PHANTOMPULL
PHANTOMPULL is a custom Windows in-memory loader used in the REF6598 intrusion chain to deliver the PHANTOMPULSE remote access trojan. Elastic Security Labs reported that REF6598 targeted individuals in the financial and cryptocurrency sectors through social engineering on LinkedIn and Telegram, abusing Obsidian community plugins rather than a software vulnerability. On Windows, malicious Obsidian Shell Commands plugin activity invoked PowerShell to retrieve a staging script, which then downloaded a 64-bit executable commonly named syncobs.exe and identified by researchers as PHANTOMPULL.
PHANTOMPULL decrypts an AES-256-CBC-encrypted payload embedded in its own resources and launches it entirely in memory using reflective loading, without writing the final stage to disk. Reported implementation details include runtime API resolution using djb2 hashing, timer queue callback execution with a short delay, and anti-analysis features such as dead code blocks and a fake integrity-check routine. One report states that PHANTOMPULL used a hardcoded AES-256-CBC key of 6a85736b64761a8b2aaeadc1c0087e1897d16cc5a9d49c6a6ea1164233bad206 and IV A6FA4ADFC20E8E6B77E2DD631DC8FF18. The loader has been described as an in-memory PE loader and as the intermediate stage between the Obsidian-delivered PowerShell activity and the PHANTOMPULSE implant.
The malware is associated in reporting with the REF6598 activity cluster, which Elastic assessed as aligned with DPRK-linked cryptocurrency-focused tradecraft, including overlap with Lazarus, BlueNoroff, UNC5342/Contagious Interview, and APT38. High-confidence infrastructure and indicators mentioned in the reporting include staging server 195.3.222[.]251, the fallback/panel domain panel.fefea22134[.]net, and hashes attributed to the loader including 36bbb97b36f1d9748fdd7448deaa93b9b97d98b3fb44d87a3c848dad5ba91b34 and 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980 for syncobs.exe. Its primary role is delivery: decrypting and loading PHANTOMPULSE in memory on compromised Windows systems.
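Hunting logic for the delivery chain summarized above, written here as an added example from a detection standpoint; it is not code from Elastic Security Labs, Mallory, or the REF6598 reporting. It assumes Sysmon-style telemetry normalized into dicts with the fields `type`, `pid`, `parent_image`, `image`, `command_line`, `target_filename`, `dest_ip`, `dest_host` and `sha256` (field names are assumptions), and the indicator values are the staging IP, panel domain and loader hashes quoted in the reporting above. The sample events are constructed to illustrate the chain: Obsidian spawning PowerShell that Base64-decodes and `Invoke-Expression`s a string, that PowerShell writing syncobs.exe, the loader executing with a known hash, and an outbound connection to the staging server.

```python
"""Hunting rules for the PHANTOMPULL delivery chain (added example, not vendor code).
Event field names mimic Sysmon-style process/file/network telemetry and are assumptions.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Indicators quoted in the reporting above (defanging brackets removed so they match raw telemetry).
STAGING_IP = "195.3.222.251"
PANEL_DOMAIN = "panel.fefea22134.net"
LOADER_SHA256 = {
    "36bbb97b36f1d9748fdd7448deaa93b9b97d98b3fb44d87a3c848dad5ba91b34",
    "70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980",
}
LOADER_NAME = "syncobs.exe"

# PowerShell constructs attributed to the Obsidian plugin: Invoke-Expression (or the IEX alias)
# combined with Base64 decoding, either inline or via an encoded command.
IEX_RE = re.compile(r"\b(invoke-expression|iex)\b", re.I)
B64_RE = re.compile(r"frombase64string|-enc(odedcommand)?\b", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")

Event = Dict[str, object]
Rule = Callable[[Event], Optional[str]]


def rule_obsidian_spawns_powershell(ev: Event) -> Optional[str]:
    """Obsidian.exe launching PowerShell that decodes Base64 and IEXes the result."""
    if ev.get("type") != "process_create":
        return None
    parent = str(ev.get("parent_image", "")).lower()
    image = str(ev.get("image", "")).lower()
    cmd = str(ev.get("command_line", ""))
    if parent.endswith("obsidian.exe") and image.endswith(POWERSHELL):
        if IEX_RE.search(cmd) and B64_RE.search(cmd):
            return "obsidian_plugin_powershell_iex_base64"
    return None


def rule_powershell_writes_loader(ev: Event) -> Optional[str]:
    """PowerShell writing the loader under its commonly reported file name."""
    if ev.get("type") != "file_create":
        return None
    image = str(ev.get("image", "")).lower()
    target = str(ev.get("target_filename", "")).lower()
    if image.endswith(POWERSHELL) and target.endswith(LOADER_NAME):
        return "powershell_writes_syncobs_exe"
    return None


def rule_known_loader_hash(ev: Event) -> Optional[str]:
    """Execution of a binary whose SHA-256 is attributed to PHANTOMPULL."""
    if ev.get("type") == "process_create" and str(ev.get("sha256", "")).lower() in LOADER_SHA256:
        return "known_phantompull_hash"
    return None


def rule_ref6598_infrastructure(ev: Event) -> Optional[str]:
    """Outbound contact with the reported staging server or panel domain."""
    if ev.get("type") != "network_connect":
        return None
    if ev.get("dest_ip") == STAGING_IP or str(ev.get("dest_host", "")).lower() == PANEL_DOMAIN:
        return "ref6598_staging_or_panel_contact"
    return None


RULES: List[Rule] = [
    rule_obsidian_spawns_powershell,
    rule_powershell_writes_loader,
    rule_known_loader_hash,
    rule_ref6598_infrastructure,
]


def hunt(events: Iterable[Event]) -> List[Tuple[str, int]]:
    """Run every rule over every event; return (rule_name, pid) pairs in event order."""
    hits: List[Tuple[str, int]] = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, int(ev["pid"])))
    return hits


# Constructed sample telemetry (paths, pids and the Base64 blob are made up for the example).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "pid": 4120,
     "parent_image": r"C:\Users\u\AppData\Local\Obsidian\Obsidian.exe", "image": PS_PATH,
     "command_line": 'powershell.exe -NoP -W Hidden -c "IEX([Text.Encoding]::UTF8.GetString('
                     '[Convert]::FromBase64String(\'SGVsbG8=\')))"',
     "sha256": "0" * 64},
    {"type": "file_create", "pid": 4120, "image": PS_PATH,
     "target_filename": r"C:\Users\u\AppData\Local\Temp\syncobs.exe"},
    {"type": "process_create", "pid": 5208, "parent_image": PS_PATH,
     "image": r"C:\Users\u\AppData\Local\Temp\syncobs.exe", "command_line": "syncobs.exe",
     "sha256": "36bbb97b36f1d9748fdd7448deaa93b9b97d98b3fb44d87a3c848dad5ba91b34"},
    {"type": "network_connect", "pid": 5208, "dest_ip": STAGING_IP, "dest_port": 443, "dest_host": ""},
    # Benign control: an analyst running PowerShell from Explorer should not fire anything.
    {"type": "process_create", "pid": 6000, "parent_image": r"C:\Windows\explorer.exe",
     "image": PS_PATH, "command_line": "powershell.exe Get-Process", "sha256": "1" * 64},
]

if __name__ == "__main__":
    for name, pid in hunt(SAMPLE_EVENTS):
        print(f"{name}\tpid={pid}")
```

The hash and infrastructure rules are the brittle ones (any rebuild or new server defeats them); the parent/child and file-write rules key on the behaviour the reporting describes and are the ones worth keeping after the listed indicators age out.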
Groups observed using it
1 distinct threat actor attributed by public researchers.
On Windows, the commands are used to invoke a PowerShell script to drop an intermediate loader codenamed PHANTOMPULL that decrypts and launches PHANTOMPULSE in memory.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The campaign, which we track as REF6598, targets individuals in the financial and cryptocurrency sectors through elaborate social engineering on LinkedIn and Telegram.
Execution
3 techniques
On Windows, the commands are used to invoke a PowerShell script to drop an intermediate loader codenamed PHANTOMPULL that decrypts and launches PHANTOMPULSE in memory.
As soon as the vault is opened in the note-taking application, the target is asked to enable "Installed community plugins" sync, effectively causing malicious code to be executed.
The target is provided credentials to connect to a cloud-hosted vault controlled by the attacker. This vault is the initial access vector... Once opened in Obsidian, the target is instructed to enable community plugins sync.
Privilege Escalation
1 technique
Stealth
8 techniques
On Windows, the plugin fires two Invoke-Expression calls with Base64-encoded strings... On macOS, the attack uses an obfuscated AppleScript dropper... Additionally, the loader includes dead code blocks and a fake integrity check function that serve no operational purpose beyond wasting an analyst's time during reverse engineering.
This loader includes runtime API resolution... PHANTOMPULSE uses WinHTTP for C2 communication, dynamically loading winhttp.dll and resolving all required functions at runtime.
According to the Elastic Security Labs report, the implant carries three separate process injection techniques... PHANTOMPULSE ships with three distinct injection methods, each designed for a different payload type.
On Windows, an intermediate loader decrypts and reflectively loads payloads entirely in memory using AES-256-CBC... The C2 and URL are both decrypted using a simple string decryption function using a 16-byte rotating key.
PHANTOMPULL also employs a timer queue callback with a 50-millisecond delay to hand off execution, a tactic used to slip past sandbox environments.
Rather than calling the payload directly (which is easily detected by sandboxes), the loader uses a timer queue callback. The 50ms delay and separate-thread execution can evade various security/sandbox tooling.
The malware never writes its final stage to disk, making it far harder to detect through conventional file-based scanning.
PHANTOMPULL... decrypts and launches PHANTOMPULSE in memory.
Discovery
2 techniques
Command and Control
2 techniques
The loader uses the WinHTTP library to connect to the C2 on port 443... The C2 infrastructure is built around five API endpoints.
Once a foothold is established, an in-memory loader called PHANTOMPULL drops the PHANTOMPULSE implant onto the compromised system.
Other
1 technique
A "novel" social engineering campaign has been observed abusing Obsidian... leveraging elaborate social engineering tactics through LinkedIn and Telegram... approaching prospective individuals under the guise of a venture capital firm and then moving the conversation to a Telegram group...
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
In-memory loader used in the REF6598 attack chain to deploy the PHANTOMPULSE implant onto compromised systems.
An in-memory PE loader used earlier in the intrusion chain to deliver the final-stage PHANTOMPULSE RAT.
An intermediate loader dropped via PowerShell on Windows that decrypts and launches PHANTOMPULSE in memory.
A loader that downloads as syncobs.exe, decrypts an AES-256-CBC encrypted payload from its resources, and reflectively loads the final stage entirely in memory. It also uses timer queue callback delays, dead code, and fake integrity checks as anti-analysis measures.