The Plunge Daily

Fake PDF Converters Used to Spread ArechClient2 Malware, CloudSEK Warns

In a new cybersecurity alert, researchers from CloudSEK have exposed a stealthy malware campaign using fake PDF-to-DOCX converters to deploy a powerful information-stealing trojan known as ArechClient2. The malicious campaign involves rogue websites that mimic legitimate services, tricking users into downloading malware disguised as routine file conversion tools.

Imitating Trustworthy Services

At the centre of this fake PDF converters campaign are two fraudulent websites: candyxpdf[.]com and candyconverterpdf[.]com. Both are sophisticated clones of the widely used PDFCandy.com, which sees around 2.8 million monthly users—nearly 20% of them from India. The fake websites replicate the legitimate service’s interface, displaying processing animations and CAPTCHA prompts to build user trust.

According to CloudSEK’s report, once a user uploads a file, the site instructs them to execute a PowerShell command—a key red flag. This triggers a complex redirection flow through domains like bind-new-connect[.]click, ultimately leading to the download of a file named adobe.zip. Inside is audiobit.exe, the executable that uses a legitimate Windows utility (MSBuild.exe) to install the ArechClient2 malware.

How the Attack Works

CloudSEK’s detailed breakdown shows how attackers exploit familiar digital habits to deploy malware:

Spoofed Domains: Fake PDF converters closely mimic real services.

Social Engineering: Visual cues like CAPTCHA and file-processing animations add legitimacy.

Malware Trigger: Users are manipulated into running a PowerShell command.

Payload Delivery: A malicious ZIP file contains an executable launched via a trusted system tool.

Final Infection: The ArechClient2 malware is quietly installed to steal browser data, crypto wallets, and other sensitive information.

Despite their short lifespan, the fake sites attracted over 6,000 visits in March 2025 alone—evidence of active exploitation by cybercriminals.
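The delivery chain above (a PowerShell command launching a dropped executable, which in turn runs the legitimate MSBuild.exe) leaves a recognisable parent-child pattern in endpoint process telemetry. The following detection logic is an added example written for this article, not code from CloudSEK or the report; the events, paths, pid numbers and build-tool directory list are constructed sample data and would need adjusting to a real fleet's install layout.

```python
"""Added example: flag process-creation events matching the described chain, where a
PowerShell command launches an executable unpacked from a downloaded ZIP in a user-writable
directory, which then runs the legitimate MSBuild.exe. All events below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an ordinary user can write to; a payload unpacked from a downloaded ZIP lands here.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
# Where MSBuild.exe legitimately lives (assumption: adjust to your own install layout).
BUILD_TOOL_DIRS = ("\\microsoft visual studio\\", "\\microsoft.net\\framework", "\\dotnet\\")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    cmdline: str


def in_user_writable(path: str) -> bool:
    return any(h in path.lower() for h in USER_WRITABLE_HINTS)


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list = nothing to flag)."""
    reasons: list[str] = []
    image = PureWindowsPath(ev.image).name.lower()
    parent = PureWindowsPath(ev.parent_image).name.lower()
    if image == "msbuild.exe":
        if not any(d in ev.image.lower() for d in BUILD_TOOL_DIRS):
            reasons.append("MSBuild.exe running from outside a known build-tool directory")
        if in_user_writable(ev.parent_image):
            reasons.append("MSBuild.exe spawned by a binary in a user-writable directory")
        if parent in SHELLS:
            reasons.append("MSBuild.exe spawned directly by a shell")
        # MSBuild builds whatever project file it is handed; one from a temp directory
        # is the abuse pattern described above, not a developer build.
        for arg in ev.cmdline.split()[1:]:
            if in_user_writable(arg):
                reasons.append(f"MSBuild.exe given a project file from a user-writable path: {arg}")
    elif parent in SHELLS and in_user_writable(ev.image):
        reasons.append("shell launched an executable from a user-writable directory")
    return reasons


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> reasons for every flagged event (unflagged events are omitted)."""
    return {ev.pid: r for ev in events if (r := classify(ev))}


# Constructed sample telemetry mirroring the described chain (paths are illustrative).
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),
    ProcEvent(101, r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "audiobit.exe"),
    ProcEvent(102, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\adobe\build.xml"),
    # Benign developer build: MSBuild from its install dir, parent is the IDE, project under C:\src.
    ProcEvent(103, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"MSBuild.exe C:\src\app\app.csproj"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the sample set, only the PowerShell-to-temp-executable step and the MSBuild launch from that temp directory are flagged; the ordinary IDE-driven build passes. The checks are deliberately independent of the file names in this campaign (adobe.zip, audiobit.exe) so that the same rule keeps working when those are renamed.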

[Figure: Fake PDF Converters Used to Spread ArechClient2 Malware – CloudSEK]

Wider Implications

This campaign isn’t just about one set of fake websites—it signals a broader shift in how malware is delivered. Threat actors are capitalizing on user familiarity and urgency by hijacking common tasks like file conversion. Online tools, while convenient, now present a major security risk when sourced from unverified platforms.

“As threat actors become more creative with their tactics, cybersecurity must evolve to prioritize behaviour-based detection, user awareness, and zero-trust principles,” said Varun Ajmera, Threat Intelligence Researcher at CloudSEK.

How to Stay Safe

CloudSEK’s report offers clear guidance for individuals and businesses:

Use Verified Tools: Always rely on official domains for file conversion services.

Update Security Solutions: Antivirus, EDR, and DNS filtering tools should be kept current.

Raise Awareness: Educate users on red flags like odd URLs, CAPTCHAs on unknown sites, or prompts to run command-line actions.

Respond Quickly: Isolate affected devices, reset credentials, and notify IT/security teams.

Go Offline: Use trusted offline tools for sensitive document conversions where possible.
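The "use verified tools" and "DNS filtering" advice can be turned into an automated check: compare every queried hostname against an allowlist of official domains and flag names that rearrange or slightly alter the brand, as candyxpdf[.]com and candyconverterpdf[.]com do with PDFCandy. The script below is an added example written for this article, not CloudSEK's tooling; the DNS log lines, client addresses and the evil-example.net name are constructed, and the registrable-domain extraction is a deliberately naive stand-in for a public-suffix-list lookup.

```python
"""Added example: flag lookalike domains for an allowlisted service in a DNS query log.
The allowlist holds the official domain named in the article; everything else is constructed."""
from __future__ import annotations

OFFICIAL = {"pdfcandy.com"}                       # verified domains for the service
BRAND_TOKENS = {"pdfcandy": ("pdf", "candy")}     # brand label -> word parts that get recombined


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    # Assumption: last two labels form the registrable domain (no public-suffix list here).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, reason): verdict is 'official', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in OFFICIAL:
        return "official", reg
    labels = host.split(".")
    for brand, parts in BRAND_TOKENS.items():
        for label in labels[:-1]:                 # skip the TLD itself
            if label == brand:
                return "lookalike", f"brand label '{brand}' under unexpected domain {reg}"
            if levenshtein(label, brand) <= 2:
                return "lookalike", f"'{label}' is within edit distance 2 of '{brand}'"
            if all(p in label for p in parts):
                return "lookalike", f"'{label}' recombines brand parts {parts}"
    return "unrelated", reg


# Constructed DNS resolver log lines (format assumed: key=value fields after a timestamp).
SAMPLE_DNS_LOG = """\
2025-03-14T10:02:11Z client=10.0.0.12 query=www.pdfcandy.com type=A
2025-03-14T10:02:40Z client=10.0.0.12 query=candyxpdf.com type=A
2025-03-14T10:03:05Z client=10.0.0.31 query=candyconverterpdf.com type=A
2025-03-14T10:03:09Z client=10.0.0.31 query=example.org type=A
2025-03-14T10:04:22Z client=10.0.0.44 query=pdfcandy.com.evil-example.net type=A
"""


def flag_dns_log(log: str) -> list[tuple[str, str, str]]:
    """Return (client, host, reason) for every lookalike query in the log."""
    hits = []
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        host = fields.get("query", "")
        verdict, why = classify_host(host)
        if verdict == "lookalike":
            hits.append((fields.get("client", "?"), host, why))
    return hits


if __name__ == "__main__":
    for client, host, why in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {host}: {why}")
```

Three of the five queries are flagged: the two recombined-brand names and the one that hides the official domain as a subdomain of another registrable domain. A production version would replace the two-label heuristic in registrable() with a real public-suffix lookup and feed the flagged clients into the "respond quickly" step above (isolate, reset credentials, notify).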

A Wake-Up Call for Cyber Hygiene

This campaign is a reminder that convenience should never come at the cost of security. As routine online tools are increasingly exploited, the need for vigilance, secure habits, and updated defences has never been more urgent.
