
REF6598 & PHANTOMPULSE: How Hackers Are Weaponizing Obsidian's Plugin Ecosystem to Breach Financial Sector Employees

A sophisticated threat actor is abusing the Obsidian note-taking app's community plugin ecosystem to silently install a new RAT on financial employees' machines — no CVE, no exploit, just trusted software turned weapon.

FyntraLink Team

Elastic Security Labs has disclosed a sophisticated targeted campaign — tracked as REF6598 — that weaponizes Obsidian's community plugin ecosystem to deliver a previously undocumented Windows remote access trojan called PHANTOMPULSE. What makes this campaign particularly dangerous is its method: instead of exploiting a software vulnerability, attackers abuse Obsidian's legitimate, intended functionality to execute arbitrary code on victims' machines. Financial sector employees in Saudi Arabia should treat this as a Tier-1 threat alert.

The Lure: A Fake Venture Capital Firm on LinkedIn and Telegram

REF6598 operators pose as representatives of a venture capital firm, approaching targets on LinkedIn and Telegram with investment-related pretexts. Once initial trust is established, the attacker hands the victim Obsidian account credentials and instructs them to log in, enable community plugin synchronization, and connect to a pre-staged vault. This is the entire attack setup — no phishing link, no malicious attachment, no suspicious executable. The victim is simply onboarding to what appears to be a shared workspace.

Once the victim connects to the vault, the attacker's pre-configured Shell Commands plugin and its data.json configuration file sync automatically to the victim's machine. On the next configured trigger — which could be a keypress, a timer, or vault open — the payload executes without any further user interaction. The entire chain runs inside a legitimate, signed application that most enterprise endpoint tools would never flag.

Technical Chain: PHANTOMPULL to PHANTOMPULSE to Blockchain C2

On Windows, the Shell Commands plugin invokes a PowerShell script that drops an intermediate loader called PHANTOMPULL. PHANTOMPULL decrypts and launches PHANTOMPULSE entirely in memory, leaving no artifacts on disk that signature-based AV can scan. PHANTOMPULSE is a full-featured RAT providing remote command execution, file exfiltration, screenshot capture, and keylogging capabilities.

The most technically sophisticated element of the campaign is its command-and-control infrastructure. Rather than hardcoding C2 server addresses — which defenders can block — PHANTOMPULSE uses Ethereum blockchain transaction data for C2 discovery. The malware reads specific Ethereum wallet transactions to retrieve the current C2 address, making infrastructure blocking nearly impossible through traditional IP or domain blocklisting. This technique, previously seen in NKAbuse and a small number of advanced persistent threats, signals a matured, well-resourced threat actor.

The campaign is cross-platform: macOS victims receive a parallel execution chain adapted to the operating system's scripting environment, confirming the attackers have invested significantly in capability development.

Why Saudi Financial Institutions Are a High-Value Target

Financial sector employees — analysts, investment managers, treasury officers, and compliance leads — are precisely the profiles REF6598 selects on LinkedIn. These individuals routinely install productivity tools including note-taking and knowledge management applications, often without formal IT approval processes. SAMA CSCC Domain 3 (Cybersecurity Operations) and Domain 5 (Third-Party and Cloud Security) both require institutions to maintain approved software inventories and monitor for unauthorized application installations, yet Obsidian and similar tools frequently slip through as "personal productivity" software.

The blockchain-based C2 mechanism directly undermines NCA ECC Control 2-8-2, which mandates network-level blocking of known malicious communications. If the C2 address is encoded in an Ethereum transaction rather than a DNS record or hardcoded IP, perimeter firewalls and DNS sinkholes — which most Saudi financial institutions rely on as a primary detection layer — will not trigger any alert. The malware's in-memory execution also bypasses the file integrity monitoring controls required under SAMA CSCC Domain 2.

Detection: What Your SOC Should Be Looking For

Traditional indicators of compromise are largely absent in this campaign, which makes behavioral detection critical. Your security operations team should prioritize the following detection signals:

  1. Obsidian spawning PowerShell or cmd.exe: Obsidian (Obsidian.exe) should never spawn shell processes. Any process tree where Obsidian is the parent of powershell.exe, wscript.exe, or cmd.exe is a high-confidence indicator of Shell Commands plugin abuse. Write this as a Sigma rule in your SIEM immediately.
  2. In-memory .NET or PE reflective loading: PHANTOMPULL loads PHANTOMPULSE reflectively in memory. EDR solutions with memory scanning (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) should alert on AmsiScanBuffer bypass attempts and reflective PE injection patterns originating from Obsidian's process.
  3. Outbound HTTPS to Ethereum RPC endpoints: Monitor for outbound connections from workstations to public Ethereum JSON-RPC endpoints such as infura.io, alchemy.com, or ankr.com. Financial sector employees have no legitimate business reason to query blockchain nodes from corporate devices. This is a near-certain indicator of blockchain-based malware C2 activity.
  4. Obsidian vault sync from unknown accounts: Audit which employees are using Obsidian Sync and which vault accounts are connected to corporate devices. Any vault linked to an external or unknown account should trigger an immediate investigation.
  5. Lateral movement after initial compromise: PHANTOMPULSE provides full remote access. Watch for lateral movement patterns — SMB enumeration, LSASS memory access, PsExec usage — originating from machines where Obsidian is installed.
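Signals 1 and 3 above can be prototyped against raw endpoint telemetry before a Sigma rule is written. The following Python is an added example for this post, not Elastic's, SOCPrime's or Fyntralink's detection content. It assumes a Sysmon-style newline-delimited JSON log (the field names EventID, Image, ParentImage, CommandLine and DestinationHostname follow Sysmon's Event ID 1 and Event ID 3 schema); the sample log lines are constructed, and the process names and RPC provider domains are exactly the ones listed in the signals above.

```python
"""Prototype detections for signals 1 and 3 above, run over constructed
Sysmon-style JSON log lines. Added example: the field names follow Sysmon's
EventID 1 (process create) and EventID 3 (network connect) schema, the
events themselves are made up."""
import json

OBSIDIAN_IMAGE = "obsidian.exe"
# Signal 1: shell interpreters Obsidian should never be the parent of.
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Signal 3: public Ethereum JSON-RPC providers named above; a domain and all
# of its subdomains match, but lookalikes such as "notinfura.io" do not.
ETH_RPC_DOMAINS = ("infura.io", "alchemy.com", "ankr.com")

# Constructed sample log, one JSON object per line. The raw string keeps the
# doubled backslashes that JSON needs for Windows paths.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\a\\AppData\\Local\\Obsidian\\Obsidian.exe", "ParentImage": "C:\\Users\\a\\AppData\\Local\\Obsidian\\Obsidian.exe", "CommandLine": "Obsidian.exe --type=renderer"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\a\\AppData\\Local\\Obsidian\\Obsidian.exe", "CommandLine": "powershell.exe -NoProfile"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"EventID": 3, "Image": "C:\\Users\\a\\AppData\\Local\\Obsidian\\Obsidian.exe", "DestinationHostname": "mainnet.infura.io", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "www.example.com", "DestinationPort": 443}
this line is not JSON and must not crash the pipeline
"""


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_eth_rpc_host(host):
    """True when host is one of the RPC provider domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ETH_RPC_DOMAINS)


def check_event(event):
    """Return an alert dict for a single decoded event, or None."""
    if event.get("EventID") == 1:
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent == OBSIDIAN_IMAGE and child in SHELL_CHILDREN:
            return {"rule": "obsidian_spawns_shell", "process": child,
                    "detail": event.get("CommandLine", "")}
    elif event.get("EventID") == 3:
        host = event.get("DestinationHostname", "")
        if _is_eth_rpc_host(host):
            return {"rule": "eth_rpc_egress",
                    "process": _basename(event.get("Image", "")), "detail": host}
    return None


def detect(log_text):
    """Run both rules over a newline-delimited JSON log; malformed lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = check_event(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only two of the five events fire: the PowerShell launched by Explorer is ignored because the parent condition is what carries the signal, and the domain check is a suffix match on a dot boundary so that a lookalike domain cannot slip through or cause a false positive. The same parent/child condition translates directly to a Sigma `process_creation` rule using `ParentImage|endswith` and `Image|endswith`.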

Immediate Remediation Steps

  1. Audit and restrict unapproved application installs: Issue an immediate inventory query — via SCCM, Intune, or your endpoint management platform — for Obsidian installations across all corporate devices. Where Obsidian is not business-required, remove it. Where it is required, disable community plugin sync through application control policy.
  2. Block Ethereum RPC endpoints at the perimeter: Add firewall deny rules for known Ethereum JSON-RPC endpoints and blockchain API providers. This blocks the C2 discovery mechanism even if the initial loader executes.
  3. Deploy Sigma detection rules: SOCPrime has published a detection rule for this campaign (see their active threats tracker). Deploy to your SIEM within 24 hours. Elastic's original research also includes EQL detection queries for Elastic SIEM users.
  4. Conduct targeted user awareness for high-value employees: Brief investment, treasury, and compliance teams specifically. The LinkedIn/Telegram lure exploits professional trust — technical controls alone are insufficient. Employees should verify any request to install or connect shared software through official IT channels, regardless of how credible the requester appears.
  5. Review PDPL obligations for any identified compromise: If PHANTOMPULSE executed on any device with access to customer or employee personal data, Saudi Arabia's Personal Data Protection Law (PDPL) may impose notification obligations within 72 hours of discovery. Engage your Data Protection Officer immediately.
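For step 1, an inventory that stops at "Obsidian installed: yes/no" misses the part that matters: which vaults carry a shell-execution plugin, whether it is enabled, and what its synced settings reference. The following Python is an added example, not Obsidian's, the plugin's or Fyntralink's tooling. It relies on Obsidian's on-disk vault layout (`.obsidian/community-plugins.json` listing enabled plugin IDs, and `.obsidian/plugins/<id>/manifest.json` and `data.json` per plugin), assumes that the Shell Commands plugin's ID is `obsidian-shellcommands`, and builds a constructed sample vault whose `data.json` contents are made up and do not follow any plugin's real settings schema.

```python
"""Audit an Obsidian vault's plugin folder for shell-execution plugins.
Added example; relies on Obsidian's vault layout (.obsidian/community-plugins.json,
.obsidian/plugins/<id>/manifest.json and data.json) and assumes the Shell
Commands plugin's ID is "obsidian-shellcommands"."""
import json
import os
import re
import tempfile

# Plugin IDs known to execute shell commands (assumed ID; extend for your estate).
SHELL_PLUGIN_IDS = {"obsidian-shellcommands"}
# Interpreters whose appearance in any plugin's settings deserves review.
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|cmd\.exe|wscript|cscript|bash)\b",
                            re.IGNORECASE)


def _load_json(path, default):
    """Read a JSON file, returning `default` if it is missing or malformed."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return default


def _strings(obj):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def audit_vault(vault):
    """Return one finding per plugin that is shell-capable by ID or whose
    settings mention a shell interpreter. Enabled state comes from
    community-plugins.json, so plugins that synced but are switched off are
    still reported: the config is already on the device."""
    cfg = os.path.join(vault, ".obsidian")
    enabled = set(_load_json(os.path.join(cfg, "community-plugins.json"), []))
    plugins_dir = os.path.join(cfg, "plugins")
    findings = []
    if not os.path.isdir(plugins_dir):
        return findings
    for folder in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, folder)
        manifest = _load_json(os.path.join(pdir, "manifest.json"), {})
        plugin_id = manifest.get("id", folder)
        settings = _load_json(os.path.join(pdir, "data.json"), {})
        hits = sorted({m.group(0).lower() for s in _strings(settings)
                       for m in INTERPRETER_RE.finditer(s)})
        is_shell = plugin_id in SHELL_PLUGIN_IDS
        if is_shell or hits:
            findings.append({"plugin": plugin_id, "enabled": plugin_id in enabled,
                             "shell_plugin": is_shell, "interpreters": hits})
    return findings


def build_sample_vault():
    """Write a constructed vault to a temp directory and return its path.
    The data.json contents are made up and follow no plugin's real schema."""
    root = tempfile.mkdtemp(prefix="vault-")
    cfg = os.path.join(root, ".obsidian")
    plugins = {
        "calendar": ({"id": "calendar"}, {"weekStart": "monday"}),
        "custom-runner": ({"id": "custom-runner"}, {"exec": "bash -c ls"}),
        "obsidian-shellcommands": ({"id": "obsidian-shellcommands"},
                                   {"commands": [{"command": "powershell.exe -NoProfile -Command Get-Date"}]}),
    }
    for folder, (manifest, data) in plugins.items():
        pdir = os.path.join(cfg, "plugins", folder)
        os.makedirs(pdir)
        with open(os.path.join(pdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        with open(os.path.join(pdir, "data.json"), "w", encoding="utf-8") as fh:
            json.dump(data, fh)
    # Only two of the three are enabled; custom-runner is synced but switched off.
    with open(os.path.join(cfg, "community-plugins.json"), "w", encoding="utf-8") as fh:
        json.dump(["calendar", "obsidian-shellcommands"], fh)
    return root


if __name__ == "__main__":
    for finding in audit_vault(build_sample_vault()):
        print(finding)
```

Point the script at each vault directory your endpoint management platform reports under a user's profile; the benign calendar plugin produces no finding, while both the named Shell Commands plugin and an unknown plugin whose settings reference an interpreter are listed with their enabled state, which is the evidence you need before deciding between removal and a plugin-sync restriction.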

Conclusion

REF6598 represents a meaningful evolution in targeted attacks against the financial sector. By weaponizing a legitimate, well-regarded productivity application and routing C2 communications through public blockchain infrastructure, the threat actor has built an attack chain that evades the majority of conventional security controls. The absence of a CVE number does not mean the absence of a vulnerability — the vulnerability here is the gap between "approved software" policies and actual employee device reality. Saudi financial institutions subject to SAMA CSCC and NCA ECC oversight should treat this as an active threat requiring immediate detection and policy action, not a future consideration.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and find out whether your SOC detection capabilities would have caught PHANTOMPULSE before it moved laterally.