Date: 04/15/2026
Severity: High
Summary
A targeted social engineering campaign tracked as REF6598 abuses the Obsidian note-taking app to gain initial access, targeting individuals in the financial and cryptocurrency sectors via LinkedIn and Telegram. Victims are tricked into opening a shared vault with malicious plugins that silently execute code, leading to a multi-stage, fileless attack chain. The infection deploys PHANTOMPULSE, an AI-assisted RAT with advanced capabilities such as in-memory execution, process injection, and blockchain-based C2 communication, demonstrating a sophisticated cross-platform attack leveraging trusted tools and social engineering.
Indicators of Compromise (IOC) List

| Type | Indicator |
| --- | --- |
| Domains/URLs | panel.fefea22134.net |
| Domains/URLs | 0x666.info |
| Domains/URLs | t.me/ax03bot |
| Domains/URLs | thoroughly-publisher-troy-clara.trycloudflare.com |
| IP Address | 195.3.222.251 |
| Hash (SHA-256) | 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980 |
| Hash (SHA-256) | 33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f |
| Crypto Wallet | 0xc117688c530b660e15085bF3A2B664117d8672aA |
| Crypto Wallet | 0x38796B8479fDAE0A72e5E7e326c87a637D0Cbc0E |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

| Query | Logic |
| --- | --- |
| Detection Query 1 | domainname like "panel.fefea22134.net" or url like "panel.fefea22134.net" or siteurl like "panel.fefea22134.net" or domainname like "thoroughly-publisher-troy-clara.trycloudflare.com" or url like "thoroughly-publisher-troy-clara.trycloudflare.com" or siteurl like "thoroughly-publisher-troy-clara.trycloudflare.com" or domainname like "0x666.info" or url like "0x666.info" or siteurl like "0x666.info" or domainname like "t.me/ax03bot" or siteurl like "t.me/ax03bot" or url like "t.me/ax03bot" |
| Detection Query 2 | dstipaddress IN ("195.3.222.251") or srcipaddress IN ("195.3.222.251") |
| Detection Query 3 | sha256hash IN ("70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980","33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f") |
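The three TDIR queries above can be checked offline before they are deployed. The following Python script is an added example, not part of the original advisory or of Gurucul's product: it encodes the same indicators and field names (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash) and runs each query over a handful of constructed log records. It assumes that `like` in Query 1 behaves as a case-insensitive substring test, which is why the URL indicator t.me/ax03bot only fires on a full URL field and not on a bare domain of t.me; the sample records are constructed for this example and are not real telemetry.

```python
from typing import Any, Dict, List, Tuple

# Indicators copied from the advisory's IOC table.
IOC_DOMAINS: Tuple[str, ...] = (
    "panel.fefea22134.net",
    "thoroughly-publisher-troy-clara.trycloudflare.com",
    "0x666.info",
    "t.me/ax03bot",
)
IOC_IPS = frozenset({"195.3.222.251"})
IOC_SHA256 = frozenset({
    "70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980",
    "33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f",
})

# Field names taken from the three detection queries on the page.
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELD = "sha256hash"

Record = Dict[str, Any]


def query1_domains(record: Record) -> List[Tuple[str, str]]:
    """Detection Query 1. 'like' is treated as a case-insensitive substring
    test on domainname/url/siteurl (an assumption about the query language).
    Returns the (field, indicator) pairs that matched."""
    hits = []
    for field in DOMAIN_FIELDS:
        value = str(record.get(field, "")).lower()
        for ioc in IOC_DOMAINS:
            if ioc in value:
                hits.append((field, ioc))
    return hits


def query2_ips(record: Record) -> List[Tuple[str, str]]:
    """Detection Query 2: exact match of source or destination IP."""
    return [(f, str(record[f]).strip()) for f in IP_FIELDS
            if f in record and str(record[f]).strip() in IOC_IPS]


def query3_hashes(record: Record) -> List[Tuple[str, str]]:
    """Detection Query 3: exact SHA-256 match, normalised to lowercase so a
    sensor that reports uppercase hex still matches."""
    value = str(record.get(HASH_FIELD, "")).strip().lower()
    return [(HASH_FIELD, value)] if value in IOC_SHA256 else []


QUERIES = (
    ("Detection Query 1", query1_domains),
    ("Detection Query 2", query2_ips),
    ("Detection Query 3", query3_hashes),
)


def evaluate(record: Record) -> List[str]:
    """Names of the advisory queries that fire on one normalised log record."""
    return [name for name, fn in QUERIES if fn(record)]


# Constructed sample records (not real telemetry), one per log source type.
SAMPLE_RECORDS: List[Record] = [
    {"source": "proxy", "url": "https://panel.fefea22134.net/api/beacon",
     "domainname": "panel.fefea22134.net"},
    {"source": "firewall", "srcipaddress": "10.0.0.12",
     "dstipaddress": "195.3.222.251"},
    {"source": "edr", "sha256hash":
     "33DACF9F854F636216E5062CA252DF8E5BED652EFD78B86512F5B868B11EE70F"},
    {"source": "proxy", "url": "https://docs.example.com/",
     "domainname": "docs.example.com"},
    {"source": "proxy", "url": "https://t.me/ax03bot", "domainname": "t.me"},
]


def run(records: List[Record] = SAMPLE_RECORDS) -> Dict[int, List[str]]:
    """Map record index -> queries that fired; clean records are omitted."""
    results: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        fired = evaluate(rec)
        if fired:
            results[i] = fired
    return results


if __name__ == "__main__":
    for idx, fired in run().items():
        print(f"record {idx} ({SAMPLE_RECORDS[idx]['source']}): {', '.join(fired)}")
```

Running the script reports hits on records 0, 1, 2 and 4 and none on the benign proxy record. Two points carry over to the real deployment: hash comparison should be case-insensitive, and the substring semantics of `like` mean Query 1 can also match unrelated names that merely contain an indicator, so confirmed hits should be validated against the full URL and the source host before escalation.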
Reference:
https://www.elastic.co/security-labs/phantom-in-the-vault#stage-1-1