Obsidian Plugin Scam Targets Crypto Users with Malware
The post Obsidian Plugin Scam Targets Crypto Users with Malware appeared on BitcoinEthereumNews.com.
The malware is known as PHANTOMPULSE, and it uses blockchain-based infrastructure for resilient command and control. In a separate incident, Apple removed a fake Ledger Live app from its App Store after more than 50 users were scammed out of approximately $9.5 million. The app used a bait-and-switch tactic to trick users into revealing seed phrases.

New Crypto Scam Uses Obsidian

Crypto users are being urged to be very cautious after researchers uncovered a sophisticated new social engineering campaign that uses the popular note-taking app Obsidian to deploy malware. According to a recent report by Elastic Security Labs, attackers are targeting people in the cryptocurrency and financial sectors through carefully orchestrated interactions on professional and messaging platforms.

[Figure: Execution chain diagram (Source: Elastic Security Labs)]

The campaign begins with scammers reaching out to potential victims on LinkedIn, posing as representatives of a venture capital firm. These conversations are designed to look legitimate and often revolve around financial services, particularly cryptocurrency liquidity solutions. Once a level of trust is established, targets are directed to continue discussions on Telegram, where the attackers introduce the next phase of the scheme.

Victims are then instructed to download and use Obsidian, which the attackers claim is part of their company's internal system for accessing shared data. They are provided with login credentials to connect to a cloud-hosted vault controlled by the attackers. This vault serves as the primary entry point for the attack.

When the victim opens the vault in Obsidian, they are prompted to enable community plugin synchronization. This feature then allows third-party plugins to be installed and run in the app.

[Figure: Obsidian menu to open a remote vault (Source: Elastic Security Labs)]

By enabling this feature, users unknowingly activate malicious plugins that execute code in the background. They deploy a…
Filed under: News - @ April 15, 2026 10:33 am