TDPel Media News Agency

Cybercriminals deploy Obsidian malware scam to target crypto users through LinkedIn and Telegram globally

By Oke Tope

Crypto users are once again in the crosshairs of cybercriminals, but this time the attack is not coming through the usual fake exchanges or phishing emails.

Security researchers at Elastic Security Labs have uncovered a fresh campaign that hides malware inside trusted productivity tools, turning routine software use into a security nightmare.

The target group is clear: investors, traders, and professionals in the crypto and finance space who often rely on collaboration tools for daily communication and project management.

How the Attack Starts With Social Engineering

The scam begins in a very human way—conversation.

Attackers approach victims on platforms like LinkedIn and later shift discussions to Telegram, posing as representatives of fake venture capital firms or financial service companies.

They talk about “crypto liquidity solutions” and investment opportunities, building trust slowly until the target believes they are dealing with a legitimate business partner.

Once trust is established, the victim is introduced to a seemingly normal collaboration setup built around a note-taking tool known as Obsidian.

The Trap Hidden Inside a Shared Vault

The attackers instruct victims to log in to what appears to be a shared cloud workspace or “vault.”

In reality, this vault is controlled by the hackers.

Inside, victims are told to enable community plugins—features normally used in Obsidian to extend functionality. That’s where things go wrong.

Once enabled, malicious plugins quietly execute code in the background whenever the vault is opened, giving attackers an invisible entry point into the system.

Malware That Works Across Windows and Mac

The attack is not limited to one operating system.

Both Windows and macOS users are affected. Security researchers identified a previously unknown remote access trojan, which they named “PHANTOMPULSE.”

This malware is designed to blend in, run silently, and give attackers full control over infected devices without triggering obvious warnings.

Once installed, it allows cybercriminals to access files, monitor activity, and potentially extract sensitive crypto wallet data.

Blockchain Used as a Hidden Control Network

What makes this campaign unusual is how the attackers communicate with infected machines.

Instead of traditional servers, PHANTOMPULSE uses blockchain networks to receive instructions.

By embedding command signals in blockchain transactions, attackers avoid relying on centralized infrastructure that can be shut down or blocked.

Even if one network is disrupted, others can still deliver commands.

This method makes detection and takedown significantly harder than standard malware operations.

Why Crypto Users Are Prime Targets

Crypto holders remain one of the most targeted groups online because transactions are irreversible.

Once funds are stolen, recovery is almost impossible.

Reports from industry trackers such as Chainalysis show that hundreds of millions of dollars are lost each year through wallet compromises and social engineering attacks.

This latest campaign shows that attackers are evolving beyond simple scams into highly structured operations using legitimate tools as cover.

The Bigger Picture Behind the Obsidian Exploit

The core trick in this attack is not technical complexity alone—it is trust.

By abusing the normal plugin ecosystem of Obsidian, attackers bypass traditional security defenses.

Instead of forcing victims to download suspicious files, they rely on features the software already supports, making the malicious activity harder to detect.

Security experts warn that this reflects a broader trend where productivity tools are being quietly turned into attack platforms.

Impact and Consequences

This development raises serious concerns for both individual crypto users and companies working in the finance and blockchain sectors.

For individuals, the risk is direct financial loss, identity exposure, and compromised devices.

For organizations, it highlights how one compromised employee could potentially expose entire internal systems.

It also signals a shift in cybercrime tactics: instead of breaking systems, attackers are now blending into them.

What’s Next?

Cybersecurity teams are expected to tighten controls around third-party plugins and collaboration tools.

Companies may begin restricting or whitelisting extensions in tools like Obsidian to reduce exposure.
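
One way a security team could check that kind of plugin allowlist on an endpoint, shown as an added example that is not from the article or from Elastic Security Labs. It assumes Obsidian's standard on-disk layout (enabled plugin IDs listed in `.obsidian/community-plugins.json`, plugin code in `.obsidian/plugins/<id>/main.js`); the plugin IDs and the sample vault are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def audit_vault(vault, allowlist):
    """Flag enabled community plugins that are not pinned in the allowlist.

    allowlist maps plugin id -> approved SHA-256 of that plugin's main.js.
    """
    cfg = Path(vault) / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    if not enabled_file.is_file():
        return []  # community plugins were never enabled in this vault
    try:
        enabled = json.loads(enabled_file.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [("<config>", "community-plugins.json could not be parsed")]
    if not isinstance(enabled, list):
        return [("<config>", "community-plugins.json is not a list of ids")]
    findings = []
    for plugin_id in enabled:
        if not isinstance(plugin_id, str) or plugin_id not in allowlist:
            findings.append((str(plugin_id), "enabled but not on allowlist"))
            continue
        main_js = cfg / "plugins" / plugin_id / "main.js"
        if not main_js.is_file():
            findings.append((plugin_id, "enabled but main.js missing"))
        elif hashlib.sha256(main_js.read_bytes()).hexdigest() != allowlist[plugin_id]:
            findings.append((plugin_id, "main.js hash differs from approved build"))
    return findings

def build_sample_vault(root):
    """Constructed vault: one approved plugin plus one unknown plugin."""
    cfg = Path(root) / ".obsidian"
    approved_body = b"console.log('approved build');"
    for pid, body in (("approved-helper", approved_body),
                      ("shared-sync-helper", b"console.log('unknown');")):
        (cfg / "plugins" / pid).mkdir(parents=True)
        (cfg / "plugins" / pid / "main.js").write_bytes(body)
    (cfg / "community-plugins.json").write_text(
        json.dumps(["approved-helper", "shared-sync-helper"]), encoding="utf-8")
    return {"approved-helper": hashlib.sha256(approved_body).hexdigest()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for plugin_id, reason in audit_vault(tmp, build_sample_vault(tmp)):
            print(f"{plugin_id}: {reason}")
```

Pinning the hash of `main.js`, rather than the plugin ID alone, also catches an approved plugin whose code was swapped inside a vault someone else controls.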

There is also likely to be increased scrutiny of social engineering tactics on LinkedIn and Telegram, especially those targeting financial professionals.

In the longer term, security researchers expect more malware campaigns to use decentralized systems like blockchain for command-and-control operations.

Summary

A newly discovered scam campaign is targeting crypto users by weaponizing trust in popular productivity software.

Using social engineering, attackers trick victims into enabling malicious plugins in Obsidian, leading to remote device compromise through a stealthy malware strain called PHANTOMPULSE.

The attack demonstrates how modern cyber threats are evolving beyond traditional hacking into sophisticated manipulation of everyday tools and workflows.

Bulleted Takeaways

  • Crypto users are being targeted through a new social engineering malware campaign
  • Attackers pose as VC firms on LinkedIn and move conversations to Telegram
  • Victims are tricked into using Obsidian shared vaults with malicious plugins
  • Malware named PHANTOMPULSE enables full remote device control
  • The attack works on both Windows and macOS systems
  • Blockchain networks are used for hidden command-and-control communication
  • Crypto losses remain high due to irreversible transactions, per Chainalysis data
  • Experts warn productivity tools are becoming new cyberattack entry points

About Oke Tope

Temitope Oke is an experienced copywriter and editor. With a deep understanding of the Nigerian market and global trends, he crafts compelling, persuasive, and engaging content tailored to various audiences. His expertise spans digital marketing, content creation, SEO, and brand messaging. He works with diverse clients, helping them communicate effectively through clear, concise, and impactful language. Passionate about storytelling, he combines creativity with strategic thinking to deliver results that resonate.