

Press Release -- December 10th, 2025
Source: bitdefender

Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain

SYDNEY, 11 December 2025 – After noticing a spike in detections involving what looked like a movie torrent for One Battle After Another, Bitdefender researchers started an investigation and uncovered a multi-stage infection chain behind the download.

The film, Leonardo DiCaprio’s latest, has quickly gained notoriety, making it an attractive lure for cybercriminals seeking to infect as many devices as possible.

People often search for the latest movies on the internet, hoping to find a copy of a new release that has just begun its theatre run or is only available via pay-per-view streaming. And since users are looking for entertainment, the possibility of infection from downloading a film might not cross their minds.

However, what seems like a simple download can quickly turn into something far more dangerous. Instead of the expected video file, users unknowingly download a set of PowerShell scripts and image archives that assemble, entirely in memory, into a command-and-control (C2) agent: the Agent Tesla remote access trojan (RAT).

This type of malware is designed with a single purpose: to provide attackers with unfettered access to the victim’s Windows computer. Once they have a foothold, criminals can access the computer remotely and steal financial and personal information or use the device to launch additional attacks.

The trend of embedding malware in torrents and fake multimedia files that pretend to offer movies and TV shows is not new, but it has gained a lot of steam in the last year or so.

For example, Mission: Impossible – The Final Reckoning was used to spread the Lumma Stealer, which targets passwords, cookies, crypto wallets, credentials from remote desktop tools, and more.

The Agent Tesla malware in this fake movie release has been used for years in many campaigns, including email phishing and fake COVID-19 vaccination registration lures.

This investigation documents every layer of this new attack and shows how the components work together to evade detection.

Key findings

  • The notoriety of Leonardo DiCaprio’s new film, One Battle After Another, is being used to deploy malware on the Windows machines of unsuspecting users.
  • The Agent Tesla RAT itself is not novel, but the chaining of consecutive stages through PowerShell and other Living Off the Land (LOTL) tools is notable.
  • According to our telemetry, this particular chain has so far been observed only in this torrent download.
  • Payload execution is done entirely in memory.
  • The attack demonstrates the use of multi-stage scripting, advanced obfuscation techniques, and fileless execution to evade detection and establish persistence.
  • The goal is to transform the Windows PC into a zombie agent, ready to be used at any time by attackers in other campaigns or to deploy malware further.
  • The attack targets novices who rarely download pirated content and do not understand the dangers of torrents.

Context

The infection begins when a user downloads a torrent that appears to contain the One Battle After Another film. Inside the downloaded content, the user finds a Windows shortcut file named simply CD.lnk, presented as the launcher for the movie.

Double-clicking that shortcut, however, triggers a hidden command chain that executes a series of malicious scripts buried inside the subtitle file Part2.subtitles.srt.
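As an added illustration of how a defender can triage a shortcut like CD.lnk before anyone double-clicks it (this is example code written for this page, not Bitdefender's tooling and not an artefact from the campaign): the script below parses the Shell Link header and StringData fields with the standard library only, then flags the traits a LNK launcher of this kind tends to show: a window opened hidden, cmd.exe or PowerShell as the real target, hidden-window or encoded-command switches, and arguments that point PowerShell at a non-executable file such as a subtitle. The two sample shortcuts are built in-script as test fixtures; their paths, command lines, task names and the indicator regexes are assumptions for illustration, not the real content of CD.lnk.

```python
"""Static triage of Windows shortcut (.lnk) files found in a torrent download.

Parses the Shell Link header and StringData fields (MS-SHLLINK), standard
library only, then scores the shortcut against traits of a LNK launcher:
hidden window, cmd/PowerShell as the real target, hidden-window or encoded
PowerShell switches, and a script pulled from a non-executable file.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData entries are stored in this order.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand that opens the window minimised and unfocused

# Indicator patterns: assumptions for illustration, tune them to your own telemetry.
SHELL_RE = re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b", re.I)
HIDDEN_PS_RE = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"
    r"|nop(rofile)?\b|noni(nteractive)?\b|e(p|x|xecutionpolicy)\s+bypass)", re.I)
DATA_FILE_RE = re.compile(r"\.(srt|sub|txt|jpg|jpeg|png|gif|mp4|mkv|avi)\b", re.I)


def _read_string(buf, off, unicode):
    """Read one StringData entry: 16-bit character count, then the characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(buf):
    """Return ShowCommand plus whichever StringData fields the shortcut carries."""
    if (len(buf) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", buf, 60)[0]}
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        off += struct.unpack_from("<I", buf, off)[0]
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields


def triage_lnk(buf):
    """Parse a shortcut and return (fields, list of indicator names that fired)."""
    fields = parse_lnk(buf)
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    shell = bool(SHELL_RE.search(target) or SHELL_RE.search(args))
    hits = []
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("hidden_window")
    if shell:
        hits.append("shell_target")
        if HIDDEN_PS_RE.search(args):
            hits.append("hidden_powershell_switches")
        if DATA_FILE_RE.search(args):      # script text hidden in a "media" file
            hits.append("script_in_data_file")
    return fields, hits


def build_lnk(relative_path, arguments, show_command=1):
    """Build a minimal Shell Link: a constructed test fixture, not a campaign file."""
    def pack_string(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + pack_string(relative_path) + pack_string(arguments)


# Constructed samples. The lure's command line is an assumption that illustrates
# the pattern described in the text; it is not the real content of CD.lnk.
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c powershell -w hidden -nop -c "iex (Get-Content Part2.subtitles.srt -Raw)"',
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\VLC\vlc.exe", r'"One Battle After Another.mkv"')

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        fields, hits = triage_lnk(blob)
        print(f"{label}: target={fields.get('relative_path')!r} hits={hits}")
```

To run it over a real download, read each `.lnk` in the torrent folder as bytes and pass it to `triage_lnk`; a shortcut that resolves to a shell, opens minimised and feeds PowerShell a `.srt` is worth quarantining before it is ever opened. Note that the parser deliberately skips the LinkTargetIDList, so a shortcut with no RelativePath but a shell in its ID list would be missed; extend `parse_lnk` to walk the ItemIDs if that matters in your environment.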

The attacker chains several legitimate Windows utilities (CMD, PowerShell, and Task Scheduler) to unpack multiple layers of encrypted data and run the final payload.
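A second added example, again written for this page rather than taken from Bitdefender or the campaign: the static check above only catches the shortcut, so this script hunts for the chain at run time by rebuilding parent/child lineage from flat process-creation records and matching the shape described in this section, Explorer (the user opening a shortcut) spawning cmd.exe, which spawns a hidden or encoded PowerShell that reads its script from a data file and registers a scheduled task. The event records, process IDs, task name and command lines are constructed for the example; the field names only loosely mirror Sysmon Event ID 1 and are an assumption, not a real log schema.

```python
"""Hunt for a LNK-launched living-off-the-land chain in process-creation telemetry.

Rebuilds parent/child lineage from flat process-creation records and flags the
shape explorer.exe -> cmd.exe -> powershell.exe where the PowerShell is hidden
or encoded, reads a data file, or spawns schtasks.exe to persist.
"""
import re
from collections import defaultdict

POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN_PS_RE = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}|nop(rofile)?\b)", re.I)
DATA_FILE_RE = re.compile(r"\.(srt|sub|txt|jpg|png|mp4|mkv)\b", re.I)


def image_name(path):
    """Lower-cased file name of an image path, e.g. 'cmd.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def find_lnk_chains(events):
    """Return one finding per PowerShell that sits under explorer.exe -> cmd.exe."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ps in events:
        if image_name(ps["image"]) not in POWERSHELL:
            continue
        cmd = by_pid.get(ps["ppid"])
        if not cmd or image_name(cmd["image"]) != "cmd.exe":
            continue
        root = by_pid.get(cmd["ppid"])
        if not root or image_name(root["image"]) != "explorer.exe":
            continue                      # interactive shells from a terminal are ignored
        reasons = []
        if HIDDEN_PS_RE.search(ps["cmd"]):
            reasons.append("hidden_or_encoded_powershell")
        if DATA_FILE_RE.search(ps["cmd"]):
            reasons.append("script_read_from_data_file")
        if any(image_name(c["image"]) == "schtasks.exe" and "/create" in c["cmd"].lower()
               for c in children[ps["pid"]]):
            reasons.append("scheduled_task_persistence")
        if reasons:
            findings.append({"chain": [root["pid"], cmd["pid"], ps["pid"]], "reasons": reasons})
    return findings


# Constructed records loosely shaped like Sysmon Event ID 1 (not real telemetry).
# PIDs, task name and command lines are invented for the example; the encoded
# command in the schtasks action decodes to the harmless "Start-Sleep".
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2000, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c powershell -w hidden -nop -c "iex (Get-Content Part2.subtitles.srt -Raw)"'},
    {"pid": 2001, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -w hidden -nop -c "iex (Get-Content Part2.subtitles.srt -Raw)"'},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 30 /tn "MediaUpdate" '
            r'/tr "powershell -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="'},
    {"pid": 3000, "ppid": 100, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "cmd": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" "One Battle After Another.mkv"'},
    # An admin's interactive PowerShell from a console: cmd.exe -> powershell,
    # but not under Explorer and with no suspicious switches, so it must not fire.
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 4001, "ppid": 4000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell"},
]

if __name__ == "__main__":
    for finding in find_lnk_chains(EVENTS):
        print(finding)
```

The lineage lookup is what keeps the rule quiet: PowerShell under cmd.exe is ordinary on an administrator's machine, while PowerShell under cmd.exe under Explorer with a hidden window is almost always a shortcut or document lure. Feed the function your own process-creation events (mapped to `pid`, `ppid`, `image`, `cmd`) and add the encoded-command payload to the alert so the analyst can decode the persistence action without re-querying.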

Conclusion

It’s impossible to estimate how many people downloaded the files, but we saw that the supposed movie had thousands of seeders and leechers. Users of any Bitdefender security solution were protected from the start.

In the past couple of years, the number of infected torrent files promising to offer the latest TV shows and movies has skyrocketed. It’s becoming abundantly clear that attackers have discovered a viable attack vector.

These problems are only going to increase – at least until users realise that threats can hide in files posing as multimedia content.

##

About Bitdefender

Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumers, enterprises, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioural analytics, and artificial intelligence and its technology is licensed by more than 180 of the world’s most recognised technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world. For more information, visit https://www.bitdefender.com.
