Subtitles of Deceit: How a Blockbuster Movie Torrent Became a Cybercrime Trap
A fake torrent for Leonardo DiCaprio’s latest hit weaponizes subtitles to silently unleash Agent Tesla malware on unsuspecting movie fans.
The allure of a free blockbuster can be hard to resist, but for thousands of would-be viewers, downloading a pirated copy of “One Battle After Another” may have led to an unexpected - and invisible - battle with cybercriminals. In a sophisticated operation uncovered by Bitdefender researchers, hackers embedded malicious code within a subtitle file, launching a multi-stage attack that ultimately delivers the notorious Agent Tesla remote access trojan (RAT) to victims’ computers. This is not your typical movie night gone wrong; it’s a cautionary tale about how modern malware is hiding in plain sight.
Piracy’s New Weapon: Subtle, Stealthy, and Sophisticated
While pirated movie torrents have long been a playground for malware, this latest campaign stands out for its technical ingenuity. The “One Battle After Another” torrent, released shortly after the film’s premiere, appeared legitimate with a movie file, images, and subtitles. But lurking in the subtitle file - between seemingly innocuous lines - was an embedded PowerShell script.
When users clicked the provided shortcut (CD.lnk) to launch the movie, they unwittingly set off a chain reaction. The shortcut executed a Windows command that pulled the malicious script from the subtitle file. This script then extracted several encrypted payloads, reconstructing five separate PowerShell scripts, each dropped to a hidden diagnostics folder. The infection chain was meticulous: it unpacked files, set up a scheduled task to maintain persistence, and decoded further data embedded inside the included image files. The final payload - Agent Tesla - was injected directly into the computer’s memory, making it harder to detect and remove.
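The chain above hinges on a subtitle file carrying script text between its cues. As an added example (this is not Bitdefender's tooling or code from the article), the following Python scanner parses SRT cue blocks and flags cue text that looks like PowerShell rather than dialogue, plus blocks that do not follow the index/timing/text shape at all. It is the kind of triage check a defender or a cautious user could run over the subtitle files in a download before opening anything. The sample subtitle, the marker list and the `Finding` type are all constructed for the demo; the flagged cue contains only inert marker strings, not a working loader.

```python
"""Heuristic scanner for subtitle (.srt) files that carry embedded script text.

Added example, not code from the article or from Bitdefender. Assumes plain SRT
input; the sample file and marker list below are constructed for this demo.
"""
import re
from dataclasses import dataclass

# SRT cue timing line, e.g. "00:00:01,000 --> 00:00:03,500"
TIMING_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}\s*-->\s*\d{2}:\d{2}:\d{2},\d{3}")

# Tokens that rarely appear in dialogue but are common in PowerShell loaders.
# These are indicators for review, not proof of malice.
SCRIPT_MARKERS = [
    r"\bpowershell\b",
    r"\binvoke-expression\b", r"\biex\b",
    r"\bfrombase64string\b",
    r"\bdownloadstring\b", r"\binvoke-webrequest\b",
    r"-enc(odedcommand)?\b",
    r"\bnew-object\b", r"\bstart-process\b",
    r"\bregister-scheduledtask\b|\bschtasks\b",
    r"\$[A-Za-z_]\w*\s*=",   # PowerShell variable assignment, e.g. "$p = ..."
]
MARKER_RE = re.compile("|".join(SCRIPT_MARKERS), re.IGNORECASE)

# Long runs of base64 alphabet: packed payloads look like this, dialogue does not.
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/=]{64,}")


@dataclass
class Finding:
    cue_index: int   # cue number as written in the file, -1 for malformed blocks
    line: str        # offending text (truncated for display)
    reason: str


def parse_cues(text: str):
    """Yield (index, timing, [text lines]) per SRT block.

    Blocks that do not follow the index / timing / text shape are yielded with
    index and timing set to None so the caller can flag them as anomalies.
    """
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.rstrip("\r") for l in block.split("\n")]
        if (len(lines) >= 2 and lines[0].strip().isdigit()
                and TIMING_RE.match(lines[1].strip())):
            yield lines[0].strip(), lines[1].strip(), lines[2:]
        else:
            yield None, None, lines


def scan_subtitles(text: str) -> list[Finding]:
    """Return one Finding per suspicious cue line or malformed block."""
    findings = []
    for idx, _timing, body in parse_cues(text):
        cue_no = int(idx) if idx is not None else -1
        if idx is None:
            findings.append(Finding(cue_no, " | ".join(body)[:80],
                                    "block not in index/timing/text shape"))
        for line in body:
            if MARKER_RE.search(line):
                findings.append(Finding(cue_no, line[:80],
                                        "script-like token in cue text"))
            elif BASE64_RUN_RE.search(line):
                findings.append(Finding(cue_no, line[:80],
                                        "long base64-like run in cue text"))
    return findings


# Constructed sample: two ordinary cues around one cue that carries script text.
# The base64 string is just "AAAAAAAA"; nothing here executes anything.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,500
We don't have much time.

2
00:00:04,000 --> 00:00:06,000
$p = [Convert]::FromBase64String("QUFBQUFBQUE=")

3
00:00:06,500 --> 00:00:09,000
Then we go, now.
"""

CLEAN_SRT = """1
00:00:01,000 --> 00:00:03,500
We don't have much time.
"""

if __name__ == "__main__":
    for f in scan_subtitles(SAMPLE_SRT):
        print(f"cue {f.cue_index}: {f.reason}: {f.line}")
```

Run it against every `.srt` in a download directory and review anything it reports; a genuine subtitle file is dialogue and timing only, so even a single hit on a cue is reason to treat the whole download as untrusted. The markers are deliberately conservative to keep false positives low on real dialogue, and the malformed-block check catches text that was simply appended after the last cue.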
Agent Tesla, a veteran in the world of information-stealing malware, is designed to harvest browser, email, FTP, and VPN credentials, and can even capture screenshots. Its continued popularity among cybercriminals is a testament to its reliability and effectiveness. Bitdefender’s findings suggest the technique is spreading, with variations observed in torrents for other high-profile films.
This operation’s complexity highlights how cybercriminals are evolving, leveraging social engineering and technical camouflage to maximize infections. The use of subtitle files - a format most users trust - demonstrates a willingness to exploit every conceivable vector.
Conclusion: The Real Price of Piracy
For movie fans, the temptation of a free, early release comes with hidden costs. As cybercriminals up their game, even something as harmless as a subtitle file can become a weapon. The best defense? Avoid pirated content, keep your systems updated, and remember: in today’s threat landscape, every download is a potential roll of the dice.
WIKICROOK Glossary
- PowerShell: A powerful command-line shell and scripting language for Windows, often abused by attackers to automate tasks or run malicious code.
- Agent Tesla: A well-known remote access trojan (RAT) and info-stealer targeting Windows systems, active since 2014.
- RAT (Remote Access Trojan): Malware that enables attackers to remotely control an infected computer, often used for spying or stealing data.
- Seeders/Leechers: Terms used in file-sharing to indicate users uploading (seeders) or downloading (leechers) a file in a peer-to-peer network.
- Scheduled Task: A Windows feature that allows programs or scripts to run automatically at specified times or events - commonly abused for persistence by malware.