Beware of Fake Leonardo DiCaprio Movie Torrent File Drops Agent Tesla Malware

A new threat is targeting movie lovers who search for the latest films online. Cybercriminals are now using the popularity of Leonardo DiCaprio’s new film, One Battle After Another, to spread the dangerous Agent Tesla malware.

What appears to be a simple movie download actually contains a series of hidden PowerShell scripts that install a Remote Access Trojan on Windows computers.

This malware gives attackers complete control over infected devices, allowing them to steal personal and financial information.

The fake movie torrent has already reached thousands of users. When someone downloads what looks like the film, they receive a folder containing several files that seem normal.

However, clicking on a shortcut file named CD.lnk starts a complex attack process that runs entirely in the background without the user knowing.

The malware uses legitimate Windows tools like CMD, PowerShell, and Task Scheduler to hide its activities and avoid detection by security software.

Bitdefender security researchers identified this threat after noticing an unusual increase in detections related to the movie torrent.

Their investigation revealed a carefully designed attack method that uses multiple layers of encryption and scripts hidden inside what appear to be normal subtitle and image files.

The entire process runs in memory, meaning no suspicious files are written to the hard drive, making it extremely difficult for traditional security tools to catch.

The infection starts when users open the CD.lnk file, which they think will play the movie. Instead, this file runs a hidden command that reads specific lines from a subtitle file called Part2.subtitles.srt.

These lines contain batch code that launches PowerShell scripts. The clever part is that the subtitle file actually contains real movie subtitles, but lines 100 to 103 hide the malicious code that starts everything.
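As an added defender-side example (not Bitdefender's code and not part of the original post), the following Python scanner walks an .srt file structurally, skipping cue indices and timing lines, and flags any subtitle text line that carries cmd/PowerShell syntax or an overlong blob of the kind described above; the sample subtitle cues and the placeholder encoded-command string are constructed for illustration.

```python
import re

# Constructed sample .srt: two ordinary cues, then a cue whose text lines are
# not dialogue but command-interpreter syntax (the encoded string is a placeholder).
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,500
Where are we going?

2
00:00:04,000 --> 00:00:06,000
One battle after another.

3
00:00:07,000 --> 00:00:09,000
@echo off
powershell -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER_BASE64
"""

# SRT timing line: "HH:MM:SS,mmm --> HH:MM:SS,mmm"
TIMING_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")

# Whole tokens that belong to cmd/PowerShell, never to subtitle dialogue.
SUSPICIOUS_RE = re.compile(
    r"(?i)(?:^|[\s\"'&|;(])"
    r"(?:powershell|pwsh|cmd(?:\.exe)?|@echo off|-EncodedCommand|-enc|"
    r"Invoke-Expression|IEX|FromBase64String|Start-Process|schtasks)"
    r"(?=$|[\s\"'&|;).])"
)


def scan_srt(text: str, max_line_len: int = 200) -> list[tuple[int, str]]:
    """Return (line_number, reason) for subtitle text lines that look like code."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Blank separators, cue indices and timing lines are structurally expected.
        if not stripped or stripped.isdigit() or TIMING_RE.match(stripped):
            continue
        if SUSPICIOUS_RE.search(stripped):
            findings.append((lineno, "shell/PowerShell token in subtitle text"))
        elif len(stripped) > max_line_len:
            findings.append((lineno, "overlong line (possible encoded blob)"))
    return findings


if __name__ == "__main__":
    for number, reason in scan_srt(SAMPLE_SRT):
        print(f"line {number}: {reason}")
```

Run it against every .srt in a downloaded folder; a genuine subtitle file produces no findings, while the file described in the article would report the lines holding the batch launcher.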

How the Attack Unfolds Through Multiple Stages

The PowerShell commands extract and decode AES-encrypted data from the same subtitle file. After decryption, the malware writes five separate PowerShell scripts into a hidden folder at C:\Users\<user>\AppData\Local\Microsoft\Diagnostics.

Hidden code inside subtitles (Source – Bitdefender)

Each script has a specific job in the attack chain. The first script extracts content from a fake video file named One Battle After Another.m2ts, which is actually a disguised archive.

The script checks for common extraction tools like WinRAR, 7-Zip, or Bandizip and uses whichever one it finds. Another script creates a scheduled task called RealtekDiagnostics that pretends to be an audio helper program.

Decrypting embedded payloads (Source – Bitdefender)

This ensures the malware runs automatically every time the computer starts or when a user logs in. The task stays hidden and uses normal Windows processes to avoid suspicion.

Meanwhile, other scripts decode hidden data from fake image files named Photo.jpg and Cover.jpg, which actually contain binary data and additional archives protected by simple passwords.

The final stage compiles and runs the Agent Tesla payload directly in memory. This Remote Access Trojan establishes a connection with attacker-controlled servers, turning the infected computer into a zombie device that can be used for stealing credentials, launching more attacks, or deploying additional malware.

The entire operation demonstrates how attackers use multi-stage scripting and fileless execution to bypass security measures and maintain long-term access to victim systems.
