Obsidian app harnessed to deliver illicit Windows, macOS payloads

Malware, Application security, Threat Intelligence

(Adobe Stock)

Attacks abusing the cross-platform note-taking app Obsidian have been targeting individuals in the finance and cryptocurrency industries with malicious Windows and macOS payloads as part of the new REF6598 social engineering campaign, according to The Hacker News.

Threat actors purporting to be a venture capital firm have used Telegram to lure targets into opening a shared dashboard in Obsidian and enabling the "Installed community plugins" sync option, which syncs the shared vault's community plugins onto the victim's device and triggers malicious code execution, a report from Elastic Security Labs showed. No flaw in Obsidian is exploited: the Shell Commands plugin is legitimate functionality, and the malicious part is the command configuration that arrives with the shared vault. On Windows, command execution via the Shell Commands plugin invokes a PowerShell script that deploys the PHANTOMPULL loader, which in turn runs the novel AI-generated PHANTOMPULSE backdoor. On macOS, the attackers used an obfuscated AppleScript dropper that runs a second-stage payload through osascript.

"By abusing Obsidian's community plugin ecosystem rather than exploiting a software vulnerability, the attackers bypass traditional security controls entirely, relying on the application's intended functionality to execute arbitrary code," said researchers.
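As an added triage example (not code from the original article, from SC Media, or from Elastic Security Labs), the Python script below inspects an Obsidian vault's `.obsidian` directory for the conditions the report describes: which community plugins are enabled, whether the Shell Commands plugin is among them (its plugin ID is assumed here to be `obsidian-shellcommands`), and whether any plugin bundle (`main.js`) or settings file (`data.json`) contains strings associated with running external commands, such as Node's `child_process`, PowerShell, `osascript`, or an encoded command. The sample vault it builds is constructed for the demo; its `data.json` layout is invented and does not reproduce the real plugin's settings schema or any REF6598 artefact.

```python
import json
import re
import tempfile
from pathlib import Path

# Community plugins whose purpose is to run OS commands from inside the vault.
# "obsidian-shellcommands" is assumed to be the ID of the Shell Commands plugin
# named in the report (the article itself does not give the ID).
COMMAND_RUNNER_PLUGINS = {"obsidian-shellcommands"}

# Strings in a plugin bundle (main.js) or its settings (data.json) that reach
# out of the app into the OS: Node child-process APIs, shells, the interpreters
# the report names, and common download/obfuscation idioms.
SUSPICIOUS_PATTERNS = [
    r"child_process", r"\bexec(?:Sync|File)?\s*\(", r"\bspawn\s*\(",
    r"powershell", r"\bpwsh\b", r"osascript", r"\bcurl\b",
    r"Invoke-Expression", r"\biex\b", r"-EncodedCommand", r"FromBase64String",
]


def triage_vault(vault) -> dict:
    """Inspect <vault>/.obsidian and report enabled community plugins, which of
    them are known command runners, and which plugin files match a suspicious
    pattern (mapping 'plugin/file' -> list of matched patterns)."""
    cfg = Path(vault) / ".obsidian"
    enabled = []
    listing = cfg / "community-plugins.json"   # JSON array of enabled plugin IDs
    if listing.exists():
        enabled = json.loads(listing.read_text(encoding="utf-8"))
    suspicious = {}
    plugins_dir = cfg / "plugins"
    if plugins_dir.is_dir():
        for pdir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
            for fname in ("main.js", "data.json"):
                f = pdir / fname
                if not f.is_file():
                    continue
                text = f.read_text(encoding="utf-8", errors="replace")
                hits = [pat for pat in SUSPICIOUS_PATTERNS if re.search(pat, text, re.I)]
                if hits:
                    suspicious[f"{pdir.name}/{fname}"] = hits
    return {
        "enabled_plugins": enabled,
        "command_runners_enabled": sorted(set(enabled) & COMMAND_RUNNER_PLUGINS),
        "suspicious_files": suspicious,
    }


def build_sample_vault(root) -> Path:
    """Write a constructed vault: one benign plugin and one command-runner plugin
    whose settings carry a hidden PowerShell command and an osascript one.
    The data.json layout is invented for the demo, not the real plugin's schema."""
    cfg = Path(root) / ".obsidian"
    (cfg / "plugins" / "calendar").mkdir(parents=True)
    (cfg / "plugins" / "obsidian-shellcommands").mkdir(parents=True)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["calendar", "obsidian-shellcommands"]), encoding="utf-8")
    (cfg / "plugins" / "calendar" / "main.js").write_text(
        "module.exports = class Calendar { onload() { this.addRibbonIcon('calendar', 'Open'); } };",
        encoding="utf-8")
    (cfg / "plugins" / "obsidian-shellcommands" / "main.js").write_text(
        "const cp = require('child_process'); /* runs the configured commands */",
        encoding="utf-8")
    (cfg / "plugins" / "obsidian-shellcommands" / "data.json").write_text(json.dumps({
        "commands": [
            {"name": "Dashboard refresh (Windows)",
             "run": "powershell -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAEEAQQA="},
            {"name": "Dashboard refresh (macOS)",
             "run": "osascript -e 'do shell script \"/tmp/stage2\"'"},
        ]}), encoding="utf-8")
    return Path(root)


def demo() -> dict:
    """Build the constructed vault in a temp directory and triage it."""
    return triage_vault(build_sample_vault(tempfile.mkdtemp(prefix="obsidian-triage-")))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real machine, call `triage_vault("/path/to/vault")` for each vault found on the host. The script only inspects what has already landed on disk; it cannot see the "Installed community plugins" sync setting itself. A command-runner plugin being enabled is not by itself evidence of compromise, so read the configured commands in its `data.json` and treat hidden-window PowerShell, encoded commands, or `osascript` launching a second stage as the signal.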




