Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

Detect double extensions with Threat Protection Pro

NordVPN scans the files you’re downloading and notifies you about double extensions.

NordVPN Double Extension Detection feature

What are double extensions?

Cybercriminals use double extensions to trick internet users into downloading and executing a malicious file. They use familiar extensions like .docx or .pdf to hide the real extension of an executable file (like project.pdf.exe). The most commonly used double extensions are .pdf.exe, .doc.exe, .jpg.exe, .txt.vbs, and .zip.exe.
.jpeg file with attached .exe malicious malware

How do double extensions work?

Most file management software hide file extensions by default, so you see document.pdf instead of document.pdf.exe. The icon is also often changed to match the fake extension, which is the main reason why people in a hurry tend to overlook the fake extension, even if it’s not hidden. When unsuspecting victims open a file like this, they install malicious software on their devices.

stay safe with Double Extension Detection from cybercriminals from around the world

Dangers of double file extensions

Since using double extensions is a simple, effective, and cheap way to trick distracted users into downloading and opening an executable file, hackers often employ this method. This is how cybercriminals managed to infect thousands of devices with CryptoLocker ransomware and extract 3M dollars from their victims.

How to avoid executing files with double extensions?

Double extensions could pose a real threat to your Windows device. Here’s what you can do to stop them:

man detects double extension on a file
Woman is reading a phishing email
NordVPN automatically detects malicious double extensions on downloaded files

How to enable the double file extension detection

Turn Threat Protection Pro on and let it take care of everything.


Open the NordVPN app.


Click on the shield icon.


Turn on file protection.

internet disconected man laptop md

What to do if you’ve opened a file with a double extension

You might need help removing some malware, but there are a few things you can do on your own:

  1. Disconnect the infected device from the internet to prevent further spread.
  2. Boot Windows into Safe Mode to restrict the malware’s operations.
  3. Use a reliable and up-to-date antivirus to scan and remove the threat.
  4. Manually delete any suspicious and unrecognized files (but only if you know what to look for).
  5. If the threat is serious and your files are backed up, consider a full system wipe.
  6. If you suspect you accidentally installed a keylogger, change passwords on all your sensitive accounts.


Try NordVPN risk free

30-day money-back guarantee — no questions, no hassle. Enjoy peace of mind when surfing online.

NordVPN 30 days 100% money back guarantee