- Fake movie torrents deliver malware in multiple steps without the user noticing that anything has executed
- AgentTesla steals browser, email, FTP and VPN credentials silently and efficiently
- Malicious PowerShell scripts hide inside subtitles, extracted when users launch shortcuts
Cybercriminals have circulated a fraudulent torrent claiming to contain “One Battle After Another,” a movie released on September 26, 2025, starring Leonardo DiCaprio.
The torrent seems authentic at first glance, bundling a large movie file together with images, subtitles and a shortcut presented as a launcher.
Researchers observed thousands of seeders and leechers linked to the file, suggesting widespread distribution rather than an isolated campaign.
How the chain of infection is triggered
The attack begins when the user clicks on a shortcut file disguised as a movie launcher.
This action executes Windows commands that silently extract and run a malicious PowerShell script hidden inside the subtitle file.
Attackers hide the script between specific subtitle lines and mix it into text that appears innocuous under casual inspection.
Once executed, the script extracts multiple AES-encrypted blocks embedded in the same subtitle file and reconstructs several additional PowerShell scripts on the system.
The extracted scripts write themselves to a diagnostics folder in the user profile and act as a coordinated malware loader.
One step reuses the movie file as an archive, while another creates a hidden RealtekDiagnostics scheduled task to maintain persistence after reboot.
Additional steps decode binary data hidden in image files, restore them in Windows diagnostic cache locations, and verify that the necessary folders exist.
The final steps check Windows Defender status, install the Go runtime, and load the final payload directly into memory.
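As an added detection example (not from the article or from Bitdefender's report), the following Python scanner parses an .srt subtitle file cue by cue and flags cues whose text looks like a carrier rather than dialogue: script tokens, a long base64 run, oversized cue text, or a broken cue structure. The sample subtitle file, the token list and the 200-character threshold are constructed assumptions for illustration.

```python
import base64
import re

# Constructed sample .srt: two ordinary cues and one cue whose text carries a
# PowerShell fragment plus a long base64 run, the pattern the article describes
# (script and encrypted blocks hidden between subtitle lines). The blob is a
# placeholder string, not a payload.
_BLOB = base64.b64encode(b"constructed placeholder, not a payload " * 5).decode()
SAMPLE_SRT = (
    "1\n00:00:01,000 --> 00:00:03,000\nThe story begins.\n\n"
    "2\n00:00:04,000 --> 00:00:06,000\n"
    f"powershell -EncodedCommand {_BLOB}\n\n"
    "3\n00:00:07,000 --> 00:00:09,000\nA quiet evening.\n"
)

TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Tokens that have no business in a subtitle cue; matched case-insensitively.
SCRIPT_TOKENS = ("powershell", "-encodedcommand", "frombase64string",
                 "invoke-expression", "cmd.exe")
MAX_CUE_TEXT = 200  # assumed ceiling; real dialogue cues are far shorter


def scan_srt(srt_text):
    """Return [(cue_number, [reasons])] for cues that look like script carriers."""
    findings = []
    for block in re.split(r"\n\s*\n", srt_text.strip()):
        lines = block.splitlines()
        # A well-formed SRT cue is: index line, timing line, one or more text lines.
        index = lines[0].strip()
        timing = lines[1] if len(lines) > 1 else ""
        text = "\n".join(lines[2:])
        reasons = []
        if not index.isdigit() or not TIMESTAMP_RE.match(timing):
            reasons.append("malformed-cue-structure")
        lowered = text.lower()
        hits = [t for t in SCRIPT_TOKENS if t in lowered]
        if hits:
            reasons.append("script-token:" + ",".join(hits))
        if BASE64_RUN_RE.search(text):
            reasons.append("long-base64-run")
        if len(text) > MAX_CUE_TEXT:
            reasons.append("oversized-cue-text")
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for cue, why in scan_srt(SAMPLE_SRT):
        print(f"cue {cue}: {', '.join(why)}")
```

Run against a torrent's subtitle files before opening anything else in the bundle; a single flagged cue is enough reason to discard the download.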
The malware delivered is AgentTesla, a remote access Windows Trojan that has been active since 2014.
It steals credentials from browsers, email clients, FTP tools and VPN software while also taking screenshots.
Bitdefender notes that similar campaigns attached to other movie titles have delivered different malware families, showing that the decoy remains reusable even when the payload changes.
The attack chain does not rely on exploiting software bugs, but on user execution that bypasses basic antivirus defenses through layered obfuscation.
Torrent files from anonymous publishers remain a consistent delivery method for credential-stealing malware.
Tools marketed for identity theft protection or malware removal offer limited help once credentials have already been exfiltrated.
This campaign reinforces how entertainment-driven curiosity continues to override basic caution, even as techniques become more complex and difficult to spot.
Via BleepingComputer