- Fake movie torrents deliver malware in multiple stages without the user noticing the execution steps
- AgentTesla steals browser, email, FTP and VPN credentials silently and efficiently
- Malicious PowerShell scripts hide inside the subtitle file and are extracted when the user launches the bundled shortcut
Cybercriminals have circulated a fraudulent torrent claiming to contain “One Battle After Another”, a film released on September 26, 2025, starring Leonardo DiCaprio.
The torrent appears authentic at first glance, bundling a large movie file along with images, subtitles, and a shortcut presented as a launcher.
Researchers observed thousands of seeders and leechers attached to the torrent, suggesting wide distribution rather than an isolated campaign.
How the chain of infection is triggered
The attack begins when the user clicks on a shortcut file disguised as a movie launcher.
This action executes Windows commands that silently extract and execute a malicious PowerShell script hidden in the subtitle file.
Attackers hide the script between specific subtitle lines, blending it into text that appears innocuous upon casual inspection.
Once running, the script decrypts multiple AES-encrypted blocks embedded in the same subtitle file and rebuilds several additional PowerShell scripts on the system.
The extracted scripts write themselves to a diagnostics directory within the user profile and act as a coordinated malware loader.
One step treats the video file itself as an archive, while another creates a hidden scheduled task named RealtekDiagnostics to maintain persistence across reboots.
Additional steps decode binary data hidden in image files, restore them to Windows diagnostic cache locations, and verify that the required directories exist.
The final steps check Windows Defender status, install the Go runtime, and load the final payload directly into memory.
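The chain above hinges on two artefacts a defender can check before anything runs: a launcher-type file shipped next to a film, and a subtitle file carrying content that is not subtitle text (a script fragment, or long encrypted blocks between cues). The following triage script is an added example written for this article; it is not code from the campaign, from Bitdefender, or from TechRadar. The file names, the sample subtitle text and the length thresholds are constructed assumptions, and the regular expressions catch only generic indicators (PowerShell tokens, base64-alphabet runs, cues without an index or timing line), not the specific markers this campaign used.

```python
"""Triage a film torrent's contents for the two indicators described above.

Added example, not the campaign's or any vendor's code. All sample data below
is constructed; thresholds are assumptions chosen for illustration.
"""
import os
import re
from typing import List, Tuple

# File types that have no legitimate reason to sit next to a movie file.
LAUNCHER_EXT = {".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# Tokens that never belong in a subtitle cue (generic PowerShell loader vocabulary).
PS_TOKENS = re.compile(
    r"powershell|-enc\w*|FromBase64String|Invoke-Expression|\bIEX\b"
    r"|Add-MpPreference|schtasks|Register-ScheduledTask",
    re.IGNORECASE,
)
# A run of base64 alphabet far longer than any real line of dialogue
# (assumed threshold: 120 characters).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# SRT timing line: "HH:MM:SS,mmm --> HH:MM:SS,mmm"
TIMING = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
MAX_CUE_CHARS = 300  # assumed upper bound for legitimate cue text


def parse_srt(text: str) -> List[List[str]]:
    """Split an SRT file into blocks of lines; cues are separated by blank lines."""
    text = text.replace("\r\n", "\n").strip()
    return [blk.splitlines() for blk in re.split(r"\n\s*\n", text) if blk.strip()]


def scan_srt(text: str) -> List[Tuple[int, str]]:
    """Return (block_number, reason) for every block that does not look like a plain cue."""
    findings: List[Tuple[int, str]] = []
    for n, lines in enumerate(parse_srt(text), start=1):
        # A well-formed cue is: numeric index, timing line, then short text lines.
        well_formed = (
            len(lines) >= 2
            and lines[0].strip().isdigit()
            and TIMING.match(lines[1].strip()) is not None
        )
        if not well_formed:
            findings.append((n, "malformed-cue"))
        body = "\n".join(lines[2:] if well_formed else lines)
        if PS_TOKENS.search(body):
            findings.append((n, "script-token"))
        if B64_RUN.search(body):
            findings.append((n, "base64-run"))
        if len(body) > MAX_CUE_CHARS:
            findings.append((n, "oversized-cue"))
    return findings


def triage_bundle(names: List[str]) -> List[str]:
    """Return launcher-type files in a torrent listing; a film needs no launcher."""
    return [n for n in names if os.path.splitext(n)[1].lower() in LAUNCHER_EXT]


# Constructed sample: two ordinary cues.
BENIGN_SRT = """1
00:00:01,000 --> 00:00:03,000
Where are you going?

2
00:00:03,500 --> 00:00:05,000
Out. Don't wait up.
"""

# Constructed sample: the same file with a cue whose text is a long base64-alphabet
# run (standing in for an encrypted block) and a stray block holding a PowerShell
# one-liner with no index or timing line.
TAMPERED_SRT = BENIGN_SRT + "\n3\n00:00:05,500 --> 00:00:07,000\n" + "Qk" * 80 + \
    "\n\npowershell -nop -w hidden -enc QQBB\n"

# Constructed listing modelled on the bundle layout the article describes.
BUNDLE = ["One.Battle.After.Another.2025.mkv", "One.Battle.After.Another.srt",
          "Watch Movie.lnk", "cover.jpg"]

if __name__ == "__main__":
    print("launchers:", triage_bundle(BUNDLE))
    print("benign srt:", scan_srt(BENIGN_SRT))
    print("tampered srt:", scan_srt(TAMPERED_SRT))
```

Run it over the extracted torrent directory (feed `os.listdir()` to `triage_bundle` and each `.srt` file's text to `scan_srt`) before opening anything. On a host where the shortcut may already have been clicked, the persistence step gives a second check: `schtasks /query /fo LIST /v` lists every scheduled task with its action, so a task named RealtekDiagnostics whose action launches PowerShell from a diagnostics folder under the user profile is the indicator to look for.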
The delivered malware is AgentTesla, a Windows remote access Trojan active since 2014.
It steals credentials from browsers, email clients, FTP tools and VPN software, while capturing screenshots.
Bitdefender notes that similar campaigns related to other movie titles have generated different malware families, showing that the lure remains reusable even when the payload changes.
The attack chain does not rely on exploiting software vulnerabilities but on user execution, bypassing basic antivirus defenses through layered obfuscation.
Torrent files from anonymous publishers remain a consistent delivery method for credential-stealing malware.
Tools marketed for identity theft protection or malware removal offer limited help once credentials have already been exfiltrated.
This campaign reinforces how entertainment-driven curiosity continues to trump basic caution, even as techniques become more complex and difficult to spot.
Via BleepingComputer