Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

April 16, 2025, 1:21 p.m.

Description

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2, a variant of the SectopRAT information stealer. This malware is capable of harvesting sensitive data, including browser credentials and cryptocurrency wallet information. The attackers use deceptive tactics such as simulated processing, fake CAPTCHA prompts, and psychological manipulation to lower users' guards. The malware delivery process involves a complex redirection chain, ultimately leading to the download of a malicious payload disguised as 'adobe.zip'.

Date

  • Created: April 15, 2025, 8:46 p.m.
  • Published: April 15, 2025, 8:46 p.m.
  • Modified: April 16, 2025, 1:21 p.m.

Attack Patterns