- A fake movie torrent delivers malware in several stages, without the user ever seeing the execution steps
- AgentTesla silently steals browser, email, FTP and VPN credentials
- A malicious PowerShell script hides inside the subtitle file and is carved out when the user launches the bundled shortcut
Cybercriminals have circulated a fraudulent torrent that claims to contain “One Battle After Another,” a film released on September 26, 2025 and starring Leonardo DiCaprio.
The torrent appears authentic at first glance as it includes a large movie file along with images, subtitles, and a shortcut presented as a launcher.
Bitdefender's researchers observed thousands of seeders and leechers attached to the torrent, suggesting wide distribution rather than an isolated campaign.
How the chain of infection is triggered
The attack begins when the user clicks on a shortcut file disguised as a movie launcher.
The shortcut runs Windows commands that silently carve a malicious PowerShell script out of the subtitle file and execute it.
The attackers hide the script between specific subtitle lines, blending it into text that looks harmless on casual inspection.
Once activated, the script extracts multiple AES-encrypted blocks embedded in the same subtitle file, rebuilding several additional PowerShell scripts on the system.
The extracted scripts are written to a diagnostic directory within the user profile and act as a coordinated malware loader.
One stage reuses the movie file as an archive, while another creates a hidden RealtekDiagnostics scheduled task to maintain persistence after reboots.
Additional stages decode hidden binary data within image files, restore them to Windows diagnostic cache locations, and verify that the necessary directories exist.
The final steps check the status of Windows Defender, install the Go runtime, and load the final payload directly into memory.
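The subtitle trick above can be caught without knowing the attackers' marker lines, because a cue that carries code or ciphertext does not look like dialogue. The script below is an added example, not the article's or Bitdefender's code: it parses an SRT file and flags cues that contain PowerShell idioms, long base64 runs, high-entropy text, or a display time too short to be read. The sample file, its PowerShell stub and the base64 blob standing in for an AES-encrypted block are constructed for this example, and the thresholds are assumptions to tune against real subtitle files.

```python
import math
import re
from collections import Counter

# Constructed sample .srt: three ordinary cues plus two cues whose "text"
# is not dialogue. Cue 3 holds an illustrative PowerShell stub, cue 4 a
# base64 blob standing in for an encrypted block. Nothing here is copied
# from the real campaign.
SAMPLE_SRT = r'''1
00:00:01,000 --> 00:00:03,500
It's been a long time.

2
00:00:04,000 --> 00:00:06,000
Too long.

3
00:00:06,500 --> 00:00:07,000
$p=[IO.File]::ReadAllText("$env:LOCALAPPDATA\x.srt");IEX($p)

4
00:00:07,000 --> 00:00:07,100
U2FsdGVkX1+7Qm3rZ0gq8LkP2dHj4nqWcL1xRtA9Yb0vXK3mN6sPq8TtU4VwYe1fZa2bC3dE4fG5hI6jK7lM8nO9pQ==

5
00:00:08,000 --> 00:00:10,000
Let's get out of here.
'''

# Timing line of an SRT cue, with capture groups for start and end.
CUE_TIMING = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})")
# PowerShell idioms that never appear in dialogue (list is an assumption).
PS_KEYWORDS = re.compile(
    r"(IEX|Invoke-Expression|FromBase64String|\$env:|\[IO\.File\]|"
    r"-EncodedCommand|AesCryptoServiceProvider|Start-Process)", re.I)
# A run of 60+ base64 characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
MIN_DISPLAY_MS = 300      # assumption: real cues show for longer than this
ENTROPY_THRESHOLD = 4.8   # assumption: bits/char above which text is not prose


def shannon_entropy(s):
    """Bits per character of s; English prose sits around 4.0-4.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_srt(text):
    """Return a list of (index, timing_line, body) for every well-formed cue."""
    cues = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not CUE_TIMING.match(lines[1]):
            continue
        cues.append((lines[0].strip(), lines[1], "\n".join(lines[2:])))
    return cues


def cue_duration_ms(timing_line):
    """Display time of a cue in milliseconds, from its timing line."""
    g = [int(x) for x in CUE_TIMING.match(timing_line).groups()]
    to_ms = lambda h, m, s, f: ((h * 60 + m) * 60 + s) * 1000 + f
    return to_ms(*g[4:]) - to_ms(*g[:4])


def scan_srt(text):
    """Return [(cue_index, [reasons])] for cues that do not look like dialogue."""
    findings = []
    for idx, timing, body in parse_srt(text):
        reasons = []
        if PS_KEYWORDS.search(body):
            reasons.append("powershell-keyword")
        if B64_RUN.search(body):
            reasons.append("base64-run")
        if len(body) >= 40 and shannon_entropy(body) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy")
        if cue_duration_ms(timing) < MIN_DISPLAY_MS:
            reasons.append("short-display")
        if reasons:
            findings.append((idx, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in scan_srt(SAMPLE_SRT):
        print(f"cue {idx}: {', '.join(reasons)}")
```

Run it against the subtitle file from a suspicious torrent before anything else in the bundle is opened; two independent signals on the same cue (for example a base64 run in a cue displayed for 100 ms) is a stronger indicator than either alone, and the whole archive can then be treated as hostile.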
The malware delivered is AgentTesla, a Windows information-stealing remote access Trojan that has been active since 2014.
It steals credentials from browsers, email clients, FTP tools and VPN software, while taking screenshots.
Bitdefender notes that similar campaigns linked to other movie titles have spawned different families of malware, proving that the lure remains reusable even when the payload changes.
The attack chain does not exploit any software flaw; it relies on the user running the shortcut, and it slips past basic antivirus defenses through layered obfuscation.
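Because the chain depends on the user launching a shortcut rather than on an exploit, every stage is visible in ordinary process-creation telemetry. The following Python is an added example, not the article's or Bitdefender's code: it applies a few detection rules to constructed Sysmon-style process records (PIDs, paths and command lines are invented here; only the RealtekDiagnostics task name is taken from the article) and flags the LNK-style explorer to cmd to hidden-PowerShell chain, a script host reading a subtitle file, and a scheduled task created to run PowerShell.

```python
import json
import re

# Constructed Sysmon-style process-creation records as JSON lines. Records
# 1-4 model the chain described in the article; 5-6 are benign noise
# (a user-opened console and a task query). All values are invented.
EVENTS_JSONL = r'''
{"id":1,"pid":4120,"ppid":900,"image":"C:\\Windows\\explorer.exe","cmd":"C:\\Windows\\explorer.exe"}
{"id":2,"pid":5012,"ppid":4120,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c powershell -w hidden -ep bypass -c \"$s=Get-Content 'D:\\Downloads\\movie\\movie.srt'\""}
{"id":3,"pid":5100,"ppid":5012,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -w hidden -ep bypass -c \"$s=Get-Content 'D:\\Downloads\\movie\\movie.srt'\""}
{"id":4,"pid":5220,"ppid":5100,"image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /create /tn RealtekDiagnostics /tr \"powershell -w hidden -f C:\\Users\\u\\AppData\\Local\\Diagnostics\\r.ps1\" /sc onlogon /f"}
{"id":5,"pid":6000,"ppid":4120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe"}
{"id":6,"pid":6100,"ppid":6000,"image":"C:\\Windows\\System32\\schtasks.exe","cmd":"schtasks /query /tn RealtekDiagnostics"}
'''

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Subtitle extensions a script host has no business reading.
SUBTITLE_REF = re.compile(r"\.(srt|sub|ass|vtt)\b", re.I)
# PowerShell switches that hide the window or bypass policy/logging.
HIDDEN_PS = re.compile(r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s|-ep\s+bypass)", re.I)
# schtasks /create with its /tn value captured.
TASK_CREATE = re.compile(r'schtasks(\.exe)?\s+/create\b.*?/tn\s+"?([^\s"]+)', re.I)


def load_events(jsonl):
    """Parse JSON-lines telemetry into a list of dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines()]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Image basenames of the parent, grandparent, ... of event."""
    chain, cur = [], by_pid.get(event["ppid"])
    while cur:
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return [(event_id, rule_name)] for every rule an event triggers."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmd"]
        if img in SCRIPT_HOSTS and SUBTITLE_REF.search(cmd):
            hits.append((e["id"], "subtitle-file-in-script-host-cmdline"))
        if img in ("powershell.exe", "pwsh.exe"):
            chain = ancestry(e, by_pid)
            if HIDDEN_PS.search(cmd) and chain[:1] == ["cmd.exe"]:
                hits.append((e["id"], "hidden-powershell-spawned-by-cmd"))
            # explorer -> cmd -> powershell is what a double-clicked LNK
            # pointing at cmd.exe produces.
            if chain[:2] == ["cmd.exe", "explorer.exe"]:
                hits.append((e["id"], "explorer-cmd-powershell-chain"))
        if img == "schtasks.exe":
            m = TASK_CREATE.search(cmd)
            if m and ("powershell" in cmd.lower()
                      or re.search(r"diagnostic", m.group(2), re.I)):
                hits.append((e["id"], f"scheduled-task-persistence:{m.group(2)}"))
    return hits


if __name__ == "__main__":
    for event_id, rule in detect(load_events(EVENTS_JSONL)):
        print(f"event {event_id}: {rule}")
```

Each rule is weak on its own (administrators do create tasks and do run hidden PowerShell), so score them together: a single process tree that reads a subtitle file, spawns hidden PowerShell from cmd under explorer, and then registers a task pointing back at PowerShell is the pattern worth paging on.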
Torrent files from anonymous publishers remain a consistent delivery method for credential-stealing malware.
Tools marketed for identity theft protection or malware removal offer limited help once credentials have already been exfiltrated.
This campaign shows once again that curiosity about a new release keeps overriding basic caution, even as the techniques behind the lure grow more complex and harder to detect.
Via BleepingComputer