and finance professionals. The scheme exploits legitimate community plugins to execute malicious code without triggering traditional security defenses.
Elastic Security Labs published findings on April 15 detailing how attackers pose as venture capital representatives on LinkedIn before moving conversations to Telegram. The bait? Discussions about cryptocurrency liquidity solutions that eventually lead victims to install Obsidian and connect to attacker-controlled cloud vaults.
How the Attack Works
The attack chain begins when victims enable community plugin synchronization on a shared vault—standard functionality that Obsidian users routinely activate. A trojanized Shell Commands plugin then executes attacker-defined code the moment someone opens the vault.
“This vault is the initial access vector,” Elastic researchers wrote. “Once opened in Obsidian, the target is instructed to enable community plugins sync. After that, the trojanized plugins silently execute the attack chain.”
Both Windows and macOS systems are vulnerable. The payload delivers a previously undocumented remote access trojan that Elastic dubbed PHANTOMPULSE, which grants attackers full device control including keylogging, screenshot capture, and privilege escalation.
Blockchain-Based Command Infrastructure
PHANTOMPULSE employs an unusual command-and-control mechanism that reads instructions from on-chain transaction data across three separate blockchain networks. Because blockchain transactions are immutable and publicly accessible, the malware can always locate its controllers without relying on servers that defenders could block.
“This technique provides the operator with an infrastructure-agnostic rotation capability,” the report noted. The triple-chain redundancy ensures continued operation even if one network’s explorer becomes unavailable.
Why Crypto Users Should Care
Individual wallet compromises cost victims $713 million in 2025 alone, according to Chainalysis data. Unlike traditional bank fraud, blockchain transactions cannot be reversed—once funds leave a compromised wallet, they’re gone.
The Obsidian attack bypasses conventional security tools entirely by abusing intended application functionality rather than exploiting software vulnerabilities. Antivirus software won’t flag a legitimate productivity app executing its own plugin system.
Elastic successfully blocked the attacks it observed but warned that creative initial access vectors like this one represent an evolving threat. The firm recommends that crypto and finance organizations enforce strict app-level plugin policies and treat productivity tools as potential attack surfaces.
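The attack chain above turns on two things a defender can actually check on an endpoint: which community plugins a vault has enabled, and whether any of those plugins' bundled JavaScript can spawn operating-system processes the way a Shell Commands-style plugin does. The following script is an added example, not code from Elastic Security Labs or from this article, that audits a vault against an allowlist as the kind of "app-level plugin policy" the report recommends. It relies on Obsidian's on-disk layout (enabled plugin ids in `.obsidian/community-plugins.json`, each plugin's code in `.obsidian/plugins/<id>/main.js`); the sample vault, the plugin ids `calendar` and `shell-runner`, and their `main.js` contents are constructed fixtures for demonstration only.

```python
import json
import re
import tempfile
from pathlib import Path

# Patterns indicating a plugin's bundled main.js can run OS processes.
# Obsidian plugins execute inside Electron with Node APIs available, so
# child_process is how a plugin shells out to the host. Any hit is worth a
# human look; it is not proof of malice (Shell Commands does this by design).
PROCESS_EXEC_PATTERNS = [
    r"require\(\s*['\"]child_process['\"]\s*\)",
    r"\bexecSync\s*\(",
    r"\bexecFile\s*\(",
    r"\bspawn\s*\(",
    r"\bexec\s*\(",
]


def load_enabled_plugins(vault: Path) -> list:
    """Return the community plugin ids Obsidian will load for this vault.
    Obsidian stores them as a JSON array in .obsidian/community-plugins.json."""
    manifest = vault / ".obsidian" / "community-plugins.json"
    if not manifest.exists():
        return []
    with manifest.open(encoding="utf-8") as fh:
        data = json.load(fh)
    return [p for p in data if isinstance(p, str)]


def audit_vault(vault: Path, allowlist: set) -> list:
    """Audit one vault against a plugin allowlist.
    Returns a finding per enabled plugin that is not allowlisted, has no
    main.js on disk, or whose main.js contains process-execution calls."""
    findings = []
    for plugin_id in load_enabled_plugins(vault):
        main_js = vault / ".obsidian" / "plugins" / plugin_id / "main.js"
        reasons = []
        if plugin_id not in allowlist:
            reasons.append("not on allowlist")
        if main_js.exists():
            code = main_js.read_text(encoding="utf-8", errors="replace")
            hits = {pat for pat in PROCESS_EXEC_PATTERNS if re.search(pat, code)}
            if hits:
                reasons.append(f"process execution in main.js ({len(hits)} patterns)")
        else:
            reasons.append("enabled but main.js missing")
        if reasons:
            findings.append({"plugin": plugin_id, "reasons": reasons})
    return findings


def build_sample_vault() -> Path:
    """Constructed fixture (assumption, not a real vault): one benign plugin
    and one plugin whose main.js shells out via child_process."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    plugins = root / ".obsidian" / "plugins"
    (plugins / "calendar").mkdir(parents=True)
    (plugins / "calendar" / "main.js").write_text(
        "module.exports = class extends Plugin {"
        " onload() { this.addRibbonIcon('calendar', 'Open'); } }",
        encoding="utf-8",
    )
    (plugins / "shell-runner").mkdir(parents=True)
    (plugins / "shell-runner" / "main.js").write_text(
        "const cp = require('child_process');\n"
        "module.exports = class extends Plugin {"
        " onload() { cp.execSync(this.settings.cmd); } }",
        encoding="utf-8",
    )
    (root / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["calendar", "shell-runner"]), encoding="utf-8"
    )
    return root


if __name__ == "__main__":
    # Policy: only the calendar plugin is approved for this vault.
    vault = build_sample_vault()
    for finding in audit_vault(vault, allowlist={"calendar"}):
        print(f"{finding['plugin']}: {', '.join(finding['reasons'])}")
```

Run against a real vault by pointing `audit_vault` at its root directory and passing the organization's approved plugin ids; a plugin that is allowlisted but still trips the process-execution check (Shell Commands will) is the case to review manually, because a trojanized copy looks identical to the legitimate one at the manifest level and differs only in what `main.js` runs.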
For individual users, the takeaway is straightforward: verify any request to install software or enable plugins, especially when the ask comes through LinkedIn or Telegram from someone you’ve never met in person. That “VC partner” offering liquidity solutions might be running something far more sophisticated than a typical phishing operation.
Source: https://blockchain.news/news/obsidian-notes-app-exploited-crypto-wallet-heist-scheme