Cybersecurity researchers have uncovered a new, sophisticated malware campaign targeting movie pirates with a lure they can’t resist: a fake torrent for a new Leonardo DiCaprio film titled One Battle After Another. A report from Bitdefender details how this campaign uses a clever chain of scripts and legitimate Windows tools to silently deploy the notorious Agent Tesla Remote Access Trojan (RAT).
The attack targets unsuspecting users looking for free entertainment. “The notoriety of Leonardo DiCaprio’s new film, One Battle After Another, is being used to deploy malware on the Windows machines of unsuspecting users”.
The infection vector is a torrent file. Instead of a video file, the downloaded folder contains a shortcut named CD.lnk that masquerades as the movie launcher. “Clicking on that file, however, triggers a hidden command chain that executes a series of malicious scripts buried inside the subtitle file Part2.subtitles.srt”.
This technique of hiding code within a subtitle file allows the attackers to bypass initial scrutiny, exploiting the user’s expectation of finding media files in a movie folder.
The campaign is notable for its complexity and stealth. Rather than dropping a simple executable, the malware constructs itself on the victim’s machine using a technique known as “Living Off the Land” (LOTL).
The attack leverages standard Windows utilities like CMD, PowerShell, and Task Scheduler to unpack its payload layer by layer. “The Agent Tesla RAT itself is not novel, but the deployment of consecutive attack methods leveraging PowerShell and other LOTL (Living Off the Land) tools is highly interesting”.
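The two tricks described above, a shortcut that stands in for the movie and a subtitle file that carries script lines, both leave traces a defender can check for before anything is clicked. The following scanner is an added example written for this article; it is not code from Bitdefender’s report or from the campaign. It assumes only two public facts: SubRip subtitles consist of numbered blocks of an index line, a timestamp line and cue text, and Windows Shell Link (.lnk) files store their target path and arguments as UTF‑16LE strings. Lines in an .srt that do not fit that block layout, or any mention of cmd.exe, PowerShell or schtasks (the Task Scheduler command-line tool) in either file type, are reported. The sample folder it builds is constructed for the demo; the file names CD.lnk and Part2.subtitles.srt are reused from the article, and the .lnk blob is not a valid Shell Link, just enough bytes to exercise the string heuristic.

```python
"""Heuristic pre-flight scan of a downloaded "movie" folder (added example)."""
from __future__ import annotations

import os
import re
import tempfile

# SubRip timestamp line: "HH:MM:SS,mmm --> HH:MM:SS,mmm" with optional position tags.
TIMESTAMP_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}(?: .*)?$"
)
# LOTL tools the article names: CMD, PowerShell, Task Scheduler (schtasks).
LOTL_RE = re.compile(r"(cmd\.exe|powershell|schtasks)", re.IGNORECASE)


def srt_anomalies(text: str) -> list[str]:
    """Return lines of an .srt that are not part of a well-formed subtitle
    block, plus any cue line that names a Windows interpreter."""
    anomalies: list[str] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        well_formed = (
            len(lines) >= 2
            and lines[0].strip().isdigit()
            and TIMESTAMP_RE.match(lines[1].strip()) is not None
        )
        if not well_formed:
            anomalies.extend(lines)  # stray content outside the cue layout
            continue
        anomalies.extend(cue for cue in lines[2:] if LOTL_RE.search(cue))
    return anomalies


def lnk_mentions_interpreter(blob: bytes) -> list[str]:
    """Decode a .lnk as UTF-16LE (how Shell Link stores its strings) and as
    Latin-1, and return the LOTL tool names found, sorted and lower-cased."""
    found: set[str] = set()
    for enc in ("utf-16-le", "latin-1"):
        for m in LOTL_RE.finditer(blob.decode(enc, errors="ignore")):
            found.add(m.group(1).lower())
    return sorted(found)


def scan_folder(folder: str) -> dict[str, list[str]]:
    """Map each suspicious .srt/.lnk file name to its findings."""
    findings: dict[str, list[str]] = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if name.lower().endswith(".srt"):
            with open(path, encoding="utf-8", errors="replace") as fh:
                bad = srt_anomalies(fh.read())
        elif name.lower().endswith(".lnk"):
            with open(path, "rb") as fh:
                bad = lnk_mentions_interpreter(fh.read())
        else:
            continue
        if bad:
            findings[name] = bad
    return findings


def build_demo_folder() -> str:
    """Constructed sample: a clean subtitle, a subtitle with a command line
    appended after the cues, and a fake .lnk blob (not a real Shell Link)."""
    folder = tempfile.mkdtemp(prefix="movie_demo_")
    clean = (
        "1\n00:00:01,000 --> 00:00:03,000\nHello.\n\n"
        "2\n00:00:04,000 --> 00:00:06,000\nGoodbye.\n"
    )
    tampered = clean + "\ncmd.exe /c echo CONSTRUCTED_PLACEHOLDER\n"
    # Header bytes of a Shell Link (size 0x4C + CLSID), then a UTF-16LE target.
    fake_lnk = (
        b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F"
        + b"\x00" * 8
        + "C:\\Windows\\System32\\cmd.exe".encode("utf-16-le")
    )
    for name, data in (("clean.srt", clean.encode()),
                       ("Part2.subtitles.srt", tampered.encode()),
                       ("CD.lnk", fake_lnk)):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


if __name__ == "__main__":
    for fname, hits in scan_folder(build_demo_folder()).items():
        print(f"{fname}: {hits}")
```

The scan is deliberately conservative: a clean subtitle file produces no findings, and a shortcut is flagged only when its embedded strings name one of the interpreters the report associates with this chain. Run it over a freshly downloaded folder before opening anything in it, and treat any hit on a .lnk that is supposed to be a video as reason enough to delete the download.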
In a bizarre twist, one stage of the infection even involves setting up a development environment on the victim’s PC. A script named RealtekDriverInstall.ps1 checks for Windows Defender and then “attempts to install the Go programming language” to compile a malicious component named RealtekAudioService.
The ultimate goal of this elaborate setup is persistence and control. The final payload, Agent Tesla, is executed directly in memory without ever touching the disk as a complete file, a method designed to evade antivirus detection.
“Payload execution is done entirely in memory,” the report notes, highlighting the advanced obfuscation used to keep the malware hidden.
Once active, the malware connects to a Command and Control (C2) server, effectively enslaving the device. “The goal is to transform the Windows PC into a zombie agent, ready to be used at any time by attackers in other campaigns or to deploy malware further”.
This campaign specifically preys on casual internet users who may not be tech-savvy enough to spot the red flags of a malicious torrent. “The attack is directed at novices who don’t often download pirated content or understand the dangers of torrents”.
Researchers warn that while the lure is specific, the techniques demonstrate a dangerous evolution in how commodity malware like Agent Tesla is being delivered.