
"The threat actors abuse Obsidian's legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins, to silently execute code when a victim opens a shared cloud vault."
"The attacker must convince the target to manually toggle the community plugin sync on their device so that the malicious vault configuration can trigger the execution of commands through the Shell Commands plugin."
A novel social engineering campaign, tracked as REF6598, uses Obsidian to distribute the PHANTOMPULSE trojan. The attackers target individuals in the financial and cryptocurrency sectors via LinkedIn and Telegram, posing as a venture capital firm and creating a Telegram group to enhance their credibility. Targets are instructed to open a shared dashboard in Obsidian, which triggers the infection sequence: once the victim enables community plugins, the malicious vault configuration runs, using the Shell Commands plugin to execute commands and the Hider plugin to conceal the activity.
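The defensive check that follows from the description above is to audit a shared vault's plugin configuration before enabling community plugins. The script below is an added example, not code from the article, from Elastic or from Obsidian. It assumes (none of this is stated on the page) that Obsidian keeps vault settings under `<vault>/.obsidian/`, lists enabled community plugins as a JSON array of plugin IDs in `community-plugins.json`, stores each plugin's settings in `plugins/<plugin-id>/data.json`, and that the two plugins' registry IDs are `obsidian-shellcommands` and `obsidian-hider`. The sample vault it builds is constructed and harmless.

```python
"""Audit an Obsidian vault for the Shell Commands + Hider combination.

Added example; file layout and plugin IDs are assumptions, not facts from
the article. Findings are returned as a dict so they can be checked or fed
into other tooling rather than only printed.
"""
import json
import os
import tempfile

# Assumed registry IDs of the plugins named in the summary.
RISKY_PLUGINS = {
    "obsidian-shellcommands": "Shell Commands: runs shell commands, including on vault events",
    "obsidian-hider": "Hider: hides UI elements, which can mask plugin activity",
}
SHELL_PLUGIN = "obsidian-shellcommands"


def _strings_under_key(obj, key, out):
    """Collect string values stored under `key` anywhere in nested JSON.

    Walking the whole tree avoids depending on the exact settings schema of
    the Shell Commands plugin (assumed to keep each command's text under a
    "shell_command" key).
    """
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key and isinstance(v, str):
                out.append(v)
            else:
                _strings_under_key(v, key, out)
    elif isinstance(obj, list):
        for v in obj:
            _strings_under_key(v, key, out)
    return out


def _load_json(path, default):
    """Load a JSON file, returning `default` when it does not exist."""
    if not os.path.isfile(path):
        return default
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def audit_vault(vault_path):
    """Return findings for one vault: enabled risky plugins, configured shell
    command strings, and human-readable warnings."""
    cfg = os.path.join(vault_path, ".obsidian")
    findings = {"enabled_risky": [], "shell_commands": [], "warnings": []}

    # Assumption: an absent community-plugins.json means none are enabled.
    enabled = _load_json(os.path.join(cfg, "community-plugins.json"), [])
    findings["enabled_risky"] = [p for p in enabled if p in RISKY_PLUGINS]

    data = _load_json(os.path.join(cfg, "plugins", SHELL_PLUGIN, "data.json"), {})
    findings["shell_commands"] = _strings_under_key(data, "shell_command", [])

    if SHELL_PLUGIN in findings["enabled_risky"] and findings["shell_commands"]:
        findings["warnings"].append(
            "Shell Commands enabled with %d configured command(s); review before trusting this vault"
            % len(findings["shell_commands"]))
    if set(findings["enabled_risky"]) == set(RISKY_PLUGINS):
        findings["warnings"].append(
            "Shell Commands and Hider both enabled: the combination REF6598 uses to run and conceal commands")
    return findings


def build_sample_vault():
    """Create a constructed, harmless vault shaped like a shared malicious one."""
    vault = tempfile.mkdtemp(prefix="vault-")
    plugin_dir = os.path.join(vault, ".obsidian", "plugins", SHELL_PLUGIN)
    os.makedirs(plugin_dir)
    with open(os.path.join(vault, ".obsidian", "community-plugins.json"), "w", encoding="utf-8") as f:
        json.dump(["obsidian-shellcommands", "obsidian-hider"], f)
    with open(os.path.join(plugin_dir, "data.json"), "w", encoding="utf-8") as f:
        # Constructed settings with one benign command; the schema is assumed.
        json.dump({"shell_commands": {"abc123": {"shell_command": "echo constructed-sample",
                                                  "alias": "Open dashboard"}}}, f)
    return vault


if __name__ == "__main__":
    report = audit_vault(build_sample_vault())
    for line in report["warnings"]:
        print("WARNING:", line)
    print(json.dumps(report, indent=2))
```

Run it against a vault received from an untrusted party while Obsidian is still in its default restricted mode; the point is to read the configuration before the client is allowed to act on it. Any non-empty `shell_commands` list in a vault you did not author is reason enough not to enable community plugins for it.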
Read at The Hacker News