A fake torrent with a movie hides dangerous malware in the subtitles. "It will only get worse!"

12/19/2025

A fake torrent of the movie One Battle After Another contains malware hidden in subtitle files. BitDefender warns of a new attack method targeting Windows computers.

Cybercriminals have found a new way to infect Windows computers. A fake copy of the film One Battle After Another featuring Leonardo DiCaprio, distributed in torrent networks, contains malware hidden in… a subtitle file. Experts warn that this is just the beginning of a new wave of attacks. The threat was detected by BitDefender, which points to increasingly sophisticated malware distribution methods that exploit users' trust in popular film titles. Once the malware is installed, attackers gain full remote access to the victim's computer.

“This type of malware is designed with one goal – to provide cybercriminals with unrestricted access to the Windows system. Once they take control, they can steal financial and personal data or use the computer for further attacks” – warns BitDefender.

Malware hidden in subtitles

The payload itself is nothing new: the attack uses the well-known malware Agent Tesla. The novelty is in its distribution method. The malware is spread through torrents containing a fake version of the film One Battle After Another and, according to BitDefender, possibly other popular titles as well. Importantly, many users do not notice that the film never actually starts, because the infection occurs earlier.

BitDefender estimates that several thousand people have already fallen for this trick. The torrent package contains a shortcut file named CD.lnk, which is presented as the way to start the film. In reality, opening it initiates a chain of scripts that exploit legitimate Windows processes.

A key element of the attack is hidden in the subtitle file – specifically in line 5005. That is where the PowerShell command is located, which begins the malware installation. The rest of the subtitle file looks completely normal, significantly complicating the detection of the threat. BitDefender has published a detailed description of the entire mechanism on its blog.
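A subtitle file that looks normal except for one line can still be checked mechanically before it is trusted. The following is an added example, not code from BitDefender or from the original article: a small Python scanner that walks an SRT file and reports dialogue lines containing script-launcher tokens or unusually long text. The token list, the length threshold and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: tokens that do not belong in film dialogue but are common in
# Windows script launchers. Heuristic only; tune for your environment.
SUSPICIOUS = re.compile(
    r"(?i)\b(powershell|pwsh|cmd(\.exe)?\s+/c|invoke-expression|iex|"
    r"frombase64string|start-process|mshta|wscript|cscript)\b"
)
# SRT timing line, e.g. "00:01:02,500 --> 00:01:04,000"
TIMING = re.compile(
    r"^\d{2}:\d{2}:\d{2}[,.]\d{3}\s*-->\s*\d{2}:\d{2}:\d{2}[,.]\d{3}"
)
MAX_TEXT_LEN = 200  # assumption: real dialogue lines are far shorter


def scan_subtitles(text):
    """Return (line_number, reason) for every suspicious text line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        s = line.strip()
        # Skip blank separators, cue counters and timing lines.
        if not s or s.isdigit() or TIMING.match(s):
            continue
        m = SUSPICIOUS.search(s)
        if m:
            findings.append((lineno, f"script token {m.group(0)!r}"))
        elif len(s) > MAX_TEXT_LEN:
            findings.append((lineno, f"text line of {len(s)} chars"))
    return findings


def build_sample():
    """Constructed SRT: five cues, cue 3 carries an inert placeholder command."""
    cues = []
    for i in range(1, 6):
        body = "We have to go. Now."
        if i == 3:
            body = "powershell -NoProfile -Command <PLACEHOLDER>"
        cues.append(f"{i}\n00:00:{i:02d},000 --> 00:00:{i:02d},900\n{body}\n")
    return "\n".join(cues)


if __name__ == "__main__":
    for lineno, reason in scan_subtitles(build_sample()):
        print(f"line {lineno}: {reason}")
```

Reporting the line number matters here because the rest of the file is ordinary dialogue; a hit on a single line deep in the file is the pattern the article describes.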

This is just the beginning

This is not the first case of using fake torrents to infect computers.

“Previously, the film Mission: Impossible – The Final Reckoning was used to distribute the Lumma Stealer malware, which steals passwords, cookies, cryptocurrency wallet data, and Remote Desktop Tool credentials” – reminds BitDefender.

Experts have no doubt that the situation will worsen.

“In recent years, the number of infected torrents promising the latest films and series has skyrocketed. Attackers have clearly discovered an effective attack vector, and Agent Tesla is becoming one of their favourite tools” – summarises the company.

Katarzyna Petru

Journalist, reviewer, and columnist for the "ChooseTV" portal