Malware Campaign Targets Crypto Wallets With Fake PDF Conversion Software
A new malware campaign uses fake PDF-to-DOCX converter websites to trick users into running a malicious PowerShell command on their own devices, with cryptocurrency wallets as the primary target. The scheme, highlighted in a recent FBI alert, works by convincing the victim to execute a command that downloads Arechclient2, a variant of the SectopRAT family known for stealing sensitive information.

The malicious sites mimic legitimate converters such as PDFCandy and show fake loading screens to make the "conversion" look genuine. After several redirects, the payload is downloaded disguised as an 'adobe.zip' file. Once running, the malware gives the attackers access to browser credentials and cryptocurrency wallet data; it can capture seed phrases and interact with Web3 APIs to drain assets.

Experts recommend using a trusted antivirus product and verifying a file's real type rather than trusting its extension, and relying on reputable conversion tools instead of unfamiliar online services.

In a related note, Kaspersky has identified similar malware disguised as Microsoft Office add-ins on SourceForge, which also targets crypto wallets by manipulating clipboard data.
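The advice to verify a file's type beyond its extension can be made concrete. The following is an added example, not code from the article or from any vendor it names: a small Python checker that identifies a downloaded file by its leading bytes (PDF, Windows executable, ZIP, or a DOCX-shaped OOXML container), compares that with what the extension claims, and flags archives that carry executables. All file names and contents below are constructed stubs, including the 'adobe.zip' sample that mirrors the lure described above; no real malware is involved.

```python
import io
import zipfile
from pathlib import Path

# Added example (not from the original article): compare a downloaded file's
# real type, read from its magic bytes, with the type its extension claims,
# and flag archives that contain executables. Samples below are constructed.

EXPECTED_TYPE = {".pdf": "pdf", ".docx": "docx", ".zip": "zip"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd",
                       ".js", ".vbs", ".lnk", ".msi"}


def detect_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"  # Windows executable or DLL
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # DOCX is an OOXML container: a ZIP holding [Content_Types].xml and word/ parts.
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "docx"
        return "zip"
    return "unknown"


def executables_in_archive(data: bytes) -> list:
    """List archive members with an executable suffix or an MZ header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = Path(info.filename).suffix.lower()
            if suffix in EXECUTABLE_SUFFIXES or zf.read(info).startswith(b"MZ"):
                found.append(info.filename)
    return found


def check_download(filename: str, data: bytes) -> dict:
    """Compare the claimed type (from the extension) with the detected type."""
    ext = Path(filename).suffix.lower()
    expected = EXPECTED_TYPE.get(ext)
    actual = detect_type(data)
    result = {"filename": filename, "claimed": expected, "actual": actual, "executables": []}
    if expected is None:
        result["verdict"] = "unexpected-extension"
    elif actual != expected:
        result["verdict"] = "mismatch"  # e.g. an executable renamed to .pdf
    else:
        if actual in ("zip", "docx"):
            result["executables"] = executables_in_archive(data)
        result["verdict"] = "suspicious" if result["executables"] else "ok"
    return result


def build_zip(entries: dict) -> bytes:
    """Helper: build an in-memory ZIP from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a PDF stub, a minimal DOCX-shaped container, a PE stub
# renamed to .pdf, and an 'adobe.zip' carrying a PE stub (inert bytes, not malware).
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
SAMPLE_DOCX = build_zip({"[Content_Types].xml": b"<Types/>",
                         "word/document.xml": b"<w:document/>"})
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed-stub"
SAMPLE_ADOBE_ZIP = build_zip({"adobe.exe": FAKE_PE, "readme.txt": b"notes"})

SAMPLES = {
    "report.pdf": SAMPLE_PDF,
    "report.docx": SAMPLE_DOCX,
    "converted.pdf": FAKE_PE,        # executable wearing a PDF extension
    "adobe.zip": SAMPLE_ADOBE_ZIP,   # archive that carries an executable
}


def scan_samples() -> dict:
    """Run the check over every constructed sample; returns filename -> verdict."""
    return {name: check_download(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_download(name, data)
        print(f"{name:15} claimed={str(r['claimed']):5} actual={r['actual']:5} "
              f"verdict={r['verdict']} {r['executables']}")
```

The check is deliberately conservative: a ZIP that merely lacks OOXML parts is reported as "zip", not as malicious, and only a genuine mismatch (such as MZ bytes behind a .pdf name) or an archive member with an executable suffix or header raises the verdict. In practice the same logic belongs in a download-scanning or mail-gateway hook rather than in a script the end user runs by hand.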