
A fake torrent for Leonardo DiCaprio’s ‘One Battle After Another’ hides malicious PowerShell malware loaders inside subtitle files that ultimately infect devices with the Agent Tesla RAT malware.
The malicious torrent file was discovered by Bitdefender researchers while investigating a spike in detections related to the movie.
One Battle After Another is a highly rated Paul Thomas Anderson movie released on September 26, 2025, starring Leonardo DiCaprio, Sean Penn, and Benicio del Toro.
Cybercriminals taking advantage of interest around new movies by uploading malicious torrents is nothing new, but Bitdefender notes this case stands out for its unusually complex and stealthy infection chain.
“It is impossible to estimate how many people downloaded the files, but we observed that the supposed movie had thousands of seeders and leechers,” explained Bitdefender.
Launching malware from subtitles
The downloaded One Battle After Another movie torrent used in the attacks contains various files, including a movie file (One Battle After Another.m2ts), two image files (Image.jpg, Cover.jpg), a subtitles file (Part2.subtitles.srt), and a shortcut file (CD.lnk) that appears to be a movie launcher.
When the CD shortcut is executed, it launches Windows commands that extract and run a malicious PowerShell script embedded in the subtitle file between lines 100 and 103.

This PowerShell script then extracts numerous AES-encrypted data blocks from the subtitles file again to reconstruct five PowerShell scripts that are dropped to ‘C:\Users\<USER>\AppData\Local\Microsoft\Diagnostics.’
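A defender-side check for the trick described above, added here as an example and not code from Bitdefender or BleepingComputer: it parses an .srt file into cues and flags any block whose text carries a command line or a base64-looking blob instead of dialogue. The sample subtitle text and the indicator list are constructed assumptions, not content from the real Part2.subtitles.srt.

```python
import re

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
# Tokens that have no business inside a subtitle cue: (label, pattern).
INDICATORS = [
    ("powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("encoded-command", re.compile(r"\s-e(c|nc|ncodedcommand)?\b", re.I)),
    ("invoke-expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("crypto-decode", re.compile(r"FromBase64String|AesCryptoServiceProvider", re.I)),
    ("long-blob", re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")),  # base64-looking run
]

def parse_srt(text):
    """Split SRT text into (index, timestamp, text_lines); non-cue blocks get index None."""
    cues = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        lines = block.splitlines()
        if len(lines) >= 2 and lines[0].strip().isdigit() and TIMESTAMP.match(lines[1].strip()):
            cues.append((int(lines[0]), lines[1].strip(), lines[2:]))
        else:
            cues.append((None, "", lines))  # stray data: keep it so it gets inspected
    return cues

def find_suspicious_cues(text):
    """Return [(cue_index, [labels])] for every block that looks like a payload carrier."""
    findings = []
    for idx, _ts, lines in parse_srt(text):
        body = "\n".join(lines)
        labels = [name for name, pat in INDICATORS if pat.search(body)]
        if idx is None:
            labels.append("malformed-block")
        if any(len(line) > 200 for line in lines):  # real dialogue lines are short
            labels.append("overlong-line")
        if labels:
            findings.append((idx, labels))
    return findings

# Constructed sample (not the real Part2.subtitles.srt): a normal cue, a cue carrying
# a command line, and a trailing non-cue block of base64-looking data.
BLOB = "QUFB" * 18  # 72 base64 characters of filler
SAMPLE_SRT = f"""1
00:00:01,000 --> 00:00:03,500
Where did you hide it?

2
00:00:04,000 --> 00:00:06,000
powershell -NoProfile -w hidden -enc {BLOB}

{BLOB}
"""
```

Running `find_suspicious_cues(SAMPLE_SRT)` flags cue 2 and the trailing block while leaving the dialogue cue alone; the same scan over a real subtitle file from a torrent would surface cues like the ones at lines 100 to 103 described above.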

Source: BleepingComputer
The extracted PowerShell scripts act as a malware dropper, performing the following actions on the host:
- Stage 1 – Extracts the One Battle After Another.m2ts file as an archive using any available extractor.
- Stage 2 – Creates a hidden scheduled task (RealtekDiagnostics) that runs RealtekCodec.bat
- Stage 3 – Decodes embedded binary data from Image.jpg and writes restored files to the Windows Sound Diagnostics Cache directory.
- Stage 4 – Ensures %LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnosticsCache exists.
- Stage 5 – Extracts Cover.jpg contents into the Cache directory, including batch files and PowerShell scripts.
The files extracted in the final stage are used to check whether Windows Defender is active, install Go, extract the final payload (AgentTesla), and load it directly into memory.
AgentTesla is a long-running (since 2014) Windows RAT and information stealer, commonly used to steal browser, email, FTP, and VPN credentials, as well as to capture screenshots.
While Agent Tesla is not new, it remains widely used due to its reliability and ease of deployment.
Bitdefender has noted that in other movie titles, for example ‘Mission: Impossible – The Final Reckoning,’ it has observed other families used, such as Lumma Stealer.
Torrent files from anonymous publishers often contain malware, so users are advised to avoid pirating new movies entirely for safety.
