Execution chain diagram | Image: Elastic Security Labs
In a sophisticated intersection of social engineering and technical ingenuity, security researchers have uncovered a novel campaign that turns a popular productivity tool into a silent execution engine. Elastic Security Labs recently detailed the activity of REF6598, a cross-platform campaign that leverages the “Obsidian” note-taking application to deploy a previously undocumented Remote Access Trojan (RAT) named PHANTOMPULSE.
The attack begins far away from code, originating on professional networks like LinkedIn. “The threat actors operate under the guise of a venture capital firm, initiating contact with targets through LinkedIn”. To build credibility, the conversation often moves to Telegram groups where multiple “partners” participate in discussions focused on cryptocurrency liquidity solutions.
Once trust is established, the target is invited to access a shared business dashboard. “The target is asked to use Obsidian, presented as the firm’s ‘management database’, for accessing a shared dashboard”. The victim is provided with credentials to a cloud-hosted vault and instructed to enable “community plugin sync” to see the data, a step that effectively opens the gate for the malware.
The campaign “abuses Obsidian’s legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins, to silently execute code when a victim opens a shared cloud vault”. Once the victim enables the sync, these plugins automatically pull down malicious configurations.
On Windows systems, the attack delivers PHANTOMPULL, a custom in-memory loader that reflectively loads the final payload to avoid touching the disk. This culminates in the deployment of PHANTOMPULSE, which researchers describe as “a novel, AI-assisted Windows RAT featuring blockchain-based C2 resolution”.
The malware itself bears the hallmarks of modern development: “The binary exhibits strong indicators of AI-assisted development,” with debug strings that are “abnormally verbose, self-documenting, and follow a structured step-numbering pattern”.
One of the most innovative features of PHANTOMPULSE is its reliance on the Ethereum blockchain for Command and Control (C2) instructions. “PHANTOMPULSE implements a decentralized C2 resolution mechanism using public blockchain infrastructure as a dead drop,” the report explains.
By querying transaction data from specific wallet addresses on Ethereum, Base, and Optimism, the malware can identify its current C2 server. This makes the infrastructure incredibly resilient, as “publishing a new C2 endpoint requires only submitting a transaction with crafted calldata to the wallet”.
Despite its technical complexity, researchers found a significant flaw in the malware’s design. Because the RAT parses any transaction involving the wallet without verifying the sender, it is vulnerable to hijacking.
“This means any third party who knows the wallet address and the XOR key (both recoverable from the binary) can craft a transaction to the wallet containing a competing input payload”. Since the malware always prioritizes the most recent transaction, a responder could effectively redirect all infected hosts to a “sinkhole” server, neutralizing the attacker’s control.
This campaign demonstrates that the move to remote work and community-driven ecosystems has created new avenues for classic social engineering. “While this attack requires social engineering to cross the community plugin sync boundary, the technique remains notable: it abuses a legitimate application feature as a persistence and command execution channel”.
For organizations in the financial and cryptocurrency sectors, Elastic Security Labs recommends focusing on parent-process-based detection, as the signed and trusted Obsidian binary is used to hand off the final malicious execution. Always be wary of “business opportunities” that require the use of specific third-party plugins or shared digital vaults from unverified sources.
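As an added illustration of the parent-process-based detection the report recommends (example code written here, not Elastic's own rule), the following flags process-creation events in which the trusted Obsidian binary is the parent of a shell or script interpreter. The event shape, host names and command lines are constructed; the Shell Commands plugin legitimately spawns shells, so matches should be compared against a known-good baseline before alerting.

```python
# Added example (not Elastic's own detection logic): flag process-creation events
# where the trusted Obsidian binary hands execution off to a shell/interpreter.
# Event fields and sample values are constructed for illustration.
from dataclasses import dataclass

# Interpreters that would carry out the hand-off on each platform.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "sh", "bash", "zsh", "python", "python3", "osascript",
}
# Process names for Obsidian on Windows and on macOS/Linux.
OBSIDIAN_PARENTS = {"obsidian.exe", "obsidian"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_name: str
    child_name: str
    command_line: str


def is_obsidian_handoff(ev: ProcessEvent) -> bool:
    """True when Obsidian is the parent of a shell or script interpreter."""
    return (ev.parent_name.lower() in OBSIDIAN_PARENTS
            and ev.child_name.lower() in SUSPICIOUS_CHILDREN)


def find_handoffs(events):
    """Return matching events in original order for triage."""
    return [ev for ev in events if is_obsidian_handoff(ev)]


# Constructed sample telemetry: a benign Obsidian renderer child, two hand-offs
# (Windows and macOS), and an unrelated shell spawned by Explorer.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "Obsidian.exe", "Obsidian.exe", "Obsidian.exe --type=renderer"),
    ProcessEvent("ws-01", "Obsidian.exe", "cmd.exe", "cmd.exe /c <constructed-plugin-command>"),
    ProcessEvent("mac-02", "Obsidian", "sh", "sh -c <constructed-plugin-command>"),
    ProcessEvent("ws-03", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for ev in find_handoffs(SAMPLE_EVENTS):
        print(f"[{ev.host}] {ev.parent_name} -> {ev.child_name}: {ev.command_line}")
```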