The Workflow That Executes Itself

  • Javier Conejo del Cerro
  • 21 Apr
  • 2 min read

Modern attacks don’t always break systems — they guide users through them. In REF6598, attackers designed a full workflow where every step feels legitimate: a message, a collaboration, a shared vault. But behind it, each action is scripted to end in execution.


Phase 1: The Setup


The operation starts with targeted outreach on LinkedIn, impersonating a venture capital firm. Victims are selected for their role in finance or cryptocurrency. The interaction moves to Telegram, where a staged group chat builds credibility through realistic discussions on liquidity and financial operations.

The goal is simple: build trust before execution.


Phase 2: The Workflow


Victims are invited to access a shared dashboard via Obsidian. They connect to a cloud-hosted vault using provided credentials. The environment looks legitimate, aligned with the previous conversation.

But the vault is engineered, not shared.


Phase 3: The Switch


To “complete” the setup, the victim is asked to enable community plugin synchronization. This feature is disabled by default and requires manual action — making the user the final trigger.

Once enabled, embedded JSON configurations activate:

  • Shell Commands → executes attacker-defined commands

  • Hider → removes UI indicators

Execution begins without raising suspicion.
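One defensive check that follows from this phase is to audit a vault before enabling community plugins: list which plugins the vault's config enables and surface any command strings stored in their settings. The script below is an added example, not code from the original post. It assumes Obsidian's real layout (`.obsidian/community-plugins.json` as a list of enabled plugin IDs, per-plugin settings in `.obsidian/plugins/<id>/data.json`); the plugin IDs `obsidian-shellcommands` and `obsidian-hider` and the sample `data.json` layout are assumptions, and the sample vault is constructed with a placeholder command.

```python
import json
import tempfile
from pathlib import Path

# Plugin IDs treated as high-risk when pre-enabled in a vault you did not build.
# IDs are assumed (verify against the plugin's manifest.json locally).
HIGH_RISK_PLUGINS = {
    "obsidian-shellcommands": "can execute attacker-defined shell commands",
    "obsidian-hider": "can remove UI indicators",
}
# Substrings that mark a stored string as a likely launcher for a payload.
SUSPICIOUS_TOKENS = ("powershell", "osascript", "curl", "http", "hidden")


def _strings_in(data):
    """Recursively collect every string value from a parsed data.json (layout-agnostic)."""
    if isinstance(data, str):
        return [data]
    if isinstance(data, dict):
        return [s for v in data.values() for s in _strings_in(v)]
    if isinstance(data, list):
        return [s for v in data for s in _strings_in(v)]
    return []


def audit_vault(vault: str) -> dict:
    """Return {plugin_id: {reason, flagged}} for enabled high-risk community plugins."""
    cfg = Path(vault) / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.exists() else []
    findings = {}
    for pid in enabled:
        if pid not in HIGH_RISK_PLUGINS:
            continue
        data_file = cfg / "plugins" / pid / "data.json"
        strings = _strings_in(json.loads(data_file.read_text())) if data_file.exists() else []
        flagged = [s for s in strings if any(t in s.lower() for t in SUSPICIOUS_TOKENS)]
        findings[pid] = {"reason": HIGH_RISK_PLUGINS[pid], "flagged": flagged}
    return findings


def build_sample_vault() -> str:
    """Constructed vault: both plugins pre-enabled, one stored command (placeholder only)."""
    root = tempfile.mkdtemp()
    plug = Path(root) / ".obsidian" / "plugins" / "obsidian-shellcommands"
    plug.mkdir(parents=True)
    (Path(root) / ".obsidian" / "community-plugins.json").write_text(
        json.dumps(["obsidian-shellcommands", "obsidian-hider"]))
    (plug / "data.json").write_text(json.dumps({"shell_commands": [
        {"id": "c1", "platform_specific_commands": {"default": "powershell -w hidden -c PLACEHOLDER"}}]}))
    return root
```

Run `audit_vault` against a vault path before turning on plugin sync; a non-empty result for a vault you received from a third party is the signal to stop and inspect.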


Phase 4: The Execution Chain


Platform-specific chains activate:

  • Windows: PowerShell launches PHANTOMPULL → decrypts and executes PHANTOMPULSE in memory

  • macOS: Obfuscated AppleScript iterates domains, uses Telegram as fallback, downloads and executes payload via osascript

No files need to look malicious. The chain runs through trusted processes.


Phase 5: Command & Control


PHANTOMPULSE introduces a modern C2 model:

  • Uses Ethereum blockchain transactions to resolve server addresses

  • Communicates via WinHTTP

  • Supports commands for injection, file execution, screenshots, keylogging, privilege escalation

This dynamic resolution makes blocking infrastructure significantly harder.


Phase 6: Full Control


Once active, the RAT enables:

  • System telemetry collection

  • Credential and keystroke capture

  • File exfiltration

  • Remote command execution


All within a low-noise environment, blending into legitimate activity.

REF6598 is not about exploiting software — it’s about exploiting behavior. By embedding execution into a trusted workflow, attackers bypass traditional defenses entirely.


PHANTOMPULSE shows how modern campaigns rely on:


  • Social engineering over exploitation

  • Legitimate tools over malware delivery chains

  • User interaction as the final execution step


Security must adapt accordingly. Protecting endpoints is no longer enough — organizations must secure workflows, validate trust boundaries, and monitor how legitimate tools are used.

Because in this model, the system isn’t compromised.

The process is.


The Hacker News