A Fake Tool That Looks Real
A new threat is making its way across the internet. Cybercriminals have created fake websites that look like trusted PDF converters but are actually tools for stealing personal data. These fake converters are designed to trick users into thinking they are using a safe and helpful service.
The real website, known as pdfcandy.com, is widely used by people who need to change file formats. It’s clean, simple, and trusted by millions. But two fake websites, candyxpdf[.]com and candyconverterpdf[.]com, have appeared online mimicking its look and feel. These imposters use similar names, designs, colors, and features to confuse visitors and appear genuine.
Although these fake sites are not as popular as the real one, they still received thousands of visits in March 2025. Candyxpdf[.]com had about 2,300 visits, while candyconverterpdf[.]com saw roughly 4,100. That number is worrying because it shows how even a small share of web traffic can lead to hundreds or thousands of people falling victim to a malware attack.
These fake sites are part of a wider scam where criminals take advantage of simple, everyday tasks like converting a file to trick users into downloading harmful software without realizing it.
How the Attack Works Behind the Scenes
Once someone visits one of these fake PDF conversion websites, everything appears normal. The user is allowed to upload a file for conversion, just like they would on any legitimate platform. However, instead of receiving a converted file, the user is given a command to run on their computer.
This command is a PowerShell instruction, which may look confusing or technical to most people. Believing it’s a normal part of the process, some users go ahead and run it.
What follows next is silent but dangerous. The command downloads a file disguised as adobe.zip. Inside this zip file is an application named audiobit.exe. When opened, this application uses a trusted Windows tool called MSBuild.exe to activate hidden malware called ArechClient2.
Cyberattack Catastrophe: How Hackers Can Endanger Human Lives ?
The malware immediately starts collecting sensitive data. It looks for saved passwords in internet browsers, information from crypto wallets, and other private files stored on the device. It works quietly and quickly, sending this information back to the attackers without the user ever noticing anything is wrong.
This method is effective because it blends into systems so well. The malware uses tools that already exist on Windows computers, which means security programs often don’t flag it right away. This makes it harder to detect and even harder to stop once it’s running.
Why So Many People Are Falling for It
The criminals behind these fake converters are not just using technical tricks they are also using psychological ones. Their fake websites are carefully built to look convincing. They include common features like smooth page transitions, fake loading bars, and even CAPTCHA challenges that make them seem real.
A CAPTCHA test often made up of squiggly letters or image puzzles is something many people associate with trusted websites. Including it makes the fake site feel more secure, even though it’s the opposite. Once users feel comfortable, they are more likely to follow strange or unusual instructions, like running a command on their computer.
How Cyber Attacks on Industrial Control Systems Can Endanger Lives ?
This clever mix of visual trust and technical deception is what makes the attack work. People are not expecting danger from a simple PDF converter, so they let their guard down. That’s exactly what the attackers want.
Even though these websites haven’t reached massive levels of popularity, the fact that thousands have already visited them shows how quickly and quietly these scams can spread. A simple mistake visiting a fake site or clicking the wrong button can turn into a serious privacy breach.
