According to CloudSEK’s Security Research team, a sophisticated cyberattack leveraging malicious online PDF converters has been found targeting individuals and organizations globally.
This attack, previously hinted at by the FBI’s Denver field office, involves the distribution of a potent piece of malware known as ArechClient2, a variant of the SectopRAT family of information stealers.
The attackers crafted fake websites, candyxpdf[.]com and candyconverterpdf[.]com, which are startlingly similar in look and user experience to pdfcandy.com, a legitimate PDF conversion service.
These deceptive platforms lure users with the promise of converting PDF files into DOCX format.
However, this promise is bait: it exploits a common file-conversion need to initiate the attack.
The deceptive process culminates in the download of “adobe.zip” from bind-new-connect[.]click, a domain notorious for distributing ArechClient2 malware.
The payload, hosted on the IP address 172[.]86[.]115[.]43, is an archive that expands to a “SoundBAND” folder containing the executable “audiobit[.]exe”.
According to the report, running this executable triggers a multi-stage attack that uses cmd[.]exe and MSBuild[.]exe to install the information stealer stealthily.
To defend against these advanced threats, consider the following:
Category | Action |
---|---|
Rely on Verified Tools | Always use file conversion tools from their official websites rather than searching for “free converters.” |
Technical Safeguards | 1. Keep anti-malware software updated and scan all downloads. 2. Implement endpoint detection and response (EDR) solutions. 3. Use DNS-level filters to block known malicious domains. 4. Check file integrity beyond just examining extensions. |
User Training | Educate users to spot red flags like PowerShell execution requests or minor URL variations. |
Response to Compromise | 1. Isolate any potentially compromised device immediately. 2. Change all passwords using a secured, non-compromised device. 3. Alert financial institutions and report the incident to relevant authorities. |
This detailed exposé of the malicious PDF converter scheme underscores the sophistication of today’s cyber attackers.
By maintaining vigilance, employing robust security measures, and fostering an informed user base, one can significantly mitigate the risk of falling victim to such intricate cyber threats.
IOC | Description |
---|---|
candyxpdf[.]com | Malicious domain |
candyconverterpdf[.]com | Another malicious domain |
bind-new-connect[.]click | Known malware distributor |
172[.]86[.]115[.]43 | Malicious IP hosting “adobe.zip” |
“adobe[.]zip” | Malicious payload archive |
“audiobit[.]exe” | Malicious executable inside “adobe.zip” |
72642E429546E5AB207633D3C6A7E2E70698EF65 | Hash for “adobe.zip” |
51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834 | Hash for “audiobit[.]exe” |
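As an added example, not code from the CloudSEK report or from this article, the Python below applies the IOCs in the table above to a handful of constructed log events. It demonstrates three of the safeguards recommended earlier: DNS-level matching of the listed domains, a file-hash check that does not depend on the extension, and flagging the cmd.exe-to-MSBuild.exe chain the report describes. The log layout, hostnames and event contents are assumptions made for this example.

```python
# IOCs as published on this page (defanging brackets removed so they match real log values)
MALICIOUS_DOMAINS = {"candyxpdf.com", "candyconverterpdf.com", "bind-new-connect.click"}
MALICIOUS_IPS = {"172.86.115.43"}
MALICIOUS_HASHES = {  # lowercase keys; 40 hex chars = SHA-1, 64 hex chars = SHA-256
    "72642e429546e5ab207633d3c6a7e2e70698ef65": "adobe.zip (SHA-1)",
    "51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834": "audiobit.exe (SHA-256)",
}

# Constructed sample telemetry, not real data: one key=value event per line.
# Hostnames and the key=value layout are assumptions made for this example.
SAMPLE_LOG = """\
type=dns host=ws-17 query=www.pdfcandy.com
type=dns host=ws-17 query=candyxpdf.com
type=http host=ws-17 dst=172.86.115.43 file=adobe.zip sha1=72642E429546E5AB207633D3C6A7E2E70698EF65
type=proc host=ws-17 parent=explorer.exe image=cmd.exe
type=proc host=ws-17 parent=cmd.exe image=MSBuild.exe
type=proc host=ws-22 parent=devenv.exe image=MSBuild.exe
"""

def parse_event(line):
    """Split 'k=v k=v ...' into a dict (values carry no spaces in this layout)."""
    return dict(kv.split("=", 1) for kv in line.split())

def is_bad_domain(name):
    """True for a listed domain or any subdomain of it; www.pdfcandy.com is not one."""
    q = name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in MALICIOUS_DOMAINS)

def check_events(log_text):
    """Return (rule, host, evidence) tuples for every event matching a page IOC."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev.get("type") == "dns" and is_bad_domain(ev.get("query", "")):
            alerts.append(("malicious-domain", host, ev["query"]))
        elif ev.get("type") == "http":
            if ev.get("dst") in MALICIOUS_IPS:
                alerts.append(("malicious-ip", host, ev["dst"]))
            for key in ("sha1", "sha256"):  # hash lookup ignores the file extension entirely
                h = ev.get(key, "").lower()
                if h in MALICIOUS_HASHES:
                    alerts.append(("known-bad-hash", host, MALICIOUS_HASHES[h]))
        elif ev.get("type") == "proc":
            # cmd.exe launching MSBuild.exe is the chain the report describes;
            # MSBuild under a developer IDE (devenv.exe) is normal and stays quiet.
            parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
            if parent == "cmd.exe" and image == "msbuild.exe":
                alerts.append(("cmd-spawns-msbuild", host, line))
    return alerts
```

Running `check_events(SAMPLE_LOG)` on the constructed events yields four alerts, one for each rule, while the legitimate pdfcandy.com lookup and the IDE-launched MSBuild stay silent.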