
Cybercriminals are exploiting the popularity of Leonardo DiCaprio’s latest film, One Battle After Another, to spread the Agent Tesla Remote Access Trojan (RAT) via a sophisticated, stealthy torrent-based infection chain.
The attack was uncovered by researchers at Bitdefender after a sudden spike in malware detections tied to a torrent masquerading as the new movie. Instead of delivering a video file, the torrent package unfolds into a multi-layered fileless malware attack that ultimately infects victims with Agent Tesla, a powerful info-stealing RAT designed for persistent surveillance and credential theft.
The infection begins when a user downloads a malicious torrent posing as a pirated copy of One Battle After Another. Inside the torrent is a file named CD.lnk, presented as a shortcut to the movie. However, this file is a decoy that triggers a malicious script chain via legitimate Windows tools such as cmd.exe, powershell.exe, and Task Scheduler.
Upon execution, the shortcut file reads specific lines from a seemingly benign subtitle file (Part2.subtitles.srt) that contain hidden batch code. This code then executes PowerShell commands to extract and decrypt additional malicious payloads, which are scattered across other disguised files within the download package, including:
- One Battle After Another.m2ts (a fake video file that’s actually an archive)
- Photo.jpg (contains encoded binary data)
- Cover.jpg (a password-protected archive with further scripts)
These components are designed to unpack in memory, create persistence through scheduled tasks, and avoid detection by never writing the core malware binary to disk.
While attribution remains unclear, the attack appears to be opportunistic, targeting novice users who are unaware of the risks of torrenting and unlikely to scrutinize file contents. The final payload is Agent Tesla, a widely abused RAT known for keylogging, clipboard monitoring, screen capturing, and credential harvesting.
Persistence is achieved by creating a scheduled task named RealtekDiagnostics that masquerades as an audio helper tool. This task launches a chain of scripts culminating in the compilation and execution of a Go-based loader for Agent Tesla.
Users should avoid downloading pirated content, scan downloaded files with an up-to-date antivirus, and monitor scheduled tasks for suspicious rogue entries such as ‘RealtekDiagnostics’.
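One way to act on that last recommendation, as an added example that is not Bitdefender's code: a small Python checker that reads a `schtasks /query /fo CSV /v` export and flags the persistence traits described above (the RealtekDiagnostics task name, an action that launches a script host instead of a program, a command line pointing at data or shortcut files in a Downloads folder). The CSV rows below are constructed and use only a subset of the real export's columns.

```python
"""Flag suspicious Windows scheduled tasks from a schtasks CSV export."""
import csv
import io
import re

# Task name the article ties to this campaign's persistence mechanism.
KNOWN_DECOY_NAMES = {"realtekdiagnostics"}

# Script hosts routinely abused to launch staged payloads instead of a real program.
SCRIPT_HOSTS = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe\b", re.I)

# Media, image or shortcut extensions that have no business in a task's command line.
DECOY_EXTENSIONS = re.compile(r"\.(srt|jpg|jpeg|png|m2ts|mp4|mkv|lnk)\b", re.I)

# Constructed sample (subset of `schtasks /query /fo CSV /v` columns):
# two ordinary tasks plus one modelled on the article's description.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"PC1","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g"
"PC1","\RealtekDiagnostics","cmd.exe /c C:\Users\u\Downloads\CD.lnk"
"PC1","\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
'''


def assess_task(name: str, command: str) -> list[str]:
    """Return the reasons a task looks suspicious; an empty list means nothing found."""
    reasons = []
    leaf = name.rsplit("\\", 1)[-1].lower()          # last path component of the task name
    if leaf in KNOWN_DECOY_NAMES:
        reasons.append(f"task name matches known decoy '{leaf}'")
    if SCRIPT_HOSTS.search(command):
        reasons.append("action launches a script host rather than a program")
    ext = DECOY_EXTENSIONS.search(command)
    if ext:
        reasons.append(f"command references a data or shortcut file ({ext.group(0)})")
    if re.search(r"\\Users\\[^\\]+\\Downloads\\", command, re.I):
        reasons.append("command points into a user's Downloads folder")
    return reasons


def find_suspicious_tasks(csv_text: str) -> dict[str, list[str]]:
    """Map each flagged TaskName to its reasons, given schtasks CSV text."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row["TaskName"], row["Task To Run"])
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, why in find_suspicious_tasks(SAMPLE_CSV).items():
        print(task, "->", "; ".join(why))
```

On a live host, pipe the output of `schtasks /query /fo CSV /v` into `find_suspicious_tasks` instead of the constructed sample; the name list and extension set are starting points to extend with local knowledge.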