Threat Intelligence
Apr 13, 2026
Threat actors impersonate a VC firm on LinkedIn and Telegram to deliver malware through a weaponized Obsidian vault.
Summary
Threat actors posing as a venture capital firm on LinkedIn and Telegram are luring targets into opening a weaponized Obsidian vault that executes malicious payloads. The attack exploits Obsidian's Shell Commands plugin to run code when the vault is opened, requiring no underlying vulnerability. The campaign, tracked as PHANTOMPULSE, combines social engineering with legitimate application functionality to compromise targets.
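A pre-open check for the technique described above, added here as an example (not code from the original report or from Obsidian): it reads a received vault's `.obsidian` folder on disk and lists the community plugins bundled with it, flagging an enabled Shell Commands plugin that arrives with pre-filled settings. The plugin id `obsidian-shellcommands`, the `review_first` flag and the sample vault contents are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption: the Shell Commands plugin's id; confirm against a known-good manifest.json.
SHELL_COMMANDS_ID = "obsidian-shellcommands"

def _load(path):
    """Parse a JSON file; return None if it is missing or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None

def _strings(node):
    """Yield every non-empty string in a nested JSON value (schema-agnostic)."""
    if isinstance(node, str) and node.strip():
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def audit_vault(vault):
    """Report plugins bundled in a vault by reading files only, never opening it."""
    cfg = Path(vault) / ".obsidian"
    enabled = _load(cfg / "community-plugins.json")
    enabled = enabled if isinstance(enabled, list) else []
    plugins = cfg / "plugins"
    dirs = sorted(p for p in plugins.iterdir() if p.is_dir()) if plugins.is_dir() else []
    findings = []
    for pdir in dirs:
        manifest = _load(pdir / "manifest.json")
        pid = manifest.get("id", pdir.name) if isinstance(manifest, dict) else pdir.name
        preset = sorted(set(_strings(_load(pdir / "data.json"))))
        findings.append({"plugin": pid, "enabled": pid in enabled, "preset_strings": preset,
                         "review_first": pid == SHELL_COMMANDS_ID and pid in enabled and bool(preset)})
    return findings

def build_sample_vault(root):
    """Constructed sample vault; data.json keys are placeholders, not the plugin's schema."""
    pdir = Path(root) / ".obsidian" / "plugins" / SHELL_COMMANDS_ID
    pdir.mkdir(parents=True)
    (pdir.parent.parent / "community-plugins.json").write_text(json.dumps([SHELL_COMMANDS_ID]))
    (pdir / "manifest.json").write_text(json.dumps({"id": SHELL_COMMANDS_ID}))
    (pdir / "data.json").write_text(json.dumps({"commands": [{"run": "echo constructed-sample"}]}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_vault(build_sample_vault(tmp)))
```

Run it against a vault received from an untrusted contact before opening that folder in Obsidian, and read through `preset_strings` for any plugin marked `review_first`.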
Indicators of Compromise
- malware — PHANTOMPULSE
Entities
- PHANTOMPULSE (campaign)
- Obsidian (product)
- Shell Commands plugin (technology)