Fake PDF Converters Used to Deploy ArechClient2 Malware, Warns CloudSEK

CloudSEK’s security researchers have uncovered a sophisticated malware campaign using fake PDF-to-DOCX conversion tools to infect unsuspecting users with a powerful information stealer.

This comes just weeks after the FBI's Denver office issued a public alert warning of malicious online file converters being leveraged to deliver malware.

The report reveals how cybercriminals have crafted deceptive websites, such as candyxpdf[.]com and candyconverterpdf[.]com, that meticulously mimic the legitimate pdfcandy.com service. 

These fraudulent platforms lure users into executing a malicious PowerShell command, initiating a complex infection chain that delivers malware capable of stealing sensitive data, including browser credentials, cryptocurrency wallets, and other personal information. 

A Sophisticated Blend of Deception and Technology

The campaign employs advanced social engineering to exploit users’ trust. Victims uploading a PDF for conversion encounter a fake processing animation, followed by an unexpected CAPTCHA prompt designed to enhance the site’s perceived legitimacy and rush users into action.

This leads to instructions to run a PowerShell command, which triggers a redirection chain through domains like bind-new-connect[.]click, ultimately delivering a malicious “adobe.zip” payload. The archive contains “audiobit[.]exe,” which leverages legitimate Windows tools like MSBuild[.]exe to deploy Arechclient2. 

“This campaign highlights how cybercriminals exploit everyday digital tools. By combining psychological manipulation with technical sophistication, these attackers turn routine tasks like file conversion into opportunities for data theft. Our research aims to equip individuals and organizations with the knowledge to stay safe,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.

The scale of this threat becomes clear when considering the popularity of the legitimate PDFCandy.com, which attracts approximately 2.8 million monthly visits.

Notably, India represents the largest segment of its user base, accounting for 19.07% or roughly 533,960 monthly visitors. This substantial audience provides a vast pool of potential victims for the threat actors behind this malicious campaign.

While the fraudulent sites, candyxpdf[.]com and candyconverterpdf[.]com, saw approximately 2,300 and 4,100 visits respectively in March 2025, these numbers demonstrate active exploitation of the impersonated service's popularity.

How the Attack Works

• Spoofed Websites: Domains like candyxpdf[.]com and candyconverterpdf[.]com imitate the real PDFCandy website.
   
• Deceptive Flow: Fake file conversion followed by a CAPTCHA prompt creates trust and urgency.
   
• Malware Trigger: Users are prompted to run a PowerShell command, leading to the download of a malicious ZIP file masquerading as a legitimate Adobe resource.
   
• Payload Execution: The ZIP contains audiobit.exe, which executes via MSBuild.exe – a legitimate Windows utility weaponized to run ArechClient2. (Read Full Report, For More Information)
   

CloudSEK’s technical analysis traced the malware delivery chain through multiple redirections, eventually landing on a known malicious domain (bind-new-connect[.]click) to deliver the payload. The attacker’s infrastructure, command chain, and payload hashes are included in the full report.

This campaign demonstrates a growing trend where attackers prey on routine digital activities—like file conversion—to compromise systems. Given the increasing use of online converters in corporate and personal workflows, this type of attack has wide-ranging implications for cybersecurity hygiene.

Protecting Against the Threat

CloudSEK’s report provides actionable recommendations to safeguard individuals and organisations:

• Stick to Trusted Tools: Use reputable file conversion services from official websites and avoid unverified “free” converters.
• Strengthen Technical Defenses: Keep antivirus software updated, deploy endpoint detection and response (EDR) solutions, and use DNS filtering to block malicious domains.
• Educate Users: Train employees to recognize red flags, such as suspicious URLs, unexpected CAPTCHAs, or prompts to run command-line instructions.
• Incident Response: Isolate compromised devices, change passwords from a clean device, and report incidents to authorities promptly.
• Offline Alternatives: Consider offline conversion tools to avoid uploading sensitive files to remote servers.