Do Son 
Image: @BushidoToken
The FBI has issued a warning: free online document converters may lead to malware infections and, in some cases, ransomware attacks. Alarmingly, such incidents have become increasingly frequent in recent months.
Cybercriminals have been setting up websites that appear to offer a simple and helpful service—converting files from one format to another. This might include transforming a “.doc” file into a “.pdf,” merging multiple “.jpg” images into a single file, or downloading music and videos in “.mp3” or “.mp4” formats. However, alongside the requested file, users may unknowingly receive a concealed malicious payload.
According to the FBI, many of these sites do indeed perform the advertised function, which lowers users’ defenses. At the same time, a file containing malicious code is silently delivered to the device. This grants attackers remote access to the victim’s computer, opening the door to further attacks—from data theft to the deployment of ransomware.
The danger is particularly acute when users upload documents containing sensitive information. The contents of such files may be extracted, including names, email addresses, Social Security numbers, banking details, cryptocurrency wallet credentials, passwords, and secret recovery phrases.
The Denver division of the FBI has already received reports from victims, including a government agency. Officials note that attackers often mimic legitimate URLs, altering a single letter or appending suffixes like “INC” instead of “CO” to deceive unsuspecting users.
Complicating matters further, search engines frequently prioritize promoted results—some of which may be fraudulent converters in disguise. Users searching for “free online converter” are especially vulnerable to such traps.
Security researcher @BushidoToken cited examples of suspicious sites like “docu-flex[.]com” and “pdfixers[.]com,” which distributed malicious executable files. Analysis revealed that these files were identified as malware and could be used to install trojans and other forms of spyware.
Another researcher tracking the spread of Gootloader malware reported that similar fake converters were promoted through Google ad campaigns. Upon visiting the site, users were shown a PDF upload form, but instead of receiving the expected DOCX file, they were delivered a ZIP archive containing a malicious JavaScript file.
Gootloader is commonly used to deliver a variety of dangerous payloads—from banking trojans to remote access tools like Cobalt Strike. These attacks often mark the initial stage of a broader infiltration into corporate networks, after which attackers can move laterally across infrastructure and deploy ransomware—frequently associated with notorious groups such as REvil and BlackSuit.
While not all online converters are inherently malicious, cybersecurity experts advise users to carefully scrutinize the source, avoid obscure or unfamiliar sites, and remain cautious if an executable or JavaScript file is downloaded instead of the expected document. Such files typically signal an attempt to infect the system.
Verifying a website’s reputation, reading user reviews, and avoiding the download of suspicious files can significantly reduce the risk. In cases of uncertainty, it is safest to forgo the use of such services altogether.
