The Obsidian RAT: How a Beloved Productivity App Became a Malware Delivery Vector — and What It Means for Every Plugin Ecosystem You Trust

One shared vault, two legitimate plugins, and full remote access to your machine.

TokenDance Editors·11 May 2026

You Got a LinkedIn Message From a VC Firm. Then Things Got Interesting.

Here is the scenario. A professional-looking LinkedIn account reaches out — they represent a venture capital firm interested in crypto liquidity solutions. The conversation moves to Telegram, where a group chat with several apparent 'partners' is already active, discussing financial services topics with convincing detail. The group feels real. The opportunity feels real. Then they ask you to use Obsidian — a note-taking app beloved by developers, researchers, and knowledge workers — to access a shared dashboard. They hand you login credentials for a cloud-hosted vault. That vault is the entire attack. This is REF6598, a campaign documented by Elastic Security Labs targeting individuals in the financial and cryptocurrency sectors. It is not a blunt phishing link. It is an elaborate, multi-stage social engineering operation designed specifically to exploit the trust that technically sophisticated users place in the tools they use every day. The fact that you recognised Obsidian — and trusted it — was part of the trap.

What Actually Happened Inside That Vault: The Technical Breakdown

When a victim opens the attacker-controlled cloud vault in Obsidian, they are instructed to enable 'community plugin sync' — a setting that is turned off by default and cannot be toggled remotely. That one manual action is the only thing standing between the target and full system compromise. Once enabled, two legitimate Obsidian plugins sync silently into the victim's environment. The first is the Shell Commands plugin, which is configured to execute arbitrary, platform-specific system commands on events like vault open or app startup. The second is the Hider plugin, which suppresses Obsidian UI elements — status bars, scrollbars, tooltips — reducing the visual signals that anything unusual is occurring. The malicious configuration lives entirely in JSON files within the vault's `.obsidian` directory, not in a suspicious executable, which is why traditional antivirus tools are largely blind to it. On Windows, Shell Commands triggers Base64-encoded PowerShell that downloads a second-stage script from an external server. That script fetches a loader binary called `syncobs.exe`, dubbed PHANTOMPULL by Elastic. PHANTOMPULL is a 64-bit Windows loader that decrypts an AES-256-CBC encrypted payload from its own resources and loads it directly into memory — never writing the final payload to disk — before retrieving the actual RAT, PHANTOMPULSE, over HTTPS. Elastic researchers first detected the attack when telemetry flagged suspicious PowerShell processes spawned directly from the legitimate Obsidian binary.

What a RAT Gives an Attacker That Other Malware Doesn't

Ransomware locks your files and demands payment. A stealer grabs your passwords and leaves. A Remote Access Trojan — a RAT — does something more persistent and more dangerous: it turns your machine into a remote workstation that the attacker can operate at will, on their schedule, without your knowledge. PHANTOMPULSE is described by Elastic as being 'designed for stealth, resilience, and comprehensive remote access.' It gives attackers the ability to monitor activity, access sensitive data, and compromise cryptocurrency wallets. What makes it especially difficult to shut down is its command-and-control infrastructure. Instead of routing instructions through a central server that can be blocked or taken offline, PHANTOMPULSE retrieves commands through on-chain transaction data linked to specific wallets across at least three separate blockchain networks. Because blockchain transactions are immutable and publicly accessible, the malware can always locate its command server — the attacker simply needs to post new instructions to a wallet address. If one blockchain's explorer gets blocked, the other two still work. The PHANTOMPULSE panel itself — a polished web interface called 'Phantom Panel' — runs behind Cloudflare, adding another layer of infrastructure resilience. For a finance or crypto professional, the risk is not just credential theft. It is sustained, invisible access to the machine where wallets are managed, deals are structured, and private communications happen.

This Is Not an Obsidian Problem. It Is a Plugin Ecosystem Problem.

The non-obvious insight from REF6598 is that Obsidian is incidental. The structural vulnerability — a community plugin repository with no mandatory code signing, no centralised security review, and a user base that trusts it by default — exists across most of the plugin ecosystems that developers and knowledge workers rely on daily. Consider the parallel. The VS Code Marketplace hosts tens of thousands of extensions; as one enterprise security guide notes, 'security teams block VS Code deployment when they cannot validate 60,000+ extensions in the community marketplace.' Chrome Extensions operate under a review model that has historically allowed malicious extensions to persist for extended periods. Figma's community plugin ecosystem and Raycast's extension library share the same foundational trust assumption: that community contributors are benign, that popular means safe, and that installing from a named repository is equivalent to installing from a vetted source. The Obsidian attack works because the Shell Commands plugin is legitimate software doing exactly what it was designed to do. There is no malicious code in the plugin itself — the weaponisation happens entirely in the JSON configuration that ships inside the attacker-controlled vault. Execution is handed off by a signed, trusted Electron application, which is precisely why parent-process-based detection — watching what Obsidian spawns — is the layer that actually caught this attack in Elastic's telemetry. Traditional file-scanning defenses see a clean installation.
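The parent-process layer described above, as an added example rather than Elastic's own rule: a small detector over process-creation events that flags any shell or script host whose parent is the Obsidian binary, and raises the severity when the command line carries encoded-command, hidden-window, policy-bypass or download cues. Field names follow Sysmon's process-creation event, the sample events are constructed for the demo, and the EQL sketch in the docstring is an assumption about how the same logic would be phrased for Elastic's engine.

```python
"""Parent-process detection: shells and script hosts spawned by Obsidian.

Added example, not Elastic's detection rule. Events use Sysmon-style field
names (ParentImage, Image, CommandLine); the sample events are constructed.
An equivalent EQL sketch (assumption, not tested against Elastic) would be:
  process where event.type == "start" and process.parent.name : "Obsidian.exe"
    and process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe")
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

EDITOR_BINARIES = {"obsidian.exe", "obsidian"}  # Windows and macOS/Linux image names
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "sh", "bash", "zsh", "osascript"}

# Command-line cues that turn a medium alert into a high one.
ESCALATORS = [
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("download", re.compile(r"invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|\bwget\b", re.I)),
]


def basename(image):
    """Lower-cased final path component, for Windows or POSIX image paths."""
    path = PureWindowsPath(image) if "\\" in image else PurePosixPath(image)
    return path.name.lower()


def evaluate(event):
    """Return an alert for one process-creation event, or None if it is not of interest."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in EDITOR_BINARIES or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    cues = [name for name, rx in ESCALATORS if rx.search(cmdline)]
    return {"rule": "obsidian_spawns_script_host", "severity": "high" if cues else "medium",
            "parent": parent, "child": child, "cues": cues, "cmdline": cmdline}


def detect(events):
    """Run evaluate() over a batch of events and keep only the alerts."""
    return [alert for alert in map(evaluate, events) if alert]


# Constructed sample telemetry; the base64 blob is a placeholder, not real content.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -WindowStyle Hidden -EncodedCommand " + "A" * 32},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "CommandLine": "Obsidian.exe --type=renderer"},  # normal Electron child process
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},  # user opened a shell themselves
    {"ParentImage": "/Applications/Obsidian.app/Contents/MacOS/Obsidian",
     "Image": "/bin/sh", "CommandLine": "/bin/sh -c 'date >> sync.log'"},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Obsidian\Obsidian.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo saved"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["cues"])
```

The medium-severity alerts are deliberate: a user who legitimately runs the Shell Commands plugin will produce them, so they need triage against the vault's configuration rather than automatic blocking, while the high-severity path (encoded, hidden-window PowerShell out of a note-taking app) has no benign explanation worth waiting for.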

Why 'Only Install From Known Authors' Is Insufficient — And What Actually Helps

The standard advice after any plugin-based attack is to install only from trusted authors. REF6598 breaks that mental model entirely. The Shell Commands and Hider plugins used in this attack are genuine community tools with real authors and real user bases. The attack did not require a fake plugin. It required a fake vault configuration. More useful defences operate at a different layer. First, treat community plugin sync as a capability that requires explicit justification — the setting is off by default for a reason, and any external party instructing you to enable it should trigger immediate scepticism. No legitimate employer onboards staff by asking them to toggle security boundaries in a note-taking app. Second, audit what your installed plugins actually do by checking the `.obsidian` folder contents — specifically the `shell-commands` configuration — for commands you did not write. The attack's artefacts live in JSON files, not executables, so the audit is readable without specialist tools. Third, apply the same scepticism to VS Code extensions, browser extensions, and any plugin ecosystem where installation is a one-click community action. Check when the extension was published, how many installs it has, whether the repository has genuine activity, and whether it requests permissions that exceed its stated function. Finally, the REF6598 campaign specifically targets people in finance and cryptocurrency — the exact profiles whose machines carry the highest value. In 2025, $713 million was stolen via compromises of individual crypto wallets, according to Chainalysis. The sophistication of the social engineering — a fake VC firm, a staged Telegram group, a plausible business context — reflects how much attackers are willing to invest when the target is the right one.
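The second defence above, auditing the `.obsidian` folder for commands you did not write, as an added example that is not code from Elastic Security Labs or the Obsidian project. The script walks every plugin's settings file, lists every string setting of execution-capable plugins, decodes Base64 blobs the way PowerShell's `-EncodedCommand` expects so the cues are not hidden by the encoding, and notes the presence of UI-hiding plugins. The file layout (`.obsidian/plugins/<id>/data.json`, `.obsidian/community-plugins.json`), the plugin ids `obsidian-shellcommands` and `obsidian-hider`, and the settings schema in the sample vault are assumptions; the sample vault is constructed for the demo.

```python
"""Audit an Obsidian vault for plugin settings that can run commands.

Added example, not code from Elastic Security Labs or the Obsidian project.
Assumed layout: .obsidian/plugins/<plugin-id>/data.json holds each plugin's
settings and .obsidian/community-plugins.json is a JSON array of enabled ids.
Plugin ids are matched by substring, so near-variants of the assumed ids
'obsidian-shellcommands' and 'obsidian-hider' are still caught.
"""
import base64
import binascii
import json
import re
import tempfile
from pathlib import Path

EXEC_PLUGIN_HINTS = ("shell", "command", "exec", "run")  # plugins that can execute things
HIDER_PLUGIN_HINTS = ("hider",)                           # plugins that suppress UI
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SUSPICIOUS_PATTERNS = [
    ("powershell", re.compile(r"\b(powershell|pwsh)\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download", re.compile(r"invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|\bwget\b", re.I)),
]


def iter_strings(obj, path=""):
    """Yield (json_path, value) for every string nested anywhere in parsed JSON."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{idx}]")


def decode_base64_blob(blob):
    """Decode as UTF-16LE (what PowerShell -EncodedCommand uses), then UTF-8;
    return None when the bytes are not readable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def scan_string(value):
    """Return (pattern hits, decoded blob or None) for one setting string."""
    hits = [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(value)]
    decoded, blob = None, BASE64_RE.search(value)
    if blob:
        hits.append("base64_blob")
        decoded = decode_base64_blob(blob.group(0))
        if decoded:  # rescan the decoded script so cues survive the encoding
            hits += [f"decoded:{n}" for n, rx in SUSPICIOUS_PATTERNS if rx.search(decoded)]
    return hits, decoded


def audit_vault(vault):
    """Report UI-hiding plugins, every string setting of execution-capable
    plugins, and any pattern hit in any other plugin's settings."""
    config_dir = Path(vault) / ".obsidian"
    enabled_file = config_dir / "community-plugins.json"
    enabled = set(json.loads(enabled_file.read_text())) if enabled_file.exists() else set()
    findings = []
    for plugin_dir in sorted((config_dir / "plugins").glob("*")):
        pid = plugin_dir.name
        base = {"plugin": pid, "enabled": pid in enabled, "path": "", "hits": [], "decoded": None}
        if any(h in pid.lower() for h in HIDER_PLUGIN_HINTS):
            findings.append({**base, "kind": "ui_hiding_plugin"})
        exec_capable = any(h in pid.lower() for h in EXEC_PLUGIN_HINTS)
        data_file = plugin_dir / "data.json"
        if not data_file.exists():
            continue
        for json_path, value in iter_strings(json.loads(data_file.read_text())):
            hits, decoded = scan_string(value)
            if hits or exec_capable:  # in an exec plugin every string deserves a look
                findings.append({**base, "kind": "exec_plugin_setting" if exec_capable else "pattern_hit",
                                 "path": json_path, "hits": hits, "decoded": decoded})
    return findings


# Constructed sample vault; the encoded command is a harmless placeholder script.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri https://example.invalid/ -OutFile sample.txt"


def build_sample_vault(root):
    """Write a vault whose Shell Commands settings run encoded PowerShell at
    startup (the settings schema here is an assumption, not the plugin's own)."""
    plugins = Path(root) / ".obsidian" / "plugins"
    encoded = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
    shell_cfg = {"shell_commands": [{
        "id": "sample",
        "platform_specific_commands": {"win32": f"powershell -NoProfile -EncodedCommand {encoded}",
                                       "darwin": "date >> sync.log"},
        "events": {"after-obsidian-starts": {"enabled": True}}}]}
    (plugins / "obsidian-shellcommands").mkdir(parents=True)
    (plugins / "obsidian-shellcommands" / "data.json").write_text(json.dumps(shell_cfg))
    (plugins / "obsidian-hider").mkdir()
    (plugins / "obsidian-hider" / "data.json").write_text(json.dumps({"hideStatusbar": True}))
    (plugins.parent / "community-plugins.json").write_text(json.dumps(["obsidian-shellcommands", "obsidian-hider"]))


def demo():
    """Build the sample vault in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_vault(tmp)
        return audit_vault(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['kind']}] {f['plugin']}{f['path']}: {', '.join(f['hits']) or 'review'}")
        if f["decoded"]:
            print("    decoded ->", f["decoded"])
```

Run it against a real vault with `audit_vault("/path/to/vault")`. Strings from execution-capable plugins are reported even without a pattern hit, because the point of the audit is to read every command the vault will run and confirm you wrote it; the pattern hits and decoded blob simply draw the eye to the entries that need attention first.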

What to Watch Next

REF6598 is almost certainly not a one-off technique. Elastic notes that attackers 'continue to find creative initial access vectors,' and the vault-as-delivery-mechanism approach is replicable across any application that supports shared configuration sync — which increasingly includes developer tools, design tools, and AI-assisted coding environments. Watch for security researchers to begin stress-testing shared workspace features in tools like Notion, Roam Research, and AI coding environments that support extension or plugin ecosystems. Watch also for whether Obsidian updates its plugin sync security model in response to REF6598 — specifically whether any friction is added to the community plugin sync toggle to make it harder to enable via social engineering. The broader question the security community will be working through: can plugin ecosystems retain their openness and flexibility while introducing meaningful verification at the configuration layer, not just the code layer? That is the architectural problem REF6598 has put on the table.
