Cybersecurity researchers at Bitdefender have published findings on a torrent file for the new Leonardo DiCaprio film, One Battle After Another. What seemed like a simple, free movie download turned out to be a hidden, multi-step cyberattack designed to infect unsuspecting Windows users.
Bitdefender researchers first noticed a sudden rise in detections related to this fake movie torrent. As they investigated further, they identified a highly complex infection process that used common Windows programs to evade security protections, a technique known as Living Off the Land (LOTL).
This method is used to blend in with normal system activity. It is worth noting that using fake multimedia files to spread viruses is not new; researchers had earlier reported a similar tactic used for the movie Mission: Impossible – The Final Reckoning to spread Lumma Stealer.
A Hidden Threat in Subtitles
Bitdefender’s research, shared with Hackread.com ahead of its publishing today, revealed that when a user downloads the movie torrent and clicks on a shortcut file named CD.lnk to start the film, they unknowingly set off a hidden chain of commands.
According to researchers, this specific attack seems to be aimed at less experienced users who are unfamiliar with torrent risks, or who rarely download unauthorised content or use torrents at all.
The attack proceeds through a subtitle file named Part2.subtitles.srt. While the file contains real subtitles, a few specific lines hold malicious code that launches multiple PowerShell scripts.
These scripts then extract and run even more hidden programs from other files in the torrent, such as a large video file called One Battle After Another.m2ts and a fake image file named Cover.jpg. The whole process is highly layered and runs the final malware entirely in the computer’s memory, a technique that makes it harder for security software to spot.
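The subtitle trick described above relies on an .srt file that still plays correctly while a few cue lines carry command content. As an added illustration (not code from Bitdefender’s report or from Hackread), the Python checker below parses an SRT file by its block structure and flags cues whose index or timing line is malformed or whose text contains shell-like tokens; the sample subtitle text and the placeholder command line are constructed for the example.

```python
import re

# A valid SRT timing line, e.g. "00:00:01,000 --> 00:00:03,500"
TIMING_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}$")

# Tokens that belong in a shell, not in film dialogue (heuristic; tune locally)
SUSPICIOUS_RE = re.compile(
    r"(powershell|pwsh|cmd\.exe|mshta|rundll32|wscript|cscript|regsvr32|certutil"
    r"|-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|\biex\b|Invoke-Expression"
    r"|FromBase64String|DownloadString|System\.Reflection\.Assembly)",
    re.IGNORECASE,
)

def parse_srt(text):
    """Split SRT text into cues of (index, timing, [text lines]); blocks are blank-line separated."""
    cues = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2:
            # A fragment with no timing line is itself structurally odd
            cues.append((lines[0].strip() if lines else "", "", []))
            continue
        cues.append((lines[0].strip(), lines[1].strip(), lines[2:]))
    return cues

def find_suspicious_cues(text):
    """Return (cue_index, reason, offending_line) for each structural or content anomaly."""
    findings = []
    for idx, timing, body in parse_srt(text):
        if not idx.isdigit():
            findings.append((idx, "cue index is not numeric", idx))
        if not TIMING_RE.match(timing):
            findings.append((idx, "malformed or missing timing line", timing))
        for line in body:
            if SUSPICIOUS_RE.search(line):
                findings.append((idx, "shell-like token in cue text", line))
    return findings

# Constructed sample: two ordinary cues and one cue whose text is a command line
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,500
Nobody is coming to save us.

2
00:00:04,000 --> 00:00:06,000
powershell.exe -NoProfile -WindowStyle Hidden -Command "<CONSTRUCTED PLACEHOLDER>"

3
00:00:07,000 --> 00:00:09,000
Then we move at dawn.
"""

if __name__ == "__main__":
    for cue, reason, line in find_suspicious_cues(SAMPLE_SRT):
        print(f"cue {cue}: {reason}: {line}")
```

Run against a downloaded subtitle file, a single flagged cue is enough reason to treat the whole torrent as untrusted, since genuine subtitles never need a command interpreter.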
The Agent Tesla Payload
The ultimate goal of this elaborate scheme is to install Agent Tesla malware. This is a Remote Access Trojan (RAT) that gives attackers full, remote control over the victim’s computer.
Once installed, the attackers can steal personal and financial data, or turn the infected Windows PC into what researchers call a “zombie agent,” ready to be used in future attacks. Agent Tesla has been around since 2014 and has been used in various past campaigns, including phishing emails related to COVID-19.
The bad news is that the fake movie torrent was noted to have “thousands of seeders and leechers,” suggesting a large number of people were exposed to this risk. The finding shows how easily threats can hide in files promising free entertainment online.
