Obsidian plugin was abused to deploy a remote access trojan