Obsidian Malware Targets Crypto Users With Plugin Exploit

A new malware campaign targeting crypto users has deployed a remote access trojan controlled via blockchain infrastructure, highlighting a shift in attacker tactics. The method combines social engineering with a decentralized command-and-control channel, which complicates both detection and response.

Elastic Security Labs reported Tuesday that attackers initiate contact through LinkedIn, posing as venture capital professionals. Victims are then moved to Telegram, where conversations evolve into discussions about crypto liquidity solutions. Targets are eventually invited to access a shared Obsidian vault, where enabling community plugins triggers the infection.

Can Blockchain-Based Malware Evade Traditional Defenses?

The attack installs a previously undocumented trojan tracked as PHANTOMPULSE, which grants the operators full remote control over infected devices. Unlike conventional malware that hardcodes a fixed set of servers or domains, it reads transactions on multiple public blockchains to locate its command-and-control endpoints, so a takedown of any single server does not sever control. Because the lookups are ordinary requests for public chain data, they blend into legitimate network traffic, and the operators can keep persistent access even when parts of their infrastructure are disrupted.

Wallet compromises remain a major loss vector across the industry. Chainalysis estimates that $713 million was lost to wallet compromises in 2025, underscoring the financial impact of endpoint security failures. Compared to earlier phishing campaigns, this one adds a more durable control layer by embedding its command channel directly in public blockchain data.

“Because blockchain transactions are immutable and publicly accessible, the malware can always locate its C2 without relying on centralized infrastructure,” Elastic said in its report.

The firm added that using multiple blockchains increases resilience, allowing operators to rotate infrastructure without breaking connectivity to infected systems.

The campaign also abuses legitimate software behavior rather than a software flaw: the malicious plugin code travels with the shared vault through Obsidian’s plugin synchronization feature, so enabling community plugins runs attacker-supplied code without any separate download that traditional security controls would inspect. This approach avoids exploit kits altogether and instead targets user trust in productivity tools commonly used by developers and crypto professionals.

Security firms are now recommending stricter application-level controls, particularly around third-party plugins in enterprise environments. The open question is whether endpoint protection vendors adapt their detection models to blockchain-based command channels that sit inside otherwise legitimate network activity.
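One concrete application-level check a practitioner could run before enabling community plugins in a vault received from someone else, added here as an example and not code from Elastic’s report or from Obsidian: audit the vault’s plugin state against an allowlist of reviewed plugins. It relies on Obsidian’s on-disk layout, where the enabled community plugin ids are listed in `.obsidian/community-plugins.json` and each plugin’s code lives in `.obsidian/plugins/<id>/main.js` beside a `manifest.json`. The sample vault, plugin ids and allowlist below are constructed for the demonstration. The allowlist is keyed on the plugin id but checked against a hash of `main.js`, because a shared vault can carry tampered code under a well-known plugin id.

```python
"""Audit an Obsidian vault for community plugins before enabling them.

Added example (not Elastic's or Obsidian's code). Assumes Obsidian's layout:
  .obsidian/community-plugins.json  JSON array of enabled plugin ids
  .obsidian/plugins/<id>/main.js     the plugin code Obsidian loads
The sample vault written by build_sample_vault() is constructed test data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ENABLED_FILE = Path(".obsidian") / "community-plugins.json"
PLUGINS_DIR = Path(".obsidian") / "plugins"


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_vault(vault: Path, allowlist: dict[str, str]) -> list[tuple[str, str]]:
    """Return (finding, plugin_id) pairs.

    allowlist maps a plugin id to the sha256 of the main.js that was reviewed.
    An id alone is not enough: whoever shared the vault controls main.js, and
    enabling community plugins runs whatever is there.
    """
    enabled_path = vault / ENABLED_FILE
    enabled = set(json.loads(enabled_path.read_text())) if enabled_path.is_file() else set()
    plugins_dir = vault / PLUGINS_DIR
    on_disk = {p.name for p in plugins_dir.iterdir() if p.is_dir()} if plugins_dir.is_dir() else set()

    findings: list[tuple[str, str]] = []
    for pid in sorted(enabled):
        main_js = plugins_dir / pid / "main.js"
        if pid not in allowlist:
            findings.append(("enabled-not-allowlisted", pid))
        elif not main_js.is_file():
            findings.append(("enabled-but-missing", pid))
        elif sha256_file(main_js) != allowlist[pid]:
            findings.append(("hash-mismatch", pid))
    # Plugin code shipped in the vault but not yet enabled is still one toggle
    # away from running, so report it as well.
    for pid in sorted(on_disk - enabled):
        findings.append(("staged-but-disabled", pid))
    return findings


def build_sample_vault(root: Path) -> dict[str, str]:
    """Write a constructed vault (sample data, not from any real campaign) and
    return an allowlist containing only the plugin that was 'reviewed'."""
    plugins = {
        "reviewed-plugin": b"module.exports = { onload() {} };\n",
        "unknown-plugin": b"/* constructed: code nobody on the team has reviewed */\n",
        "staged-plugin": b"/* constructed: present on disk, not enabled */\n",
    }
    for pid, body in plugins.items():
        d = root / PLUGINS_DIR / pid
        d.mkdir(parents=True)
        (d / "main.js").write_bytes(body)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "version": "1.0.0"}))
    (root / ENABLED_FILE).write_text(json.dumps(["reviewed-plugin", "unknown-plugin"]))
    return {"reviewed-plugin": hashlib.sha256(plugins["reviewed-plugin"]).hexdigest()}


def demo() -> list[tuple[str, str]]:
    """Audit the constructed vault as shared."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp)
        return audit_vault(vault, build_sample_vault(vault))


def demo_tampered() -> list[tuple[str, str]]:
    """Same vault, but the reviewed plugin's main.js was altered after review."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp)
        allowlist = build_sample_vault(vault)
        (vault / PLUGINS_DIR / "reviewed-plugin" / "main.js").write_bytes(b"/* altered */\n")
        return audit_vault(vault, allowlist)


if __name__ == "__main__":
    for finding, pid in demo():
        print(f"{finding}: {pid}")
```

Run against a real vault by pointing `audit_vault` at the vault root with an allowlist built from hashes of plugin releases you have inspected; any `hash-mismatch` or `enabled-not-allowlisted` finding means the vault should not have community plugins enabled until someone reads the flagged `main.js`.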
