Thursday, April 24, 2025

Beware! Online PDF Converters Tricking Users into Installing Password-Stealing Malware


According to CloudSEK’s Security Research team, a sophisticated cyberattack leveraging malicious online PDF converters has been shown to target individuals and organizations globally.

This attack, previously hinted at by the FBI’s Denver field office, involves the distribution of potent malware, known as ArechClient2, which is a variant of the harmful SectopRAT family of information stealers.

The Deception Unveiled

The attackers crafted fake websites, candyxpdf[.]com and candyconverterpdf[.]com, whose look and user experience are strikingly similar to those of pdfcandy.com, a legitimate PDF conversion service.


These deceptive platforms lure users with the promise of converting PDF files into DOCX format.

[Figure: Mindmap of the malware campaign]

However, this promise serves as a bait to exploit common file conversion needs to initiate an attack vector:

  • Visual Deception: The fake sites replicate the branding, logo, and overall design of pdfcandy.com, making them appear trustworthy to unsuspecting users.
  • User Interaction: Once a user proceeds with file conversion, a series of manipulated interactions are initiated:
    • Simulated Processing: A sequence mimicking file processing reassures users of the site’s functionality.
    • Fake Captcha: An abrupt captcha verification prompt is designed not only to legitimize the site but also to expedite the attack by hastening user actions.
    • PowerShell Execution: Users are tricked into running a PowerShell command, the linchpin in the cyber attack’s chain.
[Figure: Website prompting the user to run a PowerShell command]

Technical Manipulation

The deceptive process culminates with the download of “adobe.zip” from bind-new-connect[.]click, a domain notorious for distributing ArechClient2 malware.

The payload, hosted on the IP address 172[.]86[.]115[.]43, contains an archive that expands to a “SoundBAND” folder with an executable “audiobit[.]exe”.

According to the report, this execution triggers a multi-stage attack that employs cmd[.]exe and MSBuild[.]exe to install the information stealer stealthily.
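The staging chain above (the dropped “audiobit.exe” launching cmd.exe, which in turn launches MSBuild.exe) is a pattern a defender can hunt for in process-creation telemetry. The following is an added example, not CloudSEK’s or the report’s code: it walks constructed Sysmon-style events and flags any MSBuild.exe whose ancestry contains both cmd.exe and an executable running from a user-writable location. The event shapes, paths and PIDs are all constructed for illustration; a Visual Studio build is included to show a benign MSBuild launch that is not flagged.

```python
"""Hunt for the cmd.exe -> MSBuild.exe staging chain over constructed
process-creation events (added example; not the report's tooling)."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed sample events modelled on the chain in the article:
# audiobit.exe (unpacked from adobe.zip into "SoundBAND") -> cmd.exe -> MSBuild.exe
SAMPLE_EVENTS = [
    Proc(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2000, 1000, r"C:\Users\alice\Downloads\SoundBAND\audiobit.exe", "audiobit.exe"),
    Proc(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    Proc(2200, 2100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         "MSBuild.exe <constructed>"),
    # Benign contrast: Visual Studio invoking MSBuild directly, no cmd.exe, no dropped binary
    Proc(3000, 1000, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
         "devenv.exe"),
    Proc(3100, 3000, r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
         "MSBuild.exe proj.csproj"),
]

# Path fragments treated as user-writable; tune to your environment.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Processes from pid up to the root, child first (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_suspicious_msbuild(events):
    """Flag MSBuild.exe launches whose ancestry contains cmd.exe AND an
    executable started from a user-writable directory (the dropped payload)."""
    hits = []
    for e in events:
        if basename(e.image) != "msbuild.exe":
            continue
        parents = ancestry(events, e.ppid)
        has_cmd = any(basename(p.image) == "cmd.exe" for p in parents)
        dropped = [p for p in parents
                   if any(frag in p.image.lower() for frag in USER_WRITABLE)]
        if has_cmd and dropped:
            chain = " -> ".join(basename(p.image) for p in reversed(parents))
            hits.append({
                "msbuild_pid": e.pid,
                "dropped_parent": basename(dropped[0].image),
                "chain": chain + " -> msbuild.exe",
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_msbuild(SAMPLE_EVENTS):
        print(hit)
```

Requiring both conditions keeps developer workstations quiet: MSBuild launched by devenv.exe or by a build agent from Program Files never passes the check, while the report’s chain (a binary in a Downloads folder spawning cmd.exe spawning MSBuild.exe) does.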

To defend against these advanced threats, consider the following:

Rely on Verified Tools
  Always use file conversion tools from their official websites rather than searching for “free converters.”

Technical Safeguards
  1. Keep anti-malware software updated and scan all downloads.
  2. Implement endpoint detection and response (EDR) solutions.
  3. Use DNS-level filters to block known malicious domains.
  4. Check file integrity beyond just examining extensions.

User Training
  Educate users to spot red flags like PowerShell execution requests or minor URL variations.

Response to Compromise
  1. Isolate any potentially compromised device immediately.
  2. Change all passwords using a secured, non-compromised device.
  3. Alert financial institutions and report the incident to relevant authorities.

This detailed exposé of the malicious PDF converter scheme underscores the sophistication of today’s cyber attackers.

By maintaining vigilance, employing robust security measures, and fostering an informed user base, one can significantly mitigate the risk of falling victim to such intricate cyber threats.

Indicators of Compromise (IOC)

candyxpdf[.]com : Malicious domain
candyconverterpdf[.]com : Another malicious domain
bind-new-connect[.]click : Known malware distributor
172[.]86[.]115[.]43 : Malicious IP hosting “adobe.zip”
“adobe[.]zip” : Malicious payload archive
“audiobit[.]exe” : Malicious executable inside “adobe.zip”
72642E429546E5AB207633D3C6A7E2E70698EF65 : Hash for “adobe.zip”
51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834 : Hash for “audiobit[.]exe”
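The indicators above only help once they are turned into checks, which is what the “DNS-level filters” and “check file integrity” items in the defence table ask for. The following is an added example, not CloudSEK’s or the report’s tooling: it refangs the defanged indicators, scans constructed DNS/proxy/firewall log lines for them (matching whole labels, so the legitimate pdfcandy.com or a longer IP is not flagged by a substring), and checks a file’s bytes against the listed hashes. The log lines are constructed; the hash algorithms (SHA-1 for the 40-character digest, SHA-256 for the 64-character one) are inferred from digest length, since the article does not name them.

```python
"""Operationalise the IOC list: refang, scan logs, and match file hashes.
Added example; not the report's code. Log lines below are constructed."""
import hashlib
import re

# Indicators copied from the article in their defanged form.
DEFANGED_IOCS = {
    "candyxpdf[.]com": "malicious domain",
    "candyconverterpdf[.]com": "malicious domain",
    "bind-new-connect[.]click": "malware distribution domain",
    "172[.]86[.]115[.]43": "IP hosting adobe.zip",
}

# Hashes from the article (lower-cased). Algorithm is an assumption inferred
# from digest length: 40 hex chars -> SHA-1, 64 hex chars -> SHA-256.
KNOWN_HASHES = {
    "72642e429546e5ab207633d3c6a7e2e70698ef65": "adobe.zip",
    "51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834": "audiobit.exe",
}


def refang(ioc):
    """Turn '[.]' back into '.' so an indicator can be matched against live logs."""
    return ioc.replace("[.]", ".")


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, defanged_ioc, description) for every log line touching an IOC.
    The indicator must stand alone: no label/digit characters directly before or after it,
    so '172.86.115.430' or 'notcandyxpdf.com' are not reported."""
    patterns = [
        (re.compile(r"(?<![\w.-])" + re.escape(refang(ioc)) + r"(?![\w-])"), ioc, desc)
        for ioc, desc in iocs.items()
    ]
    hits = []
    for n, line in enumerate(lines, 1):
        for pat, ioc, desc in patterns:
            if pat.search(line):
                hits.append((n, ioc, desc))
    return hits


def hash_lookup(data, known=KNOWN_HASHES):
    """Check file bytes against the IOC hashes, trying each algorithm the digest lengths imply.
    Returns (algorithm, sample_name) on a match, else None."""
    for algo in ("sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in known:
            return algo, known[digest]
    return None


# Constructed sample log lines, not real traffic.
SAMPLE_LOGS = [
    "2025-04-24T10:01:02Z dns query client=10.0.0.5 qname=pdfcandy.com type=A",
    "2025-04-24T10:03:15Z dns query client=10.0.0.7 qname=candyxpdf.com type=A",
    "2025-04-24T10:03:40Z proxy client=10.0.0.7 GET http://bind-new-connect.click/adobe.zip 200",
    "2025-04-24T10:03:41Z fw allow 10.0.0.7 -> 172.86.115.43:80",
    "2025-04-24T10:04:00Z fw allow 10.0.0.9 -> 172.86.115.430:80",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    # A file that is not the payload yields no match.
    print(hash_lookup(b"not the real archive"))
```

In practice the same `scan_logs` pattern list can be loaded into a DNS resolver’s block list or a proxy policy, and `hash_lookup` belongs wherever downloads are quarantined; the point of the whole-label regex is that a naive substring match on “candy” or on the IP would flag the legitimate pdfcandy.com and unrelated addresses.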


Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.
