Malware News FBI: Free file converter sites and tools deliver malware

[Gandalf_The_Grey]

Content source

https://www.helpnetsecurity.com/2025/03/18/fbi-free-file-converter-sites-and-tools-deliver-malware/

Malware peddlers are increasingly targeting users who are searching for free file converter services (websites) and tools, the FBI’s Denver Field Office has warned earlier this month.

“To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool,” the FBI said.

“These converters and downloading tools will do the task advertised, but the resulting file can contain hidden malware giving criminals access to the victim’s computer.”

Also, some of these tools and services can analyze the files submitted by the users, and scrape them for personal identifying information (PII), banking and crypto-related info (e.g., crypto wallet seed phrases), passwords, and other sensitive information.

Malwarebytes researcher Pieter Arntz provided a list of domains hosting sites that ostensibly provide file conversion services or tools, but actually engage in phishing and delivering trojans, adware and “riskware” – a category that encompasses programs that are not strictly malicious, but pose some sort of risk for the user (e.g., programs that can be used as a backdoor for other malware, may be illegal, or may violate the terms of service of other software or a user platform):

• Imageconvertors[.]com (Phishing)
• Convertitoremp3[.]it (Riskware)
• Convertisseurs-pdf[.]com (Riskware)
• Convertscloud[.]com (Phishing)
• Convertix-api[.]xyz (Trojan)
• Convertallfiles[.]com (Adware)
• Freejpgtopdfconverter[.]com (Riskware)
• Primeconvertapp[.]com (Riskware)
• 9convert[.]com (Riskware)
• Convertpro[.]org (Riskware)

FBI: Free file converter sites and tools deliver malware - Help Net Security

Malware peddlers are increasingly targeting users who are searching for free file converter services (websites) and tools.

www.helpnetsecurity.com

 

[Zero Knowledge]

Yeah it's a problem, converting YouTube to 320kbs is a pain now . Sites offering malware extensions so be careful, site admins limit you if you convert too much (YES I know your watching ).

 

[nicolaasjan]

See also:
Malware News - FBI Denver Warns of Online File Converter Scam

Just to be sure, I put these in my hosts file:

0.0.0.0 9convert.com
0.0.0.0 convertallfiles.com
0.0.0.0 convertisseurs-pdf.com
0.0.0.0 convertitoremp3.it
0.0.0.0 convertix-api.xyz
0.0.0.0 convertpro.org
0.0.0.0 convertscloud.com
0.0.0.0 freejpgtopdfconverter.com
0.0.0.0 imageconvertors.com
0.0.0.0 primeconvertapp.com

For file conversion, I have several shell scripts, which can be called via the right-click menu on Linux Mint.

 

[brambedkar59]

Yeah it's a problem, converting YouTube to 320kbs is a pain now .

Why would you even do that? Convert from one lossy codec to another lossy codec. Losing quality while increasing file size. Instead download the file in whatever format it is stored on YT servers (eg. Opus, aac etc.) with yt-dlp.

Edit: m4a is a container not a codec

 

[Morro]

See also:
Malware News - FBI Denver Warns of Online File Converter Scam

Just to be sure, I put these in my hosts file:

0.0.0.0 9convert.com
0.0.0.0 convertallfiles.com
0.0.0.0 convertisseurs-pdf.com
0.0.0.0 convertitoremp3.it
0.0.0.0 convertix-api.xyz
0.0.0.0 convertpro.org
0.0.0.0 convertscloud.com
0.0.0.0 freejpgtopdfconverter.com
0.0.0.0 imageconvertors.com
0.0.0.0 primeconvertapp.com

For file conversion, I have several shell scripts, which can be called via the right-click menu on Linux Mint.

Added those to my NextDNS blocklist.

Why would you even do that? Convert from one lossy format to another lossy format. Losing quality while increasing file size. Instead download the file in whatever format it is stored on YT servers (eg. Opus, m4a, aac etc.) with yt-dlp.

Never heard of that one, will take a look at it.

 

[brambedkar59]

Never heard of that one, will take a look at it.

Just to be clear yt-dlp is a cmd-line open source program with no official GUI. There are several unofficial GUIs available for it, I use this:

GitHub - ErrorFlynn/ytdlp-interface: Windows graphical interface for yt-dlp, designed as a simple YouTube downloader

Windows graphical interface for yt-dlp, designed as a simple YouTube downloader - ErrorFlynn/ytdlp-interface

github.com

Edit: changed "native" to "official"

 

[Morro]

Just to be clear yt-dlp is a cmd-line open source program with no native GUI. There are several unofficial GUIs available for it, I use this:

GitHub - ErrorFlynn/ytdlp-interface: Windows graphical interface for yt-dlp, designed as a simple YouTube downloader

Windows graphical interface for yt-dlp, designed as a simple YouTube downloader - ErrorFlynn/ytdlp-interface

github.com

I noticed, thank you for the GUI link.

 

[Zero Knowledge]

Why would you even do that? Convert from one lossy format to another lossy format. Losing quality while increasing file size. Instead download the file in whatever format it is stored on YT servers (eg. Opus, m4a, aac etc.) with yt-dlp.

Audio formats/quality is a subject I'm not a expert in, thanks for the link. I just assumed 320kbs is the highest audio rate and quality under FLAC. Never knew there were better options.

 

[nicolaasjan]

I just assumed 320kbs is the highest audio rate and quality under FLAC.

The aac (in m4a container) and especially the opus codec achieve the same quality at roughly half the bitrate.
(opus is the best option, but not all devices can play it)

Also, it depends on the quality of the audio that was uploaded to YouTube in the first place!
Some just upload 128kbps mp3 grabbed from e.g. Soundcloud.
YT then converts it to m4a and opus and in the process there is even more loss.

mp3 is considered ancient now.

 

[The_King]

Just to be clear yt-dlp is a cmd-line open source program with no official GUI. There are several unofficial GUIs available for it, I use this:

GitHub - ErrorFlynn/ytdlp-interface: Windows graphical interface for yt-dlp, designed as a simple YouTube downloader

Windows graphical interface for yt-dlp, designed as a simple YouTube downloader - ErrorFlynn/ytdlp-interface

github.com

Edit: changed "native" to "official"

Sorry for the slightly off topic, but is this working for anyone on YT?

I get a please sign in error to show you are not a bot, but there is no option to sign in on the GUI?

changed from IOS to Android still getting errors

 

[Morro]

Sorry for the slightly off topic, but is this working for anyone on YT?

I get a please sign in error to show you are not a bot, but there is no option to sign in on the GUI?
View attachment 287800

changed from IOS to Android still getting errors
View attachment 287801

Well, I got that sign in problem at first, but after I had set the settings seen in the "settings" picture under Building the source section, that message was gone.

But, then I got some warning that chrome cookies could not be imported or something, even though I had set the GUI to import cookies from Brave. Maybe we both are doing something wrong?

 

[nicolaasjan]

Sorry for the slightly off topic, but is this working for anyone on YT?

I get a please sign in error to show you are not a bot, but there is no option to sign in on the GUI?
View attachment 287800

changed from IOS to Android still getting errors
View attachment 287801

Is this video lXuAf8ly6hs?

But, then I got some warning that chrome cookies could not be imported or something, even though I had set the GUI to import cookies from Brave. Maybe we both are doing something wrong?

Chrome cookies can't be imported when the browser is open.
Try with Firefox.

--cookies-from-browser firefox

Then it will work:
(however for some reason the download also proceeded here without providing cookies)

Spoiler: CLI

yt-dlp https://www.youtube.com/watch?v=lXuAf8ly6hs
Extracting cookies from firefox
Extracted 48 cookies from firefox
[youtube] Extracting URL: https://www.youtube.com/watch?v=lXuAf8ly6hs
[youtube] lXuAf8ly6hs: Downloading webpage
[youtube] lXuAf8ly6hs: Downloading tv client config
[youtube] lXuAf8ly6hs: Downloading player 69f581a5
[youtube] lXuAf8ly6hs: Downloading tv player API JSON
[SponsorBlock] Fetching SponsorBlock segments
[SponsorBlock] Found 1 segments in the SponsorBlock database
[info] lXuAf8ly6hs: Downloading 1 format(s): 298+140
[info] Downloading video thumbnail 41 ...
[info] Writing video thumbnail 41 to: /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.webp
[ThumbnailsConvertor] Converting thumbnail "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.webp" to jpg
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.webp (pass -k to keep)
[download] Destination: /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f298.mp4
[download] 100% of   40.49MiB in 00:00:01 at 26.31MiB/s
[download] Destination: /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f140.m4a
[download] 100% of    1.62MiB in 00:00:00 at 20.57MiB/s
[Merger] Merging formats into "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4"
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f140.m4a (pass -k to keep)
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f298.mp4 (pass -k to keep)
[ModifyChapters] Removing chapters from /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.uncut.mp4 (pass -k to keep)
[Metadata] Adding metadata to "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4"
[EmbedThumbnail] mutagen: Adding thumbnail to "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4"

This was done via command line. Configuration was read from my config file.
I also used:

--sponsorblock-remove all

Also, make sure you are using the latest Nightly build.

 

[Morro]

Is this video lXuAf8ly6hs?

Chrome cookies can't be imported when the browser is open.
Try with Firefox.

--cookies-from-browser firefox

Then it will work:
(however for some reason the download also proceeded here without providing cookies)

yt-dlp https://www.youtube.com/watch?v=lXuAf8ly6hs
Extracting cookies from firefox
Extracted 48 cookies from firefox
[youtube] Extracting URL: https://www.youtube.com/watch?v=lXuAf8ly6hs
[youtube] lXuAf8ly6hs: Downloading webpage
[youtube] lXuAf8ly6hs: Downloading tv client config
[youtube] lXuAf8ly6hs: Downloading player 69f581a5
[youtube] lXuAf8ly6hs: Downloading tv player API JSON
[SponsorBlock] Fetching SponsorBlock segments
[SponsorBlock] Found 1 segments in the SponsorBlock database
[info] lXuAf8ly6hs: Downloading 1 format(s): 298+140
[info] Downloading video thumbnail 41 ...
[info] Writing video thumbnail 41 to: /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.webp
[ThumbnailsConvertor] Converting thumbnail "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.webp" to jpg
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.webp (pass -k to keep)
[download] Destination: /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f298.mp4
[download] 100% of   40.49MiB in 00:00:01 at 26.31MiB/s
[download] Destination: /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f140.m4a
[download] 100% of    1.62MiB in 00:00:00 at 20.57MiB/s
[Merger] Merging formats into "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4"
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f140.m4a (pass -k to keep)
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.f298.mp4 (pass -k to keep)
[ModifyChapters] Removing chapters from /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4
Deleting original file /dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.uncut.mp4 (pass -k to keep)
[Metadata] Adding metadata to "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4"
[EmbedThumbnail] mutagen: Adding thumbnail to "/dev/shm/test-dlp/Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison | 2025 Chinese Grand Prix.mp4"

This was done via command line. Configuration was read from my config file.
I also used:

--sponsorblock-remove all

Also, make sure you are using the latest Nightly build.

OK, thank you.

EDIT: I just had to change the cookies to none, and the new nightly build and now it works perfectly.

 

[The_King]

This was done via command line. Configuration was read from my config file.
I also used:

--sponsorblock-remove all

Also, make sure you are using the latest Nightly build.

Works perfectly using the CLi , it helps I grew up on DOS so perfectly fine using CLi instead of GUI.

Spoiler: YT CLi

 

[Morro]

Works perfectly using the CLi , it helps I grew up on DOS so perfectly fine using CLi instead of GUI.

Spoiler: YT CLi

View attachment 287806

I grew up using DOS as well, but apparently you remember more of it than me, so nowadays I prefer a GUI if possible.

 

[brambedkar59]

Sorry for the slightly off topic, but is this working for anyone on YT?

I get a please sign in error to show you are not a bot, but there is no option to sign in on the GUI?
View attachment 287800

changed from IOS to Android still getting errors
View attachment 287801

Try updating the yt-dlp and ffmpeg builds. I am on stable build and it's working fine. I have never used yt-dlp CLI because I didn't need to.
You can download latest ffmpeg builds from here too.
Also, r/youtubedl is friendly place to ask questions.

Spoiler: settings

Spoiler: Log

[GUI] executing command line: "D:\Backup\Media\ytdlp-interface\yt-dlp.exe" -x -f 251 --no-mtime -P "D:\Music Download" -o "%(title)s.%(ext)s" "www.youtube.com/watch?v=lXuAf8ly6hs"

[generic] Extracting URL: www.youtube.com/watch?v=lXuAf8ly6hs
WARNING: [generic] The url doesn't specify the protocol, trying with http
[youtube] Extracting URL:
[youtube] lXuAf8ly6hs: Downloading webpage
[youtube] lXuAf8ly6hs: Downloading tv client config
[youtube] lXuAf8ly6hs: Downloading player 69f581a5
[youtube] lXuAf8ly6hs: Downloading tv player API JSON
[youtube] lXuAf8ly6hs: Downloading ios player API JSON
[youtube] lXuAf8ly6hs: Downloading m3u8 information
[info] lXuAf8ly6hs: Downloading 1 format(s): 251
[download] Destination: D:\Music Download\Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison ｜ 2025 Chinese Grand Prix.webm
[ExtractAudio] Destination: D:\Music Download\Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison ｜ 2025 Chinese Grand Prix.opus
Deleting original file D:\Music Download\Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison ｜ 2025 Chinese Grand Prix.webm (pass -k to keep)

[GUI] yt-dlp.exe process has exited

Edit: added more screnshots

 

[The_King]

Try updating the yt-dlp and ffmpeg builds. I am on stable build and it's working fine. I have never used yt-dlp CLI because I didn't need to.
Also, r/youtubedl is friendly place to ask questions.

Spoiler: settings

View attachment 287808View attachment 287807

Spoiler: Log

[GUI] executing command line: "D:\Backup\Media\ytdlp-interface\yt-dlp.exe" -x -f 251 --no-mtime -P "D:\Music Download" -o "%(title)s.%(ext)s" "www.youtube.com/watch?v=lXuAf8ly6hs"

[generic] Extracting URL: www.youtube.com/watch?v=lXuAf8ly6hs
WARNING: [generic] The url doesn't specify the protocol, trying with http
[youtube] Extracting URL:
[youtube] lXuAf8ly6hs: Downloading webpage
[youtube] lXuAf8ly6hs: Downloading tv client config
[youtube] lXuAf8ly6hs: Downloading player 69f581a5
[youtube] lXuAf8ly6hs: Downloading tv player API JSON
[youtube] lXuAf8ly6hs: Downloading ios player API JSON
[youtube] lXuAf8ly6hs: Downloading m3u8 information
[info] lXuAf8ly6hs: Downloading 1 format(s): 251
[download] Destination: D:\Music Download\Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison ｜ 2025 Chinese Grand Prix.webm
[ExtractAudio] Destination: D:\Music Download\Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison ｜ 2025 Chinese Grand Prix.opus
Deleting original file D:\Music Download\Lewis Hamilton and Max Verstappen's Ghost Car Lap Comparison ｜ 2025 Chinese Grand Prix.webm (pass -k to keep)

[GUI] yt-dlp.exe process has exited

After clicking on both the update buttons in settings, now the GUI is working as well.

Spoiler: YT GUI

 

[brambedkar59]

After clicking on both the update buttons in settings, now the GUI is working as well.

Spoiler: YT GUI

View attachment 287811

Nice
PS I like Jdownloader2 better when I only need to download video. It can download entire playlist with ease (it updates very frequently to counter any YT changes). But for audio I prefer yt-dlp.

 

[nicolaasjan]

I do have a kind of GUI.
Using the "Open With" extension in Firefox.
For me this is the fastest way to use yt-dlp.

Setup is a bit cumbersome though; you need to have Python installed, since Open With needs a file outside of the browser to communicate with.

Spoiler: To complete installation

Unfortunately not maintained any more, but still works great.

Spoiler: Screenshot

PS,
The UI of this Firefox fork is heavily modified with custom style sheet (CustomCSSforFx).

 

[nicolaasjan]

I think we're getting a bit offtopic...