Scammers target Leonardo DiCaprio fans with malware-ridden "One Battle After Another" torrent

Malware can cause havoc (Image credit: Shutterstock)

  • Fake movie torrents deliver multi-stage malware; the user sees none of the execution steps
  • AgentTesla silently steals browser, email, FTP, and VPN credentials
  • Malicious PowerShell scripts hide inside subtitle files and are extracted when the user launches a bundled shortcut

Cybercriminals have circulated a fraudulent torrent claiming to contain “One Battle After Another”, a film released on September 26, 2025, starring Leonardo DiCaprio.

The torrent appears authentic at first glance, bundling a large movie file alongside images, subtitles, and a shortcut presented as a launcher.

Researchers observed thousands of seeders and leechers attached to the file, suggesting wide distribution rather than an isolated campaign.

How the infection chain is triggered

The attack begins when the user clicks a shortcut file disguised as a movie launcher.

Opening it runs the Windows commands embedded in the shortcut's target, which silently extract and execute a malicious PowerShell script hidden inside the subtitle file.

Attackers conceal the script between specific subtitle lines, blending it into text that appears harmless during casual inspection.

Once activated, the script extracts multiple AES-encrypted blocks embedded in the same subtitle file, reconstructing several additional PowerShell scripts on the system.

The extracted scripts write themselves to a diagnostics directory within the user profile and act as a coordinated malware loader.

One stage treats the movie file as an archive and extracts content hidden inside it, while another creates a hidden scheduled task named RealtekDiagnostics to maintain persistence after reboots.

Additional stages decode binary data hidden inside image files, restore it into Windows diagnostic cache locations, and verify that required directories exist.

The final steps check whether Windows Defender is active, install the Go runtime, and load the final payload directly into memory without writing it to disk.
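The hiding techniques in the chain above suggest what a triage pass over such a bundle should look for. The following Python script is an added example, not code from the article, from Bitdefender or from the campaign itself: it parses the SRT file and flags blocks that sit outside a timed cue or contain script tokens or long base64 runs, checks images for bytes appended after the PNG IEND or JPEG EOI marker, and searches the video file for an embedded archive header. The bundle layout, file names and contents are constructed; the base64 blob is an inert UTF-16LE PowerShell fragment, and whether the real campaign used -EncodedCommand or placed its script between cues in exactly this way is an assumption.

```python
"""Offline triage of a suspicious movie-torrent bundle: an added example, not the
article's or Bitdefender's code. Checks subtitle cues that carry script instead of
dialogue, and image or video files with foreign data inside. Heuristics only; every
sample below is constructed. Assumed file layout: one .lnk, .srt, images, one video."""
import re

CUE_TIME = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
# Tokens that never appear in dialogue: PowerShell invocation, decoding, persistence.
SCRIPT_TOKENS = re.compile(r"(?i)(powershell|pwsh|\biex\b|invoke-expression|frombase64string|"
                           r"downloadstring|add-mppreference|register-scheduledtask|schtasks|-enc(odedcommand)?\b)")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # 40+ unbroken base64 chars is not a spoken line
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def parse_srt(text):
    """Split SRT text on blank lines. A well-formed block is: index, timing line, text lines."""
    cues = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        ok = len(lines) >= 2 and lines[0].strip().isdigit() and bool(CUE_TIME.match(lines[1].strip()))
        cues.append({"index": int(lines[0]) if ok else None,
                     "text": lines[2:] if ok else lines, "well_formed": ok})
    return cues

def scan_srt(text, max_line=120):
    """Return [(cue index, or None for a stray block; sorted reasons)] for non-dialogue content."""
    findings = []
    for cue in parse_srt(text):
        reasons = set()
        if not cue["well_formed"]:
            reasons.add("text outside a timed cue")   # script parked between cues
        for line in cue["text"]:
            if len(line) > max_line:
                reasons.add("overlong line")
            if SCRIPT_TOKENS.search(line):
                reasons.add("script token")
            if B64_RUN.search(line):
                reasons.add("base64 run")
        if reasons:
            findings.append((cue["index"], sorted(reasons)))
    return findings

def trailing_bytes(blob):
    """Bytes after the image terminator: 0 = clean, >0 = appended data, None = not PNG/JPEG."""
    if blob.startswith(PNG_MAGIC):
        end = blob.find(b"IEND")                # IEND must be the final chunk
        return None if end == -1 else len(blob) - (end + 8)   # 'IEND' + 4-byte CRC
    if blob.startswith(b"\xff\xd8"):
        end = blob.rfind(b"\xff\xd9")           # last EOI; FF D9 inside a payload only shortens the count
        return None if end == -1 else len(blob) - (end + 2)
    return None

def triage_bundle(files):
    """files: {name: bytes}. Returns {name: [notes]}; an empty list means nothing was flagged."""
    report = {}
    for name, data in files.items():
        lower, notes = name.lower(), []
        if lower.endswith(".lnk"):
            notes.append("shortcut shipped with a media bundle")   # a video file needs no launcher
        elif lower.endswith(".srt"):
            for idx, reasons in scan_srt(data.decode("utf-8", "replace")):
                where = "stray block" if idx is None else f"cue {idx}"
                notes.append(f"{where}: {', '.join(reasons)}")
        elif lower.endswith((".png", ".jpg", ".jpeg")):
            extra = trailing_bytes(data)
            if extra:
                notes.append(f"{extra} bytes after image terminator")
        elif lower.endswith((".mkv", ".mp4")):
            for magic, kind in ARCHIVE_MAGIC.items():
                off = data.find(magic)
                if off != -1:
                    notes.append(f"embedded {kind} signature at offset {off}")
        report[name] = notes
    return report

# Constructed samples. The base64 blob is UTF-16LE "IEX (New-Object Net.WebClient)", the
# form -EncodedCommand takes; it is inert text here. Script sits both between cues and in one.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,000
Where are we going?

2
00:00:03,500 --> 00:00:05,000
Just keep driving.

$p = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'))
IEX $p

3
00:00:05,500 --> 00:00:07,000
powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA
"""
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"   # signature + empty IEND chunk, no pixels
STUFFED_PNG = CLEAN_PNG + b"MZ" + b"\x90" * 62                   # 64 bytes parked after IEND
SAMPLE_BUNDLE = {"movie.mkv": b"\x1aE\xdf\xa3" + b"\x00" * 32 + b"PK\x03\x04" + b"\x00" * 8,  # EBML header, then a zip header
                 "poster.png": STUFFED_PNG, "cover.png": CLEAN_PNG,
                 "movie.en.srt": SAMPLE_SRT.encode(), "Play Movie.lnk": b"L\x00\x00\x00"}
```

Running the file defines the checks and the sample bundle; call `triage_bundle(SAMPLE_BUNDLE)` to get the per-file notes. The thresholds (120-character lines, 40-character base64 runs) are starting points, not tuned values. Note that AES-encrypted stages like the ones described above would surface only as base64 runs or overlong lines, never as script tokens, which is why the structural check for text outside a timed cue matters: a subtitle file has no legitimate reason to carry anything between cues.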

The delivered malware is AgentTesla, a .NET-based information stealer with remote access capabilities that has been active since 2014.

It steals credentials from browsers, email clients, FTP tools, and VPN software, while also capturing screenshots.

Bitdefender notes that similar campaigns tied to other movie titles have delivered different malware families, showing that the lure remains reusable even when the payload changes.

The attack chain exploits no software flaw; it depends on the user running the shortcut, and it slips past basic antivirus checks through layered obfuscation: script hidden in subtitle text, AES-encrypted stages, binary data hidden in images, and a final payload that only ever exists in memory.

Torrent files from anonymous publishers remain a consistent delivery method for credential-stealing malware.

Tools marketed for identity theft protection or malware removal offer limited help once credentials have already been exfiltrated; the stolen passwords have to be changed, and any sessions they protect treated as compromised.

This campaign reinforces how entertainment-driven curiosity continues to override basic caution, even as techniques become more complex and difficult to spot.

Via Bleeping Computer



Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.
