Cybercriminals are exploiting the excitement around Leonardo DiCaprio’s latest film, One Battle After Another, to spread the infamous Agent Tesla Remote Access Trojan (RAT).
Bitdefender researchers uncovered a sophisticated campaign in which a fake movie torrent serves as a cover for a multi-stage, fileless malware infection chain.
The threat exploits the film’s popularity to lure unsuspecting users who seek to download early copies from torrent sites.
When users open the downloaded torrent, they find a shortcut file named CD.lnk that appears to launch the movie.
Instead, it triggers a hidden PowerShell command that extracts specific lines from the subtitle file Part2.subtitles.srt, where malicious code is hidden among the standard subtitle text.
These extracted lines execute batch commands that begin the multi-stage infection process. The attack chain uses only built-in Windows tools, such as CMD, PowerShell, and Task Scheduler, allowing it to operate almost invisibly to antivirus scans.
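As an added defensive example (not Bitdefender's tooling and not code from the campaign), the following Python script flags lines in an .srt file that sit in a subtitle's text slot but carry command-like tokens instead of dialogue; the sample subtitle text and the token list are constructed assumptions to be tuned per environment.

```python
import re

# Standard SRT timing line: "00:00:01,000 --> 00:00:03,500"
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}\s+-->\s+\d{2}:\d{2}:\d{2},\d{3}")
# Heuristic tokens that have no place in dialogue (assumed list, extend as needed)
SUSPICIOUS_RE = re.compile(
    r"powershell|\bcmd(\.exe)?\b|schtasks|invoke-expression|\biex\b"
    r"|frombase64string|start\s+/b|%~dp0|\$env:|-enc(odedcommand)?\s+\S{16,}",
    re.IGNORECASE,
)

# Constructed sample: three normal cues and one cue whose text is a command.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,500
We have to keep moving.

2
00:00:04,000 --> 00:00:06,000
I know. Just one more battle.

3
00:00:06,500 --> 00:00:08,000
powershell -w hidden -c "Write-Host constructed-sample"

4
00:00:08,500 --> 00:00:10,000
Then it's over.
"""


def classify(line: str) -> str:
    """Label a stripped line by its role in the SRT layout."""
    if not line:
        return "blank"
    if line.isdigit():
        return "index"
    if TIMESTAMP_RE.match(line):
        return "timestamp"
    return "text"


def scan_srt(text: str, max_len: int = 200) -> list[tuple[int, str]]:
    """Return (line_number, line) for text lines that look like commands.
    Overlong text lines are flagged too, since encoded payloads are rarely short."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if classify(line) != "text":
            continue
        if SUSPICIOUS_RE.search(line) or len(line) > max_len:
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, line in scan_srt(SAMPLE_SRT):
        print(f"line {lineno}: {line}")
```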
The malware stores several decrypted PowerShell scripts inside the user’s local diagnostics folder. These scripts extract content from a fake video file named One Battle After Another.m2ts, which is actually a compressed archive.
Another file, disguised as a harmless image called Photo.jpg, conceals encoded binary data that is decoded and written to the Windows Sound Diagnostics cache directory.
To maintain persistence, the attack creates a scheduled task named “RealtekDiagnostics,” disguised as “Audio Helper.” This task runs automatically on system startup or user logon, launching additional payloads that keep the malware active without the user’s awareness.
Multiple Stages and Fileless Payload Delivery
Additional stages include the unpacking of another fake image file, Cover.jpg, which contains encrypted archives and script files.
These files include Realtek-themed batch and PowerShell scripts, such as RealtekDriverInstall.ps1 and RealtekCodec.bat, which are designed to appear legitimate.
Once executed, these scripts check for Windows Defender, attempt to install Go components, compile a binary named RealtekAudioService, and establish the final payload stage in memory.
The entire process culminates in the deployment of Agent Tesla, a memory-resident Remote Access Trojan.
It runs exclusively in memory, avoiding traditional detection methods while initiating command-and-control communication to grant attackers full access to the victim’s machine.
From there, criminals can capture keystrokes, steal credentials, and exfiltrate sensitive data for further exploitation.
Bitdefender’s investigation reveals how attackers increasingly use living-off-the-land (LOTL) techniques and advanced PowerShell scripting to evade detection.
With thousands of users reportedly seeding and downloading the fake torrent, experts warn that this campaign highlights how easily users can be compromised through counterfeit movie torrents that mask highly sophisticated malware operations.