Fake File Converter Websites are Pushing Malware

Cobalt Strike, DocuFix, file converters, Gootloader, malware, Ophtek, PDFixers, security software, trusted sites, , , , , , , ,
22
Apr 2025

The FBI has warned that fake online file converters are spreading malware, potentially leading to data theft, financial loss, and ransomware attacks.

Cybercriminals are creating fake file conversion websites which appear to offer free tools for converting documents, images, and other file types. Many people use these types of file converters to convert a PDF to a Word document, extract audio from video files, or change an image file to a more suitable format. However, instead of just providing a conversion service, these malicious websites are also infecting users’ PCs with malware.

This attack is especially dangerous as PC users regularly access file conversion websites, but they don’t realize that these sites could be dangerous. Once a visitor has their converted file, they assume all is well. Unfortunately, behind the scenes, much more is going on.

Converting Your Files into Malware

The fake file converter websites often appear in search engine results or through online ads, making them appear safe and legitimate. Some of the most recent ones to have been identified as being at risk include DocuFix and PDFixers. When a user visits one of these sites, they’re typically instructed to upload the file they want to convert. Once the file is uploaded, the website provides a download link for the “converted” file.

However, this file is not what it seems. Although the downloaded file may be a correctly converted file, it will also have malware hidden in it. As well as containing malware, these fake websites will also analyze files uploaded by users for sensitive data e.g. if someone has uploaded a PDF file containing financial information, the threat actors behind the website will be able to harvest this. In many cases, a correctly converted file isn’t even included in the available download, with malware such as Gootloader and Cobalt Strike being the only files on offer.

The impact of this malware can be catastrophic. Running quietly in the background, it can capture personal data, launch ransomware attacks, or even take control of the PC. Accordingly, all PC users need to tread carefully online.

Staying Safe from the Threat of Fake Converters

File converter websites are incredibly useful, but only when they’re the real deal and do exactly what they claim. However, as most internet users accessing these sites are busy working on something, they don’t always pay attention to the site they’re visiting. And this is where cybercriminals have an opportunity to exploit this trust. Therefore, it’s crucial that you understand these best practices for staying safe:

  • Only Use Trusted Sites: Never use a file converter website that you haven’t thoroughly researched. Always conduct a quick Google search for reviews of the website and carefully read the most recent comments. Even if you’re a regular user of a particular converter website, always double check that the URL is correct – many threat actors mimic official websites by changing a letter or two in order to appear genuine.
  • Be Cautious When Downloading: Always scan any downloaded files from the internet with your security software. These security tools are regularly updated to identify all new strains of malware and can stop you executing any malicious files. Additionally, if a file converter asks you to install further tools to convert your files, you should immediately stop.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Cybercriminals Exploit Tax Season: Stay Alert to Scams

AHKBot, BruteRatel C4, GULoader, Install Patches, malicious emails, malicious sites, Ophtek, Phishing Email, Tax Scams, Update Software, , , , , , , ,
10
Apr 2025

Cybercriminals are exploiting the urgency of tax season to launch phishing scams aimed at stealing personal and financial data.

Once again, the tax filing deadline is fast approaching for Americans and cybercriminals are preparing to take advantage of this seasonal chaos. Microsoft has recently issued a warning about a surge in tax-themed phishing campaigns targeting both individuals and businesses. These scams are designed to look convincing – often replicating official communications from the IRS or trusted tax companies– and are very successful at tricking people into revealing sensitive data or installing malware.

Luckily, Ophtek has your back and we’re here to give you some advice on how you can stay safe.

Understanding Tax-Related Phishing Scams

At the core of these scams are phishing emails which use urgency and fear to catch victims off guard and cause them to commit an action. The emails may, for example, claim there’s a problem with your tax filing, warn of an audit, or promise that a tax refund is due. These emails often contain subject names such as “EMPLOYEE TAX REFUND REPORT” or “Tax Strategy Update Campaign Goals” which, once opened, can install malicious software.

Typically, the emails also contain PDF attachments – with names such as lrs_Verification_Form_1773.pdf – which are used to redirect users to malicious website containing malware. In certain cases, the emails also include links or QR codes that redirect users to fake websites made to resemble genuine tax portals. The goal is simple: get users to enter their personal or financial details or download malware.

But not all of these phishing emails are easily identifiable as threatening or suspicious. Some start with relatively harmless messages to build trust. Once the target feels comfortable, follow-up emails are used to introduce more dangerous content. This makes it more likely the user will activate a malicious payload compared to an email received out of the blue. A wide range of malware has been observed in these attacks with GuLoader, AHKBot, and BruteRatel C4 just a few of those involved.

Protect Your Finances and Your Tax Returns

The financial and personal impact of these attacks can be significant for victims. As well as the potential financial loss, those affected often face further headaches in the form of frozen credit, blacklisting, and stolen tax refunds. For businesses, the consequences can extend to data breaches, costly compliance violations, and significant downtime. Accordingly, you need to tread carefully during tax season and make sure you follow these best practices:

  • Verify Email Authenticity: It’s crucial that you check the authenticity of all emails you receive, especially those which call for an urgent action to be performed. Always check the email address of emails received and make sure they’re not using an unusual domain spelling e.g. I-R-S@tax0ffice.com
  • Be Careful of Attachments and Links: Never open attachments from unknown sources as these could easily contain malware. Likewise, be careful when dealing with links – hover your mouse cursor over any suspicious links to reveal the genuine destination and Google the true URLs to identify any potential threat.
  • Keep Your Software Updated: Finally, make sure that your software is always up-to-date and has the latest security patches installed. This can strengthen your cyber defenses and make it much harder for threat actors to take advantage of software vulnerabilities.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

TP-Link Routers Exploited with Ease by Vulnerability

cyberattack, default passwords, Ophtek, remote management, router firmware update, security patches, security_updates, TP-Link Archer AX-21, , , , , , ,
08
Apr 2025

A recent cyberattack has compromised thousands of TP-Link routers, turning them into a botnet which spreads malware and launches cyberattacks worldwide.

Cybersecurity researchers have discovered a widespread attack where threat actors exploited a vulnerability (CVE-2023-1389) in TP-Link Archer AX-21 routers. This security flaw allows attackers to take control of unpatched routers remotely, recruiting them – alongside thousands of others – into part of a botnet. What’s a botnet? Well, luckily Ophtek is here to explain: a botnet is a network of infected devices used for malicious activities on a huge scale.

At least 6,000 routers have been affected, with compromised devices being found all across the world in Brazil, Poland, the UK, Bulgaria, and Turkey. Once one of the TP-Link routers are infected, they can spread malware to other devices on the same network or be used as part of a coordinated botnet attack.

How Were the TP-Link Routers Exploited?

The threat-actors behind the attack started by simply scanning the internet for any vulnerable TP-Link routers that had not been updated with the latest security patches. Each time a router was found with the vulnerability in place, the attackers were able to exploit a remote code execution flaw – which allowed the hackers to install malware on the router.

Once infected, these routers became part of the Ballista botnet, which the threat actors were able to control remotely. As more and more routers, and devices connected to them, were recruited, Ballista became even more powerful. This enabled it to spread malware to further PCs and devices, launch DDoS attacks to flood websites and disrupt online services, and steal sensitive data passing through the router.

Why Should PC Users be Concerned?

All modern PCs rely on routers to connect to the internet and internal IT infrastructures, but many people take them for granted and don’t consider them a security risk. Accordingly, many PC users have been caught out by not updating their router’s firmware or keeping their device’s default password, both of which make them easy targets for hackers. As TP-Link router users have discovered, an infected router can quickly become a major security risk, sending data to hackers without the user being aware.

Keeping Your Router Safe from Vulnerabilities

It’s highly likely that you own a router or regularly use a computer connected to one. Regardless of the make and model, all routers have the potential to be compromised by threat actors. Here’s how you can stay safe:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Taiwan Businesses Targeted by Winos 4.0 Malware

malicious emails, National Taxation Bureau, Ophtek, Phishing, Silver Fox, Taiwan, Win 4.0, , , , , , ,
01
Apr 2025

A recent cyberattack has targeted Taiwanese companies using phishing emails which appear to be from Taiwan’s National Taxation Bureau.

In this attack, cybercriminals sent phishing emails to businesses in Taiwan, pretending to be officials from the National Taxation Bureau. These emails contained malicious attachments designed to infect victims’ computers with malware. The threat actors’ aim was to steal sensitive information and gain unauthorized access to IT infrastructures, enabling the attackers to have easy access to secure data.

How Did the Winos Attack Unfold?

The threat actors created emails which, at a quick glance, appeared official and claimed to provide a list of companies scheduled for tax inspections. The recipients were urged to download a zip file containing this list. However, contained within this ZIP file was a dangerous DLL file named lastbld2Base.dll. Once this file was activated, it set in motion a series of malicious actions – the most prominent of which was to download the Winos 4.0 malware. Winos 4.0 allowed the threat actors to take screenshots, record keystrokes, and remotely execute commands on the infected devices.

Once installed, Winos 4.0 gave the attackers deep access to the compromised systems. This access made the malware a powerful tool for carrying out espionage, especially given that the main targets appeared to be corporate businesses. These types of targets allowed the threat actors to gain access to huge amounts of personal data, rather than targeting individuals one at a time to harvest such data.

Security researchers believe that a hacking group known as Silver Fox are the perpetrators behind the attack. Silver Fox has a history of targeting Chinese-speaking users and has previously been observed using fake software installers and malicious game optimization apps to deceive victims.

Protecting Yourself from Such Attacks

This incident is further evidence that phishing campaigns are becoming more deceptive and underlining the importance of social engineering tactics for hackers. Many people glance over their emails quickly and, if they see an official and trusted government logo, the chances are that they’ll believe it’s genuine. However, it’s important that you and your employees stay safe, so make sure you practice the following:

  • Be Careful with Email Attachments: Always double check the authenticity of and email before downloading or opening email attachments, especially if they are unexpected or urge you to perform a specific action. If an email claims, for example, to be from a government agency, visit the official website to confirm its legitimacy before opening any attachments.
  • Keep Software Updated: Regularly updating your operating system and security software is crucial for protecting your PCs against known vulnerabilities. Many cyberattacks take advantage of outdated software with numerous vulnerabilities, so keeping your system up to date should be a priority at all times.
  • Educate Employees: Ensuring that your staff can recognize phishing attempts is crucial in 2025, as is carrying out safe email practices to prevent accidental exposure to malware or malicious links. Implementing cybersecurity awareness programs should be a priority for your IT inductions. Regular refresher courses should also be to help consolidate this learning.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Google Ads Used to Push Fake Google Chrome Installer

google ads, Google Chrome, malware, Ophtek, SecTopRat, security software, security_updates, , , , , ,
25
Mar 2025

Cybercriminals are exploiting Google Ads to distribute malware disguised as a genuine Google Chrome installer, tricking users into downloading the malware.

Threat actors are always innovative, and this recent attack underlines exactly why you need to be on your guard when online. Attackers have been purchasing ads which appear when PC users search for popular software downloads e.g. Google Chrome. Unfortunately, the ads which are served up lead to dangerous websites which closely resemble official download pages. This deception tricks users into downloading and installing malware.

As we spend a high proportion of our work time online, we’re going to dig deep into this attack to see what we can learn.

How Can Google Ads Compromise Your PC?

In this attack, users searching with terms such as “download Google Chrome” might find themselves confronted with a sponsored ad at the top of their search results. This ad can, at first, appear genuine, often having a URL which includes “sites.google.com” – a Google platform used to build free websites. Accordingly, users feel confident that these pages are official and trustworthy, especially when they look very similar to official download sites.

Once a user clicks the ad, they’re redirected to a malicious page which is a highly convincing imitation of the official Google Chrome download site. This page urges users to download a file named “GoogleChrome.exe” and, so far, everything appears as you would expect. With nothing unusual to suspect, users make the decision to trust the page, download the file, and then launch it.

However, once executed, the installer begins to act suspiciously. Firstly, it connects to a remote server to retrieve additional instructions. Secondly, it requests that they user grants it administrative privileges to assist in completing the download. At this point, alarm bells should start ringing, but most users still feel as though the software can be trusted. Once administrative privileges are granted, the installer executes a PowerShell command which prevents Windows Defender from scanning the malware’s location, enabling it to operate quietly in the background.

A further file is then downloaded to the BackupWin directory and, masquerading under the name of a genuine piece of software, opens up a communication channel with the threat actors’ remote server. The malware used is SecTopRAT, a Remote Access Trojan which allows the attackers to take remote control of the infected system and steal sensitive data such as capturing keystrokes, accessing files, and recording user activities.

Protecting Against the SecTopRAT Threat

Your employees are busy with their daily tasks and, therefore, it’s easy for them to have a lapse of judgement and quickly click on something they believe to be genuine. However, this can be disastrous for your IT infrastructure, so it’s crucial that your staff are mindful of the following:

  • Be Cautious of Sponsored Ads: Just because an ad is that the top of the search results, this doesn’t mean it can be trusted. This is why it’s important to always verify the authenticity of a URL before clicking it. Check for any unusual spellings or, to be fully safe, navigate directly to the official website for that software.
  • Only Download from Official Sources: The best approach is to always head straight to the developers website rather than trusting other online sources. Aside from sponsored ads, it’s critical that your team avoids downloading via links in emails or through torrent sites – both of these sources often lead to nothing but malware.
  • Keep Your Security Software Updates: One of the simplest ways to thwart attackers is to make sure your security software is up to date. This software regularly scans your system for threats, but it needs to be updated as soon as possible to detect the latest threats.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More
1 2 3 61