Bitdefender researchers have uncovered a sophisticated malware campaign using a fake torrent of Leonardo DiCaprio’s new film, One Battle After Another, to deploy the Agent Tesla remote access trojan through a multi-layered PowerShell infection chain. The torrent, which appeared legitimate and showed thousands of seeders and leechers, was used as bait to compromise Windows systems and steal sensitive information.
The investigation began after Bitdefender detected a spike in activity associated with the fake movie file. Threat actors increasingly exploit new film releases as lures, relying on users who seek pirated content without considering the risks. Instead of a video file, victims downloaded a set of obfuscated scripts and image archives designed to assemble and execute Agent Tesla entirely in memory, leaving minimal forensic traces.
Once installed, Agent Tesla allows attackers to remotely access the victim’s computer, harvest financial and personal data, retrieve stored credentials and use the compromised machine to launch further attacks. While Agent Tesla itself is a long-running malware family known from phishing and COVID-19-themed campaigns, Bitdefender notes that the deployment techniques used in this case are unusually complex.
The fake torrent conceals a malicious shortcut file, CD.lnk, which users believe launches the film. Instead, it triggers a hidden command sequence that extracts and runs malicious content embedded within what appears to be a subtitle file. The infection chain relies heavily on legitimate, signed Windows tools such as PowerShell, CMD and Task Scheduler in a living-off-the-land approach designed to evade signature-based detection. Apart from the shortcut and the carrier "subtitle" file delivered in the torrent, execution is fileless: the payloads are decrypted and staged exclusively in memory, so no Agent Tesla binary is ever written to disk. The scheduled task used for persistence is itself a durable artefact (a task definition under the Windows Tasks folder and the registry), which is one of the few on-disk footholds defenders can hunt for.
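The first link in the chain is an ordinary Windows shortcut whose target and arguments have been pointed at a LOLBin, so a useful triage step is to parse the .lnk files in a download directory without double-clicking them and flag launchers that point at cmd.exe/PowerShell, hide their window, or carry script-like arguments. The following is an added example written for this article, not Bitdefender's tooling: it implements a minimal MS-SHLLINK parser (header, optional IDList and LinkInfo skipping, StringData) and a heuristic scorer. The two sample shortcuts, the LOLBin list and the argument tokens are constructed for illustration; the "CD.lnk" built here only mimics the shape described above (cmd launching hidden PowerShell that reads a .srt file) and is not the campaign's actual command line.

```python
"""Minimal .lnk (MS-SHLLINK) inspector that flags LOLBin launchers.

Added example for this article; not Bitdefender's code. All samples are
constructed in build_lnk(), so the script runs offline and touches no disk.
"""
from __future__ import annotations
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

SW_SHOWMINNOACTIVE = 7  # window starts minimised and never gets focus

# Heuristic lists: assumptions for this example, extend to taste
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "rundll32.exe"}
SUSPICIOUS_ARG_TOKENS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop",
                         "-ep bypass", "iex", "invoke-expression",
                         "frombase64string", "downloadstring", ".srt", "schtasks")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    show_command = struct.unpack_from("<I", data, 60)[0]   # ShowCommand at offset 60
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                     # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                               # LinkInfoSize (u32) covers itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw, pos = data[pos:pos + nbytes], pos + nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252")

    fields = {"show_command": show_command}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = read_string() if flags & flag else ""
    return fields


def assess_lnk(fields: dict) -> list[str]:
    """Heuristic findings; an empty list means nothing stood out."""
    findings = []
    target = fields["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields["arguments"].lower()
    if target in LOLBINS:
        findings.append(f"target is a LOLBin: {target}")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    hits = [t for t in SUSPICIOUS_ARG_TOKENS if t in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    return findings


def build_lnk(target: str, arguments: str, working_dir: str = ".",
              show_command: int = 1) -> bytes:
    """Constructed minimal shortcut (no IDList/LinkInfo), enough for parse_lnk()."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(target) + enc(working_dir) + enc(arguments)


def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Inspect every .lnk under a download folder without executing anything."""
    report = {}
    for lnk in directory.rglob("*.lnk"):
        try:
            report[lnk.name] = assess_lnk(parse_lnk(lnk.read_bytes()))
        except ValueError as exc:
            report[lnk.name] = [f"unparseable: {exc}"]
    return report


def demo_report() -> dict[str, list[str]]:
    """Two constructed samples: a fake 'CD.lnk' launcher and a benign player shortcut."""
    samples = {
        "CD.lnk": build_lnk(r"..\..\Windows\System32\cmd.exe",
                            '/c powershell -w hidden -nop -ep bypass -c '
                            '"IEX (Get-Content .\\One.Battle.After.Another.srt -Raw)"',
                            show_command=SW_SHOWMINNOACTIVE),
        "Play.lnk": build_lnk(r"..\..\Program Files\Player\player.exe",
                              '"One.Battle.After.Another.mkv"'),
    }
    return {name: assess_lnk(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, findings in demo_report().items():
        print(name, "->", findings or "clean")
```

Run it against a real download folder with `scan_directory(Path(r"C:\Users\me\Downloads"))`; a media torrent that ships any shortcut at all is already unusual, and one whose target is cmd.exe or PowerShell with a hidden window should be treated as hostile before anyone opens it.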
Bitdefender’s analysis highlights several notable characteristics:
- The campaign exploits the popularity of a high-profile new film to increase infection rates.
- The attack relies on sequential PowerShell stages, encryption and obfuscation to evade detection.
- The decrypted malware operates entirely in memory and is never written to disk, so there is no Agent Tesla binary to recover; the shortcut, the carrier file and the scheduled task are the remaining on-disk artefacts.
- The objective is to turn infected machines into remotely controlled “zombie” agents for future campaigns.
- The campaign appears targeted at inexperienced users who may not fully understand the risks of torrent downloads.
The company also referenced a wider trend: attackers increasingly embed malware in fake torrents for new movies and TV releases. Recent examples include the use of a fake Mission: Impossible – The Final Reckoning torrent to spread the Lumma Stealer information-stealing malware.
While the number of victims from this campaign is unknown, the torrent’s popularity suggests significant potential impact. Bitdefender confirms that its security solutions blocked the threat from the outset.
The findings reinforce the ongoing risks posed by pirated content and the growing sophistication of malware campaigns hiding inside seemingly harmless multimedia files. Attackers are expected to continue exploiting this vector until user behaviour changes and awareness improves.

