Cybercriminals have found a new way to infect Windows computers. A fake copy of the movie One Battle After Another featuring Leonardo DiCaprio, distributed in torrent networks, contains malware hidden in… a subtitle file. Experts warn that this is just the beginning of a new wave of attacks. The threat was detected by BitDefender, which points out the increasingly sophisticated methods of distributing malware that exploit users' trust in popular film titles. Once the malware is installed, attackers gain full remote access to the victim's computer.
“This type of malware is designed with one goal – to provide cybercriminals unrestricted access to the Windows system. Once they take control, they can steal financial and personal data or use the computer for further attacks” – warns BitDefender.
Malware Hidden in Subtitles
There is nothing new in the attack itself – it uses the well-known Agent Tesla malware. The novelty lies in the method of distribution. The malware is spread through torrents containing a fake version of the movie One Battle After Another – and, according to BitDefender, possibly other popular titles as well. Notably, many users do not even realize that the movie never launches, because the infection happens before that point.
BitDefender estimates that several thousand people have already fallen for this trick. The torrent package contains a shortcut file named CD.lnk, which appears to launch the movie. In reality, opening it starts a chain of scripts that abuse legitimate Windows processes.
The key element of the attack is hidden in the subtitle file – specifically in line 5005. That line holds a PowerShell command that starts the installation of the malware. The rest of the subtitle file looks completely normal, which makes the threat significantly harder to detect. BitDefender published a detailed description of the entire mechanism on its blog.
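A subtitle file has a strict grammar, which is exactly what a defender can lean on: dialogue cues wrapped around a single command line stand out once the file is checked against the format rather than read as text. The following Python script is an added example, not BitDefender's code or the analysis from its blog. It validates a SubRip (.srt) file cue by cue and reports any line that breaks the grammar or contains command-like tokens, together with its line number, so an analyst can jump straight to a buried line among thousands of normal ones. The token list, the length threshold and the sample subtitle it scans are constructed for this example and should be tuned to your environment.

```python
"""Triage SubRip (.srt) subtitle files for content that is not subtitle text.

A well-formed SRT file is a sequence of cues:
    <integer index>
    HH:MM:SS,mmm --> HH:MM:SS,mmm
    one or more lines of dialogue
    <blank line>
Anything that breaks that shape, or any line that looks like a shell or
PowerShell invocation, is reported with its 1-based line number.
Added example; the indicator list below is our own and not exhaustive.
"""
import re
import sys
from typing import List, Tuple

TIMING_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}"
    r"(\s+X1:\d+ X2:\d+ Y1:\d+ Y2:\d+)?$"
)

# Tokens that never belong in dialogue. Constructed for this example; expect
# occasional false positives on unusual dialogue and review hits by hand.
SUSPICIOUS_RE = re.compile(
    r"(powershell(\.exe)?|\bpwsh\b|cmd(\.exe)?\s*/c|-encodedcommand|-enc\b|"
    r"invoke-expression|\biex\b|downloadstring|frombase64string|"
    r"start-process|wscript|mshta|rundll32|regsvr32)",
    re.IGNORECASE,
)

MAX_CUE_LEN = 300  # constructed threshold; real dialogue lines are far shorter

Finding = Tuple[int, str, str]


def scan_srt(text: str) -> List[Finding]:
    """Return (line_no, reason, line) for every anomaly in an SRT file's text."""
    findings: List[Finding] = []
    state = "index"  # kind of line expected next: index | timing | text
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip("\ufeff").rstrip("\r")
        command_like = bool(SUSPICIOUS_RE.search(line))
        if command_like:
            findings.append((no, "command-like content", line))
        if state == "index":
            if line == "":
                continue  # tolerate extra blank lines between cues
            if not line.isdigit():
                if not command_like:  # already reported above
                    findings.append((no, "expected cue index", line))
                continue  # stay in 'index' until a real cue starts
            state = "timing"
        elif state == "timing":
            if not TIMING_RE.match(line):
                findings.append((no, "expected timing line", line))
            state = "text"
        else:  # dialogue text until the blank line that ends the cue
            if line == "":
                state = "index"
            elif len(line) > MAX_CUE_LEN:
                findings.append((no, "abnormally long cue text", line[:80] + "..."))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Read a subtitle file leniently (errors replaced) and scan it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_srt(fh.read())


# Constructed sample: three ordinary cues and one cue whose text is a command
# line. The command body is a placeholder, not a real payload.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,500
Where are you going?

2
00:00:04,000 --> 00:00:06,000
Home. It's late.

3
00:00:06,500 --> 00:00:08,000
powershell -Command "CONSTRUCTED_PLACEHOLDER"

4
00:00:09,000 --> 00:00:11,000
See you tomorrow.
"""

if __name__ == "__main__":
    # Scan files given on the command line, or the built-in sample if none.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_srt(SAMPLE_SRT)
    for line_no, reason, content in results:
        print(f"line {line_no}: {reason}: {content}")
```

Run it against a downloaded subtitle with `python scan_srt.py movie.srt`; with no argument it scans the built-in sample and reports the command line at line 11. The grammar check matters as much as the token list: a payload that avoids every known keyword still has to sit somewhere, and a line that is neither a cue index, a timing line nor dialogue inside a cue is reported regardless of its content.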
This is just the beginning
This is not the first case of using fake torrents to infect computers.
“Earlier, the film Mission: Impossible – The Final Reckoning was used to distribute the Lumma Stealer malware, which steals passwords, cookies, cryptocurrency wallet data, as well as credentials for remote desktop tools” – reminds BitDefender.
Experts have no doubt that the situation will worsen.
“Over the last few years, the number of infected torrents promising the latest movies and series has surged dramatically. Attackers have clearly discovered an effective attack vector, and Agent Tesla is becoming one of their favorite tools” – summarizes the company.
Katarzyna Petru