FormatDogWorkspace

100% SECURE PRIVATE SANDBOX

The FBI Warned About Fake PDF Converters. Here's Exactly How the Scam Works

Published 9 July 2026 · 8 min read

In March 2025, the FBI's Denver field office put out something you don't see very often: a public warning specifically about file converter websites. Not phishing emails, not fake shopping sites — the ordinary, everyday "convert my Word doc to PDF" tools that millions of people use without a second thought. The advisory described sites that looked completely normal, actually performed the conversion you asked for, and quietly installed malware on your computer at the same time.

This isn't a hypothetical "online tools can be risky" thought experiment. It's a specific, documented pattern that security researchers have since traced in detail, with real malware families, real fake domains, and a real technique for telling the difference. This piece walks through what's actually been found, and how to check any tool for yourself before you trust it with a file.

The short version: some file converter sites aren't just uploading your file to a server — they're actively distributing malware, either through a fake "download" step, a browser extension you're prompted to install, or malicious code hidden inside the file they hand back to you. The FBI's March 2025 advisory and multiple independent security research reports have documented this happening at scale.

What the FBI actually said

The advisory identified three distinct methods these sites use. Sometimes the "converter" you download to run locally is the malware itself, dressed up as a legitimate desktop tool. Sometimes the site prompts you to install a browser extension to "enable" the conversion, and the extension is the payload. And sometimes the conversion genuinely works — you get back a real, functional PDF — except it has something embedded inside it that activates when you open it later. The FBI specifically flagged ransomware as one of the outcomes, alongside browser hijackers, adware, and credential-stealing malware capable of harvesting Social Security numbers, banking logins, cryptocurrency wallets, passwords, and even session tokens that let attackers bypass multi-factor authentication entirely.

The most common bait, according to the advisory, is exactly the kind of everyday task that makes people let their guard down: converting a Word document to PDF, or the reverse, or combining a few photos into one PDF file.

A real, documented example

Security researchers at CloudSEK later published a detailed technical breakdown of one such campaign, built entirely around impersonating a real, popular PDF conversion service called PDFCandy. The fake sites — running on lookalike domains, not the real pdfcandy.com — displayed a fake processing animation and an unusual CAPTCHA step, purely to build trust and make the moment feel routine. That CAPTCHA step ended by getting the visitor to copy and run a PowerShell command.

That single command was the entire attack. It pulled down a file disguised as "adobe.zip" through a chain of shortened links, which unpacked into an executable that launched legitimate-looking Windows processes to quietly install a credential-stealing program called ArechClient2, a variant of a known info-stealer family called SectopRAT. Once running, it was built specifically to pull saved browser logins and cryptocurrency wallet data off the infected machine.

None of that required a sophisticated hack. It required a visitor trusting a website that looked close enough to a real one, at a moment when copying and pasting a command into PowerShell felt like a normal part of "converting a file."

The one red flag that matters most

Strip away the specifics and there's a single, reliable signal running through basically every case researchers have documented: legitimate file conversion, whether it happens on a server or right in your browser, never requires you to download an installer, add a browser extension, or run a command yourself. The moment a "PDF converter" asks you to do any of those three things, it has already stopped being a converter and started being something else.

This is worth remembering precisely because it cuts against instinct. A site that asks you to install something can feel more official, not less — like it's a "real program" rather than a website. That instinct is exactly what these campaigns are built to use.

How this is structurally different from the privacy trade-off we usually write about

Most of what we cover on this blog is about legitimate tools that process your file on a real server, which raises a privacy question worth thinking about — not a malware one. That's a genuinely different, much lower-stakes category than what's described here. The tools in the FBI's warning aren't reputable services making an ordinary architectural choice; they're built specifically to deceive.

FormatDog's tools don't fall into either the malicious category above, or the "your file goes to our server" category we write about elsewhere on this blog — they're built entirely as JavaScript and WebAssembly running in your browser tab, with no installer, no browser extension, and no separate program to run. That's not a claim you have to take on faith: it's exactly what the verification steps below are for.

How to actually check, on any converter, in under a minute

You don't need security training to catch most of what's described above. A few concrete checks:

The takeaway

This isn't a reason to distrust every free conversion tool, including the many legitimate ones that upload your file to a real server and handle it responsibly. It's a reason to take the FBI's specific, dated warning seriously: a meaningful share of "PDF converter" results in a search engine aren't converters at all, and the difference usually comes down to one moment — being asked to install, run, or download something you didn't go looking for. Catch that moment, and you catch essentially everything described here.

Sources