Find notable cyber news and cases, enriched with sources, timelines, and signals.

REF6598 Obsidian social-engineering campaign targeting finance and crypto users

Campaign
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

The REF6598 operation is using LinkedIn, Telegram, and Obsidian to deliver PHANTOMPULSE, creating a targeted intrusion path into financial and cryptocurrency users across Windows and macOS. Targets are approached as if by a venture capital firm, then moved into a Telegram group that adds false legitimacy and steers them toward a shared cloud vault. Once victims enable Installed community plugins, the malicious vault configuration can execute code through Shell Commands and hide interface elements with Hider. The campaign matters because it turns a trusted note-taking app into an access channel for malware delivery and remote control without relying on a traditional software exploit.

Related Happenings

Trojanized Pyrogram forks with hidden Telegram backdoor

Malware Activity
H score14 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: Trojanized **Pyrogram** forks on **PyPI** now ship a hidden backdoor that gives attackers remote command execution and file access on compromised **Telegram bot servers**. The mal...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

UNC1069 open-source maintainer social-engineering campaign

Campaign
H score38 First: 04.04.2026 23:30 Last: 04.04.2026 23:30 Sources 1

About this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...

Latest development: 06.04.2026 23:55

Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

Storm infostealer server-side decryption activity

Malware Activity
H score18 First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Timeline

  1. 16.04.2026 14:02 2 articles · 2mo ago

    REF6598 Obsidian social engineering campaign disclosed

    Initial Disclosure

    Elastic Security Labs disclosed REF6598, a social engineering campaign targeting individuals in the financial and cryptocurrency sectors through LinkedIn and Telegram. The operation steers victims to a cloud-hosted Obsidian vault, where enabling Installed community plugins lets malicious configuration trigger the Shell Commands and Hider plugins; on Windows it drops PHANTOMPULL and loads PHANTOMPULSE in memory, while on macOS it uses an obfuscated AppleScript dropper with Telegram-based fallback C2 resolution. The intrusion was detected and blocked before the operators achieved their goals.

    Show sources