Converting PDFs Can Cost You Dearly: Fake PDF Converters Deploy Malware, Steal User Data, Crypto Wallets


Cybercriminals have crafted deceptive websites that mimic the pdfcandy.com service, a PDF toolkit that attracts approximately 2.8 million monthly visits.

A sophisticated malware campaign using fake PDF-to-DOCX conversion tools is infecting unsuspecting users with a powerful information stealer. The malware is capable of stealing sensitive data, including browser credentials, cryptocurrency wallets, and other personal information, a report by cybersecurity company CloudSek shows. This comes just weeks after the FBI's Denver office issued a public alert warning of malicious online file converters being used to deliver malware.

The report reveals how cybercriminals have crafted deceptive websites, such as candyxpdf[.]com and candyconverterpdf[.]com, that mimic the popular pdfcandy.com service, a PDF toolkit that attracts approximately 2.8 million monthly visits. Notably, India represents the largest segment of the pdfcandy.com user base, accounting for 19.07% or roughly 533,960 monthly visitors, providing a vast pool of potential victims for threat actors. The two fraudulent sites saw approximately 2,300 and 4,100 visits respectively in March 2025.

How PDF Converter Malware Attack Works

The malware campaign employs advanced social engineering to exploit users' trust.

Spoofed Websites: Domains like candyxpdf[.]com and candyconverterpdf[.]com imitate the real PDFCandy website.

Deceptive Flow: Victims uploading a PDF for conversion encounter a fake processing animation. The fake file conversion is followed by a Captcha prompt, creating trust and urgency.

Malware Trigger: Victims are prompted to run a PowerShell command, leading to the download of a malicious ZIP file masquerading as a legitimate Adobe resource.

Payload Execution: The ZIP contains audiobit.exe, which executes via MSBuild.exe, a legitimate Windows utility weaponised to run ArechClient2. ArechClient2 is a .NET remote access trojan that can track users' devices, steal crypto wallets and credentials, and even control users' browser sessions through a secondary system.
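The chain above gives a defender two telemetry signals worth alerting on: PowerShell spawning a freshly dropped executable from a user-writable path, and MSBuild.exe being launched outside any build tooling. The following is an added example (not code from CloudSek's report) that runs those two checks over constructed, Sysmon-style process-creation events; field names, paths and the list of legitimate build parents are assumptions.

```python
"""Detection checks for the fake-PDF-converter infection chain: a PowerShell
one-liner drops a ZIP posing as an Adobe resource, and the dropped binary
(audiobit.exe) is run via MSBuild.exe. Events below are constructed samples."""
import ntpath

# Constructed process-creation events, simplified Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    # Benign: MSBuild started by Visual Studio during a normal build.
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    # Suspicious: MSBuild started by a binary extracted into a Temp folder.
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\adobe_resource\audiobit.exe"},
    # Suspicious: PowerShell launching the dropped executable itself.
    {"image": r"C:\Users\alice\AppData\Local\Temp\adobe_resource\audiobit.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Path fragments that indicate a location an ordinary user can write to (assumed).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")
# Parents from which MSBuild.exe is expected in a developer workflow (assumed).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "code.exe"}


def _user_writable(path):
    """True if the path sits under a typical user-writable directory."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def evaluate(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    findings = []
    # Rule 1: MSBuild.exe run by something that is not build tooling and
    # lives where a downloaded ZIP would be unpacked.
    if image == "msbuild.exe" and parent not in BUILD_PARENTS and _user_writable(event["parent"]):
        findings.append("msbuild_from_user_writable_parent")
    # Rule 2: PowerShell spawning an executable from a user-writable path,
    # matching the "run this command" lure in the campaign.
    if parent == "powershell.exe" and image.endswith(".exe") and _user_writable(event["image"]):
        findings.append("powershell_spawned_exe_from_user_writable_path")
    return findings


def scan(events):
    """Run evaluate() over a batch and return (event_index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```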

Wider Implications

This campaign demonstrates a growing trend where attackers prey on routine digital activities, like file conversion, to compromise systems. Given the increasing use of online converters in corporate and personal workflows, this type of attack has wide-ranging implications for cybersecurity hygiene.

Protecting Against Malware Threat

CloudSek's report provides recommendations to safeguard individuals and organisations, including:

Stick To Trusted Tools: Use reputable file conversion services from official websites and avoid unverified "free" converters.

Strengthen Technical Defences: Keep antivirus software updated, deploy endpoint detection and response solutions, and use DNS filtering to block malicious domains.

Educate Users: Train employees to recognise red flags, such as suspicious URLs, unexpected Captchas or prompts to run command-line instructions.

Incident Response: Isolate compromised devices, change passwords from a clean device, and report incidents to authorities promptly.

Offline Alternatives: Consider offline conversion tools to avoid uploading sensitive files to remote servers.

Read more on Technology by NDTV Profit.