The post Obsidian Plugin Scam Targets Crypto Users with Malware appeared on BitcoinEthereumNews.com. The malware is known as PHANTOMPULSE, and it uses blockchain

Obsidian Plugin Scam Targets Crypto Users with Malware


The malware is known as PHANTOMPULSE, and it uses blockchain-based infrastructure for resilient command and control. In a separate incident, Apple removed a fake Ledger Live app from its App Store after more than 50 users were scammed out of approximately $9.5 million. The app used a bait-and-switch tactic to trick users into revealing seed phrases.

New Crypto Scam Uses Obsidian

Crypto users are being urged to be very cautious after researchers uncovered a sophisticated new social engineering campaign that uses the popular note-taking app Obsidian to deploy malware.

According to a recent report by Elastic Security Labs, attackers are targeting people in the cryptocurrency and financial sectors through carefully orchestrated interactions on professional and messaging platforms.

Execution chain diagram (Source: Elastic Security Labs)

The campaign begins with scammers reaching out to potential victims on LinkedIn. They pose as representatives of a venture capital firm. These conversations are designed to look legitimate and often revolve around financial services, particularly cryptocurrency liquidity solutions. Once a level of trust is established, targets are directed to continue discussions on Telegram, where the attackers introduce the next phase of the scheme.

Victims are then instructed to download and use Obsidian, which the attackers claim is part of their company’s internal system for accessing shared data. They are provided with login credentials to connect to a cloud-hosted vault controlled by the attackers.

This vault serves as the primary entry point for the attack. When the victim opens the vault in Obsidian, they are prompted to enable community plugin synchronization. This feature allows third-party plugins to be installed and run inside the app.

Obsidian menu to open a remote vault (Source: Elastic Security Labs)

By enabling this feature, users unknowingly activate malicious plugins that execute code in the background. These plugins deploy a previously undocumented remote access trojan known as PHANTOMPULSE. Once installed, the malware gives attackers extensive control over the victim’s device. It allows them to monitor activity, access sensitive data, and compromise cryptocurrency wallets.

What makes this campaign especially concerning is its use of blockchain technology to maintain communication with infected devices. Instead of relying on traditional centralized servers, PHANTOMPULSE retrieves instructions through on-chain transaction data linked to specific wallets across multiple blockchain networks. This decentralized command and control approach ensures that the malware stays resilient and difficult to disrupt, even if parts of its infrastructure are taken offline.

Because Obsidian’s plugin ecosystem is designed to allow flexibility and customization, attackers are able to exploit this functionality without even triggering common security alerts.
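The attack described above only works once community plugins are enabled in a vault the victim did not create. A practical defensive check is to inspect a received vault folder on disk before opening it in Obsidian. The script below is an added example, not code from the article or from Elastic Security Labs; it relies on Obsidian's vault layout (`.obsidian/community-plugins.json` lists enabled plugin IDs, and each plugin lives in `.obsidian/plugins/<id>/` with a `manifest.json` and a `main.js`). The allowlist, plugin names and sample vault are constructed for the demonstration.

```python
"""Audit an Obsidian vault directory for community plugin code before opening it.

Added example (not from the article or from Elastic Security Labs). Assumes
Obsidian's vault layout: `.obsidian/community-plugins.json` holds the IDs of
enabled community plugins, and `.obsidian/plugins/<id>/` holds each plugin's
`manifest.json` and `main.js`. Allowlist and sample vault are constructed.
"""
import json
import tempfile
from pathlib import Path


def audit_vault(vault: Path, allowlist: frozenset) -> dict:
    """Return findings about community plugins in `vault`.

    - enabled:     plugin IDs Obsidian would load when the vault is opened
    - unlisted:    enabled IDs not on our allowlist (the main red flag for a
                   vault handed to you by a stranger)
    - orphan_dirs: plugin folders with main.js present but not enabled
                   (dormant code that a later sync could switch on)
    - id_mismatch: folders whose manifest id differs from the folder name
    """
    cfg = vault / ".obsidian"
    findings = {"enabled": [], "unlisted": [], "orphan_dirs": [], "id_mismatch": []}

    enabled_file = cfg / "community-plugins.json"
    if enabled_file.is_file():
        try:
            enabled = json.loads(enabled_file.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            enabled = []
        findings["enabled"] = sorted(p for p in enabled if isinstance(p, str))
    findings["unlisted"] = [p for p in findings["enabled"] if p not in allowlist]

    plugins_dir = cfg / "plugins"
    if plugins_dir.is_dir():
        for d in sorted(plugins_dir.iterdir()):
            if not d.is_dir() or not (d / "main.js").is_file():
                continue
            if d.name not in findings["enabled"]:
                findings["orphan_dirs"].append(d.name)
            manifest = d / "manifest.json"
            if manifest.is_file():
                try:
                    manifest_id = json.loads(manifest.read_text(encoding="utf-8")).get("id")
                except (json.JSONDecodeError, AttributeError):
                    manifest_id = None
                if manifest_id != d.name:
                    findings["id_mismatch"].append(d.name)
    return findings


def is_safe_to_open(findings: dict) -> bool:
    """Policy: open only if no plugin code would run, or could be toggled on,
    that has not been explicitly vetted."""
    return not (findings["unlisted"] or findings["orphan_dirs"] or findings["id_mismatch"])


def build_sample_vault(root: Path) -> Path:
    """Construct a vault resembling one received from an untrusted party: one
    vetted plugin, one enabled unvetted plugin, and one dormant plugin whose
    manifest id does not match its folder. All names are constructed."""
    cfg = root / ".obsidian"
    (cfg / "plugins").mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(json.dumps(["calendar", "liquidity-sync"]))
    for folder, manifest_id in [("calendar", "calendar"),
                                ("liquidity-sync", "liquidity-sync"),
                                ("helper", "other-id")]:
        d = cfg / "plugins" / folder
        d.mkdir()
        (d / "main.js").write_text("// plugin code placeholder (constructed)\n")
        (d / "manifest.json").write_text(json.dumps({"id": manifest_id, "name": folder}))
    return root


ALLOWLIST = frozenset({"calendar"})  # constructed: plugins this team has reviewed


def demo() -> dict:
    """Build the constructed vault in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vault(build_sample_vault(Path(tmp)), ALLOWLIST)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("safe to open:", is_safe_to_open(result))
```

Run it against a real vault by calling `audit_vault(Path("/path/to/vault"), ALLOWLIST)`; any entry in `unlisted`, `orphan_dirs` or `id_mismatch` means plugin code you have not reviewed is present, and the vault should be opened, if at all, with Obsidian's community plugins left disabled.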

Apple Removes Fake Ledger Wallet App

Cybercriminals are also abusing other apps. Apple recently confirmed that it removed a malicious app that impersonated the popular Ledger Live crypto wallet.

This was done after a wave of scams that resulted in millions of dollars in losses for unsuspecting users. The fake app was distributed through the App Store and managed to deceive more than 50 victims, who collectively lost approximately $9.5 million in digital assets.

The fraudulent application was designed to closely mimic the legitimate Ledger Live interface, tricking users into believing they were interacting with the official wallet software.

Reviews warning that the Ledger Live app is fake (Source: Archive.ph)

According to Apple, the developer behind the app operates under the name “SAS Software Company” and has since been removed from the App Store. Apple said the attackers employed a bait-and-switch tactic: they initially presented the app as legitimate and later modified its content to resemble Ledger’s official platform.

Once installed, the fake app prompted users to enter their seed phrases, the recovery secrets from which a wallet’s private keys are derived. By obtaining this information, attackers were able to gain full control over victims’ funds and transfer assets without the possibility of reversal.

Blockchain investigator ZachXBT pointed out that a large portion of the stolen funds came from a small number of high-value victims. One person reportedly lost more than $3 million in stablecoins, while others saw losses in assets like Bitcoin and Ethereum. Among the victims was American musician Garrett Dutton, who disclosed that he lost $420,000 worth of Bitcoin in the attack.

Apple explained that bait-and-switch scams are not new to its platform, and revealed that it removed or rejected more than 17,000 apps in 2024 for engaging in similar deceptive practices.

Source: https://coinpaper.com/16255/obsidian-plugin-scam-targets-crypto-users-with-malware
