If you use Obsidian to take business notes, manage client information, or organize your work - you need to read this before the end of the day.
Security researchers at NetSecOps published a detailed report this weekend describing an active attack campaign called REF6598. The goal: trick Obsidian users into installing a remote access trojan - a piece of malware that hands an attacker full control of your computer.
The malware is named PHANTOMPULSE, and it is not your typical phishing email. It is patient, sophisticated, and specifically engineered to look completely legitimate right up until it isn't.
How It Works
The attack starts on LinkedIn or Telegram. Someone - posing as a venture capitalist, potential client, or collaborator - builds a relationship with the target over days or weeks. Eventually, they invite the target to collaborate on a shared Obsidian vault.
Obsidian vaults are like shared folders for notes. Collaborating on them is a legitimate, normal thing that Obsidian users do. That's the point.
Once you open the shared vault, you see what looks like a normal workspace. The attacker's final move: they ask you to enable "community plugins" to get the collaboration working.
Here's where it turns. Hidden inside the vault are malicious versions of two legitimate Obsidian plugins - Shell Commands and Hider. When you click that "enable plugins" button, you're not enabling helpful features. You're executing code that downloads and installs PHANTOMPULSE directly into your computer's memory.
From that point on, the attacker can:
- Log every keystroke you type (passwords, client data, messages)
- Take screenshots of your screen at any time
- Copy files from your computer
- Run any command they want on your machine
On Windows, it uses PowerShell. On Mac, it uses AppleScript. It works on both.
The Part That Makes It Hard to Stop
Most malware relies on a central server for instructions. Security teams and law enforcement can take that server down, and the malware goes silent.
PHANTOMPULSE uses the Ethereum blockchain instead. The attacker embeds the location of their command server inside a cryptocurrency transaction. To find out where to phone home, the malware just checks the blockchain - which no one can shut down or block.
That's a level of engineering sophistication you used to only see from nation-state hackers. Now it's showing up in campaigns targeting small businesses in finance and crypto.
Who Should Be Worried
The current campaign is focused on people in finance and cryptocurrency sectors. But there's nothing stopping this technique from being adapted for other industries.
If you are a small business owner who:
- Uses Obsidian for any work purposes
- Has employees who use Obsidian
- Has ever accepted a collaboration invite from someone you met online
...you should take five minutes right now to run through the checklist below.
What to Do Right Now
If you haven't opened any suspicious shared vault: Good. Going forward, only accept shared vault invitations from people you know and trust in real life. Treat a request to enable community plugins from a shared vault the same way you'd treat someone asking for your password.
Check which plugins are enabled: Open Obsidian, go to Settings, then Community Plugins. If you see plugins you don't recognize - especially "Shell Commands" or "Hider" - disable them immediately and do not delete them yet. Screenshot them first and contact a security professional.
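A scriptable version of that check, added here as an example rather than code from NetSecOps or from Obsidian: it reads a vault's `.obsidian/community-plugins.json` and each plugin's `manifest.json` (the standard vault layout, which the example assumes), flags anything not on your allowlist or matching the assumed IDs of the two plugins named in the report, and scans each plugin's `main.js` for process-spawning calls. The allowlist and the sample vault it builds are constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Plugin IDs this business has approved (constructed allowlist for the demo).
ALLOWLIST = {"dataview", "obsidian-git"}
# Assumed IDs of the two plugins named in the report; verify against your vault.
HIGH_RISK_IDS = {"obsidian-shellcommands", "obsidian-hider"}
# JavaScript APIs that let a plugin spawn processes or evaluate code.
EXEC_PATTERNS = re.compile(r"child_process|\bexec(?:Sync|File)?\(|\bspawn\(|\beval\(")

def audit_vault(vault: Path) -> list:
    """Return one finding per enabled plugin, listing why it deserves a look."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.exists() else []
    findings = []
    for pid in enabled:
        plugin_dir = cfg / "plugins" / pid
        manifest_path = plugin_dir / "manifest.json"
        manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
        reasons = []
        if not manifest:
            reasons.append("enabled but has no manifest.json")
        elif manifest.get("id") != pid:
            reasons.append("manifest id does not match its folder name")
        if pid in HIGH_RISK_IDS:
            reasons.append("known high-risk plugin (runs shell commands / hides UI)")
        if pid not in ALLOWLIST:
            reasons.append("not on the approved list")
        main_js = plugin_dir / "main.js"
        if main_js.exists() and EXEC_PATTERNS.search(main_js.read_text(errors="ignore")):
            reasons.append("main.js references process-spawning or eval APIs")
        findings.append({"id": pid, "name": manifest.get("name", "?"), "flags": reasons})
    return findings

def build_sample_vault() -> Path:
    """Constructed throwaway vault: one clean plugin and one that shells out."""
    vault = Path(tempfile.mkdtemp())
    samples = {"dataview": ("Dataview", "module.exports = class { onload() { this.addCommand({}); } };"),
               "obsidian-shellcommands": ("Shell commands", 'const {exec} = require("child_process"); exec(cmd);')}
    for pid, (name, js) in samples.items():
        d = vault / ".obsidian" / "plugins" / pid
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "name": name, "version": "0.0.1"}))
        (d / "main.js").write_text(js)
    (vault / ".obsidian" / "community-plugins.json").write_text(json.dumps(list(samples)))
    return vault
```

Point `audit_vault` at the root folder of a real vault to list its enabled plugins and the reasons each was flagged; an empty `flags` list means the plugin passed every check.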
If you did open a suspicious vault and enable plugins: Assume the device is compromised. Change all passwords from a different device. Contact your IT person or a cybersecurity professional. Do not use that machine for any business accounts until it has been fully cleaned.
For business owners with teams: Send a brief note to anyone on your team who uses Obsidian. Warn them not to accept shared vault invitations from unknown contacts, and not to enable plugins from shared vaults regardless of who is asking.
The Bigger Lesson
This attack works because it exploits trust at every step. The fake VC is helpful. The shared vault looks professional. The plugin prompt seems technical and routine.
Social engineering attacks don't beat your software. They beat your judgment - by making a bad action look indistinguishable from a good one.
The rule that saves you here is not a technical setting. It's a habit: never enable plugins, extensions, or add-ons at someone else's request, in a workspace you didn't create, from someone you haven't met in person.
That rule applies to Obsidian. It also applies to Chrome extensions, Slack apps, GitHub actions, and everything else that asks for permissions inside tools you already trust.
Danny Kowalski covers tools, technology, and digital security for small business owners at The Useful Daily. Source: NetSecOps REF6598 Research Report (May 10, 2026).