Free Converter Apps that Convert your Clean System to Infected in Seconds

By Marcus Rodriguez, January 19, 2026

Deceptive advertisements are propagating malicious file converter applications, resulting in thousands of systems becoming infected with persistent remote access trojans (RATs).

These seemingly legitimate productivity tools perform their advertised functions while secretly installing backdoors that give attackers continuous access to victim computers.

Nextron Systems found that the infection chain typically begins with malicious Google advertisements placed on legitimate websites, including video game download pages, adult content sites, and productivity tool websites.

When users search for file conversion tools like “Word to PDF converter” or image converters, these ads appear at the top of search results, making them appear trustworthy. Clicking the ad redirects victims through multiple domains before landing on fake converter websites that deliver trojanized software.

The malicious payload delivery websites share distinctive characteristics that make them recognizable once identified. Domains like ez2convertapp[.]com, convertyfileapp[.]com, powerdocapp[.]com, and pdfskillsapp[.]com all present prominent download buttons and similar page structures, including FAQs, feature descriptions, and privacy policies.

Figure: Malicious websites (Source: Nextron Systems)

Many of these domains don’t host dropper files directly but instead redirect users to additional domains that provide the actual malicious downloads.

Code Signing Creates False Legitimacy

To evade detection and appear trustworthy, attackers sign their malware with code signing certificates from publishers like BLUE TAKIN LTD, TAU CENTAURI LTD, and SPARROW TIDE LTD.

While many certificates have been revoked after discovery, new campaigns continuously emerge with fresh, valid certificates that bypass basic security checks. This allows the malware to appear as legitimate software to both end users and security tools performing signature verification.

After download, the converter applications, written in C#, drop additional payloads into the %LocalAppData% directory and create scheduled tasks that execute “updater” binaries every 24 hours.

According to Nextron Systems analysis, the scheduled tasks typically start one day after initial infection, and this “+1 day” offset serves as a useful forensic indicator for pinpointing the initial access timestamp. A system-specific UUID stored in an id.txt file identifies each victim during command-and-control (C2) communications.

The final-stage payload functions as a generic execution engine that contacts attacker-controlled C2 servers to retrieve and execute malicious .NET assemblies. These RATs provide attackers with capabilities including data theft, keylogging, screen capture, file system access, and the ability to download additional malware.

Figure: C2 authentication (Source: Nextron Systems)

The UpdateRetriever.exe component authenticates with the C2 server, receives executable code, and runs it silently on the victim system while sending results back to attackers.

Organizations can detect these infections by monitoring Windows Event ID 4698 (scheduled task created) in Security.evtx logs, which requires enabling object access auditing.

Suspicious scheduled tasks executing from %LocalAppData% directories serve as excellent detection anchors, especially when combined with Sysmon Event ID 13 registry monitoring and Task Scheduler Operational events.

Additional defenses include implementing application control policies, such as AppLocker, to block execution from user-writable locations, and creating deny rules for identified malicious code-signing certificates.
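The triage logic described above, written as an added example that is not from the article or from Nextron Systems: it takes Event ID 4698 records (task name, creation time and the task's own XML from the TaskContent field), flags tasks whose action runs from the %LocalAppData% tree, and applies the report's “+1 day” rule to estimate the initial access time. The task names, paths and timestamps in SAMPLE_EVENTS are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Task Scheduler XML namespace used inside the TaskContent field of Event ID 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Commands rooted in the user's %LocalAppData% tree, the drop location named in the report.
USER_WRITABLE = re.compile(r"(?i)(%localappdata%|\\appdata\\local\\)")

def parse_task(task_xml):
    """Return (command, first CalendarTrigger StartBoundary, DaysInterval) from Task XML."""
    root = ET.fromstring(task_xml)
    trig = "t:Triggers/t:CalendarTrigger/"
    return (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS),
            root.findtext(trig + "t:StartBoundary", default="", namespaces=NS),
            root.findtext(trig + "t:ScheduleByDay/t:DaysInterval", default="", namespaces=NS))

def triage_4698(events):
    """events: dicts with task_name, time_created (ISO 8601) and task_content (Task XML), as
    carried by Security.evtx Event ID 4698. Flags tasks whose action runs from a user-writable
    path and checks for a daily trigger whose first run sits ~24h after task creation."""
    findings = []
    for ev in events:
        cmd, start, days = parse_task(ev["task_content"])
        if not USER_WRITABLE.search(cmd):
            continue  # Program Files, System32 etc.: not this campaign's pattern
        created = datetime.fromisoformat(ev["time_created"])
        offset = datetime.fromisoformat(start) - created if start else None
        plus_one_day = offset is not None and timedelta(hours=23) <= offset <= timedelta(hours=25)
        findings.append({"task": ev["task_name"], "command": cmd, "daily": days == "1",
                         "plus_one_day": plus_one_day,
                         # The report's "+1 day" offset makes the 4698 creation time the best
                         # estimate of initial access.
                         "initial_access": created.isoformat() if plus_one_day else None})
    return findings

TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>{start}</StartBoundary>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
<Actions><Exec><Command>{cmd}</Command></Exec></Actions></Task>"""

# Constructed sample events (not from the report): a converter-style updater task and a benign one.
SAMPLE_EVENTS = [
    {"task_name": r"\ConvertyUpdater", "time_created": "2026-01-10T14:02:11",
     "task_content": TASK_XML.format(start="2026-01-11T14:02:11",
                                     cmd=r"C:\Users\alice\AppData\Local\ConvertyFile\updater.exe")},
    {"task_name": r"\Contoso\Backup", "time_created": "2026-01-10T09:00:00",
     "task_content": TASK_XML.format(start="2026-01-10T10:00:00",
                                     cmd=r"C:\Program Files\Contoso\backup.exe")},
]
```

Feeding real 4698 records requires the Audit Other Object Access Events subcategory to be enabled; the same path filter applies to Sysmon Event ID 13 and Task Scheduler Operational events.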
