Windows Malware Hidden in Fake DiCaprio Film Torrent

A staged torrent attack replaces a movie file with a full Agent Tesla infection chain

Malware hidden in torrent files
Attackers replaced a movie file with a scripted malware delivery chain

A fake torrent claiming to contain a new Leonardo DiCaprio film was used to infect Windows users with Agent Tesla by abusing scripts, shortcuts, and built-in system tools.

Cybersecurity researchers at Bitdefender identified a malware campaign built around a fake torrent claiming to contain Leonardo DiCaprio’s film One Battle After Another. The torrent includes no video file at all. It delivers a multi-stage infection chain that installs Agent Tesla, a long-running information stealer with remote access features, on Windows systems.

The campaign relies on timing and visibility. The film is still in cinemas and not widely available through legitimate digital releases. That gap creates a surge in searches for early copies. Attackers exploit this demand by seeding torrents that appear convincing at first glance. Bitdefender observed thousands of downloads before the files were flagged and removed.

Once downloaded, the torrent contents do not behave like a normal movie release. There is no playable media file. Instead, the package contains a collection of scripts and disguised files that initiate execution when opened. The infection process unfolds through a sequence of PowerShell and batch commands that decode and run the malware directly in memory.

Agent Tesla is a long-established, .NET-based Windows information stealer that is often described as a remote access trojan because of the control it gives an operator. Once active, it harvests browser credentials, saved passwords, email client data, keystrokes, and clipboard contents, and sends them to the operator, typically over SMTP, FTP, or Telegram. In this campaign the final payload is decoded and run in memory rather than dropped as a conventional executable, which weakens file-based detection after execution. The scripts and shortcuts that start the chain do remain on disk, and the persistence task survives a reboot, so those are the artifacts to hunt for.

The attack chain is deliberately fragmented. Shortcut (.lnk) files trigger execution while posing as a launcher for the movie. Subtitle files are abused to conceal command execution. Encrypted payloads are hidden inside image archives. Persistence comes from a scheduled task named to resemble a legitimate Realtek audio diagnostic process. Each step relies on native Windows functionality rather than custom binaries, so no single file looks like malware on its own.

This technique is known as living off the land. Instead of introducing obvious malware files, attackers abuse tools that already exist on the system, such as PowerShell, the command shell (cmd.exe), and the Task Scheduler. These tools are widely used by administrators and legitimate software, so malicious activity blends in with normal system behavior. What gives it away is the combination rather than any one component: here, a vendor-named scheduled task whose action is a script interpreter rather than that vendor's own binary.
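The persistence step above is where living-off-the-land activity is easiest to catch, because the scheduled task definition records the command it runs. The following added example (not Bitdefender's tooling, and not taken from the campaign) scores Windows Task Scheduler XML definitions for the pattern the article describes: a task with a hardware-vendor name whose action is a script host, launched with hidden or encoded switches from a user-writable path. The two task definitions it scores are constructed for this example; the task name, description, paths and arguments are illustrative, not indicators from the real campaign.

```python
# Added example, not from Bitdefender's report: score Task Scheduler definitions
# for the living-off-the-land persistence pattern described above. Task XML files
# live under %SystemRoot%\System32\Tasks on a real host; the two samples below
# are constructed for this example, including the vendor-style task name.
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and proxy-execution binaries that need no custom malware on disk.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"(?i)-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b|"
    r"-ep\s+bypass|executionpolicy\s+bypass|\biex\b|frombase64string|downloadstring")
USER_WRITABLE = re.compile(
    r"(?i)\\(?:appdata|temp|tmp|users\\public|programdata)\\|%(?:appdata|localappdata|temp|tmp|public)%")
VENDOR_WORDS = re.compile(r"(?i)\b(?:realtek|intel|nvidia|amd|dell|hp|lenovo)\b")


def score_task(xml_source, task_name):
    """Return the reasons a task looks like LOTL persistence; score is their count."""
    root = ET.fromstring(xml_source)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    command = text("t:Actions/t:Exec/t:Command")
    args = text("t:Actions/t:Exec/t:Arguments")
    workdir = text("t:Actions/t:Exec/t:WorkingDirectory")
    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"action runs script host {exe}")
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("arguments use hidden, encoded or policy-bypass switches")
    if any(USER_WRITABLE.search(s) for s in (command, args, workdir)):
        reasons.append("references a user-writable location")
    if text("t:Settings/t:Hidden").lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    label = task_name + " " + text("t:RegistrationInfo/t:Description")
    if VENDOR_WORDS.search(label) and exe in SCRIPT_HOSTS:
        reasons.append("hardware-vendor naming but the action is a script host")
    return {"task": task_name, "command": command, "reasons": reasons, "score": len(reasons)}


def scan_tasks_dir(tasks_root):
    """Score every task file under a Tasks directory (files on disk are UTF-16 XML,
    so they are read as bytes and left to the parser to decode)."""
    results = []
    for dirpath, _, names in os.walk(tasks_root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    results.append(score_task(fh.read(), os.path.relpath(path, tasks_root)))
                except ET.ParseError:
                    continue
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample: vendor-sounding task that actually runs an encoded PowerShell command.
SUSPECT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Realtek Audio Diagnostic Service</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoP -W Hidden -ep bypass -enc SQBFAFgA</Arguments>
      <WorkingDirectory>%LOCALAPPDATA%\RtkAudio</WorkingDirectory>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater under Program Files.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Vendor Inc. update check</Description></RegistrationInfo>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor Inc\VendorUpdater.exe</Command>
      <Arguments>/check /silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("RealtekAudioDiag", SUSPECT_TASK), ("VendorUpdate", BENIGN_TASK)):
        print(score_task(xml_text, name))
```

The scoring is deliberately additive rather than a single rule: a task that runs powershell.exe is common on a healthy machine, and so is a hidden task, but a hidden, vendor-named task that runs PowerShell with encoded arguments from a user profile directory is the signature of this kind of chain. On a live host, point scan_tasks_dir at %SystemRoot%\System32\Tasks and review the top-scoring entries against the binary the task name claims to belong to.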

The structure of the torrent itself is the clearest warning sign. Movie torrents normally contain one or more large media files; this package contains none. Instead it relies on users opening auxiliary files that would be irrelevant to video playback. The attackers count on assumption and momentum rather than technical sophistication.
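That structural check can be automated before anything is opened, since a .torrent file already lists every path and size the download will contain. The following added example (my own code, not from the article or from Bitdefender) decodes a .torrent file with a minimal bencode parser and applies the rule stated above: a movie release must contain at least one large media file, and shortcuts or scripts have no place in one at all. The same classifier is reused for an already-downloaded folder. Both sample torrents are constructed for this example and are not the real campaign torrent; the tracker URL, names and sizes are made up.

```python
# Added example, not Bitdefender's tooling: read a .torrent file list and flag
# "movie" torrents that carry no playable media but do carry scripts or shortcuts.
# The sample torrents below are constructed for this example.
import os

MEDIA_EXT = {".mkv", ".mp4", ".avi", ".mov", ".m4v", ".wmv", ".ts", ".webm"}
SCRIPT_EXT = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".vbe", ".js", ".jse",
              ".wsf", ".hta", ".scr", ".exe", ".com", ".pif"}


def bencode(value):
    """Minimal bencode encoder (BEP 3), used here only to build sample torrents."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def bdecode(data):
    """Minimal bencode decoder; dictionary keys and strings come back as bytes."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                d[k], i = parse(i)
            return d, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            n, start = int(data[i:colon]), colon + 1
            return data[start:start + n], start + n
        raise ValueError(f"malformed bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def torrent_files(meta):
    """Return [(path, size)] for both single-file and multi-file torrents."""
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" not in info:
        return [(name, info[b"length"])]
    files = []
    for entry in info[b"files"]:
        parts = [p.decode("utf-8", "replace") for p in entry[b"path"]]
        files.append(("/".join([name] + parts), entry[b"length"]))
    return files


def classify(files, min_media_bytes=100 * 1024 * 1024):
    """Verdict for a file list. Double extensions such as movie.mp4.lnk resolve to .lnk."""
    def ext(path):
        return os.path.splitext(path)[1].lower()

    media = [p for p, size in files if ext(p) in MEDIA_EXT and size >= min_media_bytes]
    scripts = [p for p, _ in files if ext(p) in SCRIPT_EXT]
    if scripts and not media:
        verdict = "hostile"      # no movie, but something executable: the pattern in the article
    elif scripts:
        verdict = "suspicious"   # a real movie plus a launcher is still not normal
    elif media:
        verdict = "plausible"
    else:
        verdict = "empty"        # nothing playable and nothing executable; still not a movie
    return {"verdict": verdict, "media": media, "scripts": scripts}


def triage_torrent(data):
    return classify(torrent_files(bdecode(data)))


def triage_directory(root):
    """Same check on a folder that has already been downloaded."""
    files = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            files.append((full, os.path.getsize(full)))
    return classify(files)


# Constructed samples (not the real campaign torrent): a launcher-plus-subtitles
# package with no video, and an ordinary release with a large .mkv.
FAKE_MOVIE = bencode({
    "announce": "udp://tracker.invalid:6969",
    "info": {
        "name": "One.Battle.After.Another.2025.1080p.WEB",
        "piece length": 262144, "pieces": b"\x00" * 20,
        "files": [
            {"length": 2431, "path": ["Play Movie.lnk"]},
            {"length": 5120, "path": ["Subs", "English.srt"]},
            {"length": 1_900_000, "path": ["cover.jpg"]},
        ],
    },
})
REAL_MOVIE = bencode({
    "announce": "udp://tracker.invalid:6969",
    "info": {
        "name": "Sample.Movie.2025.1080p.WEB",
        "piece length": 1048576, "pieces": b"\x00" * 20,
        "files": [
            {"length": 2_300_000_000, "path": ["Sample.Movie.2025.1080p.WEB.mkv"]},
            {"length": 81_000, "path": ["Sample.Movie.2025.srt"]},
        ],
    },
})

if __name__ == "__main__":
    for label, torrent in (("fake", FAKE_MOVIE), ("real", REAL_MOVIE)):
        print(label, triage_torrent(torrent))
```

The size threshold matters: a torrent can carry a tiny file with a .mkv extension purely to pass a naive extension check, so the classifier only counts media files above a plausible feature-length size. Conversely, a real film bundled with a .lnk "launcher" is rated suspicious rather than plausible, because nothing about video playback needs a shortcut.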

Once Agent Tesla is running, the impact extends beyond a single device. Stolen credentials can be reused for email access, financial fraud, or access to other systems. Infected machines may also be repurposed for further malware campaigns.

This case shows how malware distribution has shifted. Attackers follow demand. Popular films, games, and software releases provide reliable cover. On modern Windows systems, malware often arrives as scripts and shortcuts rather than executables. If something claims to be a movie and does not contain a movie, treat it as hostile by default.


FAQ

What malware was delivered in this campaign

The payload was Agent Tesla, a Windows information stealer with remote access features, capable of credential theft and persistent access.

How did the malware execute without an installer

The attack used PowerShell, batch scripts, and Windows shortcuts to execute the payload directly in memory.

Why was a new movie used as bait

New film releases generate high search volume and predictable demand that attackers exploit.

Did the torrent contain any video files

No. The torrent contained scripts, shortcuts, and archives instead of a playable movie.

Can this technique be reused for other content

Yes. The same approach is commonly used with games, software cracks, and other high demand downloads.