Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT
ID: bcdf907c-a142-5e5e-960a-1b46f48ef890
STIX ID: report--bcdf907c-a142-5e5e-960a-1b46f48ef890
Feed Name: Elastic Security Labs
**Executive Summary:** Elastic Security Labs documents REF6598, a targeted campaign that uses social engineering to trick finance and cryptocurrency professionals into enabling Obsidian community-plugin sync. This causes trojanized Shell Commands and Hider plugins to execute a multi-stage, cross-platform attack that delivers the PHANTOMPULL loader and the PHANTOMPULSE RAT on Windows and an obfuscated AppleScript dropper on macOS. PHANTOMPULSE features in-memory reflective loading, advanced injection, and a blockchain-based C2 rotation mechanism. The report includes indicators (hashes, IPs, domains, wallet) and detection/hunting guidance.
