
Analysis of Qike PDF Converter Malware and Its Silent Propagation Mechanism

Security researchers discovered that the Qike PDF Converter embeds a malicious proxy module that silently spreads via download‑site installers, hijacks system processes, consumes CPU, persists as a startup service, and originates from a Hangzhou tech company, highlighting the risks of silent promotion in freeware distribution.

Laravel Tech Community

According to Huorong threat‑intelligence monitoring, Huorong engineers found that the Qike PDF Converter carries a malicious proxy module and is being promoted silently through a download‑site downloader.

Recent user feedback indicated unexplained computer lag and high CPU usage.

Processes such as svchost.exe, FnClientService.exe, and FnClientService20.exe were observed accessing a large number of unfamiliar URLs.

Engineers traced the cause of these symptoms to the installation of the Qike PDF Converter.

The converter primarily spreads silently by using the download‑site’s downloader to install itself without user awareness.

During installation, it releases a malicious proxy module into the %appdata%\tx directory.

In simple terms, the hidden module makes the infected computer visit many unknown websites, leading to increased CPU usage and system sluggishness.

Even if the user uninstalls the Qike PDF Converter, the malicious module remains as a system service that starts automatically on boot, achieving permanent residence on the machine.
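The indicators described so far (the process names, the %appdata%\tx drop directory, and the auto-start service) can be checked against an exported process and service inventory. The following is an added example, not code from Huorong or from the original article; the record layout, the sample rows, and the assumption that %appdata% expands to a path ending in AppData\Roaming are constructed for illustration.

```python
import ntpath

# Indicators named in the article; %appdata% is assumed to end in \AppData\Roaming.
SUSPECT_NAMES = {"fnclientservice.exe", "fnclientservice20.exe"}
DROP_DIR = "\\appdata\\roaming\\tx\\"

def image_path(command_line):
    """Reduce a process or service command line to its lowercase executable path."""
    text = command_line.strip()
    if text.startswith('"'):
        text = text[1:].split('"', 1)[0]      # quoted path, arguments follow
    else:
        end = text.lower().find(".exe")       # unquoted path, cut before arguments
        if end != -1:
            text = text[:end + 4]
    return ntpath.normpath(text).lower()

def triage(records, system_root=r"C:\Windows"):
    """Return (kind, name, reasons) for every record that matches an indicator."""
    root = ntpath.normpath(system_root).lower()
    trusted = {root + "\\system32", root + "\\syswow64"}
    findings = []
    for rec in records:
        folder, exe = ntpath.split(image_path(rec.get("path") or ""))
        reasons = []
        if DROP_DIR in folder + "\\":
            reasons.append("image under %appdata%\\tx")
        if exe == "svchost.exe" and folder not in trusted:
            reasons.append("svchost.exe outside System32")
        if exe in SUSPECT_NAMES:
            reasons.append("FnClientService name")
        if reasons and rec["kind"] == "service" and rec.get("start_mode") == "Auto":
            reasons.append("auto-start service")
        if reasons:
            findings.append((rec["kind"], rec["name"], reasons))
    return findings

# Constructed inventory rows (not from the article), shaped like a process/service export.
SAMPLE = [
    {"kind": "process", "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"kind": "process", "name": "svchost.exe",
     "path": r"C:\Users\alice\AppData\Roaming\tx\svchost.exe"},
    {"kind": "service", "name": "ExampleSvc", "start_mode": "Auto",
     "path": r'"C:\Users\alice\AppData\Roaming\tx\FnClientService.exe" --run'},
    {"kind": "service", "name": "Spooler", "start_mode": "Auto",
     "path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE):
        print(kind, name, "; ".join(reasons))
```

A name match alone is weak evidence; the path checks are what separate the genuine svchost.exe from a copy dropped in a user profile.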

Multiple versions of the Qike PDF Converter and its malicious modules have been discovered, all sharing highly similar code.

Trace analysis revealed that both the installer package and the malicious svchost.exe module originate from a technology company in Hangzhou, as shown in the signature information below.

The company’s website “ZL Software” mainly provides traffic‑proxy services.

Silent promotion through dubious download sites is a well‑known tactic: users click a “high‑speed download” link, receive a downloader instead of the intended software, and the downloader bundles unwanted junk programs in the background.

The previously widespread “Malatang” virus also used such collaborations with malicious download sites to distribute infected tools.

Qike PDF Converter spreads in the same manner, turning infected PCs into bots that are difficult for users to detect.

Huorong reports that the malware affects tens of thousands of users daily and advises everyone to stay vigilant.

The Huorong security suite has updated its virus definitions to detect and remove the Qike PDF Converter; users who have installed it should run a scan to ensure their systems are clean.
