Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

What looks like a harmless online file conversion could be a trap set by cybercriminals. CloudSEK’s latest investigation uncovers a stealthy malware campaign where fake PDF-to-DOCX converters, mimicking the popular PDFCandy.com, trick users into running malicious PowerShell commands. The endgame? A powerful information stealer that hijacks browser credentials, crypto wallets, and more. Dive into our detailed breakdown of this social engineering scam, its technical anatomy, and how to stay a step ahead of such byte bandits.

Varun Ajmera
April 15, 2025
Green Alert
Last update posted on April 15, 2025
Executive Summary

Online PDF converters have become essential tools in daily digital workflows. On March 17, 2025, the FBI's Denver field office issued an alert regarding malicious online file converters being used to distribute malware. This prompted CloudSEK's Security Research team to conduct an in-depth investigation into these threats to understand their mechanisms and develop protective measures.

This report examines a sophisticated attack involving a malicious PDF-to-DOCX converter that impersonates the legitimate service pdfcandy.com. The threat actors meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users. The attack vector involves tricking victims into executing a PowerShell command that installs ArechClient2 malware, a variant of the dangerous SectopRAT information stealer family known for harvesting sensitive data from compromised systems.

Our analysis details the technical aspects of this attack, the indicators of compromise, and provides actionable recommendations to help organizations and individuals protect themselves against such sophisticated social engineering tactics.

Fig 1: Mindmap of the malware campaign

Analysis

Fig 2: Home page of candyxpdf[.]com 

Fig 3: Home page of candyconverterpdf[.]com

Figures 2 and 3 showcase the landing and home pages of two identified malicious file conversion websites, both expertly impersonating the legitimate pdfcandy.com service. These fraudulent sites meticulously replicate pdfcandy.com's visual identity, including its logo and brand elements, creating a convincing facade. Upon arrival, users are immediately prompted to upload a PDF file for conversion to Word (.docx) format, exploiting a common file conversion need to initiate the attack vector.

Modus Operandi 

Fig 4: Fake Captcha and completed conversion of sample PDF file

Upon initiating the PDF conversion process, the malicious website employs a series of sophisticated social engineering tactics to manipulate user behavior:

  1. Simulated Processing: The site displays an animated loading sequence, creating the illusion of genuine file processing. This step is designed to build trust and lower the user's guard.
  2. Immediate Captcha Prompt: Following the fake processing animation, the site abruptly presents a captcha verification dialog, as illustrated in Figure 4. This unexpected interruption serves multiple purposes:
    • It mimics legitimate security practices, further enhancing the site's perceived authenticity.
    • It creates a sense of urgency, potentially rushing the user into action without careful consideration.
    • The CAPTCHA acts as a pivotal interaction point where the malicious payload can be triggered.
  3. Psychological Manipulation: By presenting familiar elements in an unexpected sequence, the attackers exploit the user's learned behaviors and expectations when interacting with web services.

This carefully crafted user flow demonstrates the attackers' understanding of human psychology and web design conventions, highlighting the sophisticated nature of this social engineering attack.

Fig 5: Website prompting the running of a PowerShell command

Following the deceptive CAPTCHA interaction, the website prompts users to execute a PowerShell command (shown below) with detailed instructions, as illustrated in Figure 5. This is the critical point where social engineering transitions to system compromise.

Technical Analysis 

Fig 6: Web request to download malicious “adobe.zip” payload

Upon decoding the command, we discovered a sophisticated redirection chain designed to obscure the malware delivery process. The initial connection targets "bind-new-connect[.]click/santa/bee", disguised as a seemingly innocuous shortened URL, "https[://]bitly[.]cx[/]SMma". This redirect, shown in Figure 6, forwards to "https[://]bitly[.]cx[/]Www0", which in turn chains to "bind-new-connect[.]click/marmaris/later", the actual endpoint serving the malicious "adobe.zip" payload. As per ThreatFox, the domain "bind-new-connect[.]click" is a known distributor of ArechClient malware, which belongs to the SectopRAT family of information stealers. This .NET-based Remote Access Trojan has been active since 2019 and has extensive capabilities for stealing sensitive data, including browser credentials and cryptocurrency wallet information.

The malicious "adobe.zip" file was hosted on IP address 172[.]86[.]115[.]43, which has been flagged as malicious by multiple security vendors according to VirusTotal analysis. SectopRAT typically employs various distribution methods, including malvertising through Google Ads and fake application updates, to maximize infection rates.

Fig 7: Contents of the “adobe.zip” payload

The contents of “adobe.zip” can be seen in Figure 7 above. The archive expands to a folder named “SoundBAND” containing the malicious executable “audiobit[.]exe”. A full analysis of the archive can be found in this ANY.RUN sandbox report.

Fig 8: Run tree of the malicious executable

The execution of "audiobit[.]exe" triggers a multi-stage attack chain: "cmd[.]exe" is spawned, which in turn launches "MSBuild[.]exe", a legitimate Windows build utility abused here to load and execute the ArechClient2 information stealer, as illustrated in Figure 9 below.

Fig 9: Contents of MSBuild flagged as malicious and containing ArechClient2 information stealer
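The process lineage in Figures 8 and 9 (audiobit.exe spawning cmd.exe, which launches MSBuild.exe) is what an endpoint detection rule can key on. The following is an added example, not CloudSEK's or ANY.RUN's code: it builds a process tree from constructed Sysmon-style process-creation records (pids, paths and the benign IDE build are made up) and flags MSBuild.exe launched by cmd.exe beneath an executable running from a user-writable directory.

```python
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Constructed Sysmon-style process-creation records (pids and paths are
# made up): a benign IDE-driven build, then the chain from Figure 8.
EVENTS = [
    Proc(400, 1, "C:\\Windows\\explorer.exe"),
    Proc(512, 400, "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"),
    Proc(520, 512, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"),
    Proc(700, 400, "C:\\Users\\alice\\Downloads\\SoundBAND\\audiobit.exe"),
    Proc(704, 700, "C:\\Windows\\System32\\cmd.exe"),
    Proc(708, 704, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"),
]

# Directories a standard user can write to; an executable from one of these
# sitting above MSBuild.exe in the tree is the lineage worth alerting on.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def ancestry(events, pid):
    """Image paths from pid up to the root, nearest first (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def flag_msbuild_chains(events):
    """Return the ancestry of every MSBuild.exe whose parent is cmd.exe and
    whose ancestors include a binary launched from a user-writable path."""
    flagged = []
    for e in events:
        if ntpath.basename(e.image).lower() != "msbuild.exe":
            continue
        chain = ancestry(events, e.pid)
        parent = ntpath.basename(chain[1]).lower() if len(chain) > 1 else ""
        from_user_dir = any(p.lower().startswith(USER_WRITABLE) for p in chain[1:])
        if parent == "cmd.exe" and from_user_dir:
            flagged.append(chain)
    return flagged


if __name__ == "__main__":
    for chain in flag_msbuild_chains(EVENTS):
        print(" <- ".join(chain))
```

The benign devenv.exe build of MSBuild is deliberately left unflagged, so the rule keys on the parent and the writable-path ancestor together rather than on MSBuild.exe alone.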

Indicators of Compromise (IOC)

Type: Indicator
Domain: candyxpdf[.]com
Domain: candyconverterpdf[.]com
URL: bind-new-connect[.]click/santa/bee
URL: bind-new-connect[.]click/marmaris/later
IP address: 172[.]86[.]115[.]43
File: “adobe[.]zip” (SHA-1: 72642E429546E5AB207633D3C6A7E2E70698EF65)
File: “audiobit[.]exe” (SHA-256: 51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834)
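To use the indicators above in practice they have to be refanged and matched with some care: a bare domain or IP should catch any request to that host (and its subdomains), while a URL indicator should match only its own path. Added example, not part of the report: the proxy log lines are constructed, and only the indicators come from the list above.

```python
import re

# Defanged indicators exactly as listed in the IOC section.
DEFANGED_IOCS = [
    "candyxpdf[.]com",
    "candyconverterpdf[.]com",
    "bind-new-connect[.]click/santa/bee",
    "bind-new-connect[.]click/marmaris/later",
    "172[.]86[.]115[.]43",
]

# Constructed sample proxy log: timestamp, client, method, URL, action.
SAMPLE_LOG = """\
2025-04-10T09:12:01Z 10.0.0.15 GET https://pdfcandy.com/pdf-to-word.html ALLOW
2025-04-10T09:14:33Z 10.0.0.15 GET https://candyconverterpdf.com/convert ALLOW
2025-04-10T09:15:02Z 10.0.0.15 GET https://bitly.cx/SMma ALLOW
2025-04-10T09:15:03Z 10.0.0.15 GET http://bind-new-connect.click/marmaris/later ALLOW
2025-04-10T09:15:05Z 10.0.0.15 GET http://172.86.115.43/adobe.zip ALLOW
2025-04-10T09:20:44Z 10.0.0.22 GET https://example.org/ ALLOW
"""


def refang(ioc):
    """Undo the usual defanging conventions ([.], [://], [/], hxxp)."""
    return (ioc.replace("[.]", ".").replace("[://]", "://")
               .replace("[/]", "/").replace("hxxp", "http").lower())


def match_log(log_text, defanged_iocs):
    """Return (line_no, indicator) pairs for log lines that hit an IOC."""
    hits = []
    iocs = [refang(i) for i in defanged_iocs]
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = re.sub(r"^[a-z]+://", "", parts[3].lower())  # strip scheme
        host, _, path = url.partition("/")
        for ioc in iocs:
            ioc_host, _, ioc_path = ioc.partition("/")
            # Host must be the indicator itself or a subdomain of it, so
            # a lookalike such as notcandyxpdf.com does not match.
            host_ok = host == ioc_host or host.endswith("." + ioc_host)
            # A URL indicator additionally pins the path; a bare host/IP
            # indicator matches any request to that host.
            path_ok = (not ioc_path or path == ioc_path
                       or path.startswith(ioc_path + "/"))
            if host_ok and path_ok:
                hits.append((n, ioc))
    return hits


if __name__ == "__main__":
    for line_no, ioc in match_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {line_no}: {ioc}")
```

Note that the first bitly.cx hop from the redirect chain is not an IOC on the page and so is not matched; the URL-path rule keeps "/santa/bee" from firing on the "/marmaris/later" request.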

Recommendations for Protection

To protect against malicious file converters like the one analyzed in this report, organizations and individuals should:

  1. Use only trusted, reputable file conversion tools from official websites rather than searching for "free online file converters".
  2. Implement robust technical controls, including:
    • Keep antivirus/anti-malware software updated and scan all downloaded files before opening
    • Deploy endpoint detection and response (EDR) solutions to detect suspicious behaviors
    • Utilize DNS-level traffic filtering to block known malicious domains
    • Consider browser extensions that block malicious sites
  3. Verify file types beyond just extensions, as malicious files often masquerade as legitimate document types.
  4. Implement content disarm and reconstruction (CDR) technology to remove potentially embedded threats from documents.
  5. Establish file upload restrictions in corporate environments, including limiting allowed file types and maximum file sizes.
  6. Educate users to recognize warning signs of malicious converters, such as:
    • Requests to run PowerShell or command-line instructions
    • Suspicious URLs that mimic legitimate services with slight variations
    • Unexpected captcha verifications or additional downloads
  7. Develop and regularly test incident response plans to quickly address infections when they occur.
  8. Consider using offline conversion tools that don't require uploading files to remote servers.
  9. If a system is potentially compromised:
    • Immediately isolate the affected device
    • Change all passwords using a clean device
    • Contact financial institutions to protect accounts
    • Report the incident to the appropriate authorities
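Recommendation 3, checking what a file actually is rather than what its name claims, as an added example that is not CloudSEK's code. It classifies content by its leading bytes and, mirroring the adobe.zip case above, also lists archive members that are PE executables; every sample file below is constructed in memory.

```python
import io
import zipfile

def sniff(data):
    """Classify content by leading bytes: 'pdf', 'docx', 'zip', 'exe' or 'unknown'."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):          # DOS stub of a Windows PE executable
        return "exe"
    if data.startswith(b"PK\x03\x04"):  # ZIP local file header; .docx is a ZIP too
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:      # truncated or corrupt container
            return "zip"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "docx"
        return "zip"
    return "unknown"

def executables_in_archive(data):
    """Names of ZIP members whose own content starts with the PE 'MZ' header."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if zf.read(n).startswith(b"MZ")]

def audit(files):
    """Findings for {filename: bytes}: extension/content mismatches and archives carrying executables."""
    findings = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(data)
        if kind != ext:
            findings.append((name, f"extension .{ext} but content is {kind}"))
        if kind == "zip":
            for member in executables_in_archive(data):
                findings.append((name, f"archive contains executable {member}"))
    return findings

def build_zip(members):  # in-memory ZIP from {member_name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()

# Constructed samples: a genuine PDF header, a minimal .docx skeleton, an EXE
# renamed to .pdf, and an archive laid out like the report's "adobe.zip".
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%constructed-sample\n",
    "report.docx": build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>"}),
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "adobe.zip": build_zip({"SoundBAND/audiobit.exe": b"MZ\x90\x00" + b"\x00" * 60}),
}
```

Running audit(SAMPLES) reports only the renamed executable and the archive member, which is the check a mail or download gateway would apply before a user opens the file.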

Author

Varun Ajmera

Varun Ajmera is a Security Researcher and a key member of the TRIAD team, specializing in uncovering emerging cyber threats and analyzing their impact. With a focus on proactive defense, Varun contributes to enhancing organizational security through in-depth research and actionable insights.
