How the Qike PDF Converter Turns PCs into Botnets: Malware Analysis and Prevention

Huorong’s threat intelligence team discovered that the Qike PDF Converter carries a malicious proxy module that silently spreads via download‑site installers, hijacks system processes, persists as a startup service, and can turn infected machines into high‑CPU‑usage botnets, prompting immediate security updates.

Java Architect Essentials

Huorong’s threat intelligence system detected that the Qike PDF Converter includes a malicious proxy module that is distributed through silent promotion by download‑site installers. Users who install the converter experience unexplained CPU spikes and system lag because the hidden module contacts numerous unfamiliar URLs.

The malicious component is dropped into the %appdata%\tx directory during installation and runs under system processes such as svchost.exe, FnClientService.exe, and FnClientService20.exe. Even after the converter is uninstalled, the proxy module remains as a system service that starts automatically, ensuring permanent residence on the infected PC.
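
As an added example (not from Huorong's report or the original article), the following Python triages an exported Windows service inventory against the drop directory and image names described above. It assumes records that use the Win32_Service property names Name, PathName and StartMode, and that %SystemRoot% is C:\Windows; the sample records are constructed.

```python
import ntpath
import re

# Indicators from the article: drop directory %appdata%\tx and these image names.
FN_NAMES = {"fnclientservice.exe", "fnclientservice20.exe"}
# Assumption (general Windows knowledge, not from the article): the genuine
# svchost.exe lives only in these directories, with %SystemRoot% = C:\Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def image_path(path_name):
    """Pull the executable path out of a Win32_Service PathName value."""
    cmd = path_name.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def findings(service):
    """Return reason codes for one service record (empty list = no match)."""
    path = ntpath.normpath(image_path(service["PathName"])).lower()
    directory, name = ntpath.split(path)
    folder = directory + "\\"
    reasons = []
    if "\\appdata\\roaming\\tx\\" in folder or folder.startswith("%appdata%\\tx\\"):
        reasons.append("drop-dir")               # image under %appdata%\tx
    if name == "svchost.exe" and directory not in SYSTEM_DIRS:
        reasons.append("svchost-outside-system-dir")
    if name in FN_NAMES:
        reasons.append("reported-name")          # name match only: review manually
    if reasons and service.get("StartMode") == "Auto":
        reasons.append("auto-start")             # starts again after every reboot
    return reasons


def triage(services):
    """Map service name -> reason codes for every record that matched."""
    return {s["Name"]: r for s in services if (r := findings(s))}


# Constructed sample inventory (service names and the user name are made up).
SAMPLE = [
    {"Name": "Dnscache", "PathName": r"C:\Windows\System32\svchost.exe -k NetworkService -p", "StartMode": "Auto"},
    {"Name": "ExampleSvcA", "PathName": r'"C:\Users\alice\AppData\Roaming\tx\svchost.exe"', "StartMode": "Auto"},
    {"Name": "ExampleSvcB", "PathName": r"C:\Users\alice\AppData\Roaming\tx\FnClientService20.exe --run", "StartMode": "Auto"},
    {"Name": "ExampleSvcC", "PathName": r"C:\ProgramData\Example\svchost.exe", "StartMode": "Manual"},
    {"Name": "Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe", "StartMode": "Auto"},
]

if __name__ == "__main__":
    for svc_name, reasons in triage(SAMPLE).items():
        print(svc_name, reasons)
```

A "reported-name" hit on its own is only a lead, since the article does not say where else those file names may legitimately appear.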

Analysis showed that all observed versions of the malicious module share highly similar code. Tracing the installer and the dropped svchost.exe revealed they originate from a Hangzhou‑based technology company, whose website “ZL Software” offers traffic‑proxy services. The company’s signing information is displayed in the accompanying screenshot.

The distribution method mirrors common silent‑promotion tactics used by many adware download sites: users click a “high‑speed download” link, receive a downloader instead of the intended software, and the downloader silently bundles additional unwanted programs. This technique was also employed by the notorious “Mala Xiang Guo” virus in earlier domestic outbreaks.

When the Qike PDF Converter is installed, the hidden proxy module turns the user’s computer into a botnet node, allowing attackers to control the machine without the user’s knowledge. Huorong reports that the malware affects tens of thousands of users daily.

Huorong has updated its virus definitions to detect and remove the Qike PDF Converter and its associated malicious modules. Users who have previously installed the converter are advised to run a full scan with the latest Huorong security software to ensure complete removal.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
