Cybersecurity firm Bitdefender has reported a surge in malicious torrents that impersonate Leonardo DiCaprio’s new film, One Battle After Another, and install the Agent Tesla remote access trojan on Windows computers.
Bitdefender researchers began an investigation after they saw a spike in detections linked to what appeared to be a torrent of the film. The team found a multi-stage infection chain that ends with full remote control of the victim’s device.
The film has gained wide attention since its release. Cybercriminals are using that interest as a lure for people searching for pirated copies on torrent and file-sharing sites.
Many users search online for new cinema releases or pay-per-view titles in the hope of finding free copies. Security specialists say that entertainment-related downloads often lower users’ guard against security risks.
In this case, users expect a video file when they download the torrent bundle. The package instead contains a mix of PowerShell scripts and image archives.
These components assemble into a memory-resident command-and-control agent known as Agent Tesla. The malware runs on the infected machine without writing a traditional executable file to disk.
Agent Tesla is a remote access trojan. It gives attackers broad control over the victim’s Windows system.
Once installed, the malware allows criminals to access the computer remotely. They can steal financial data and personal information from the device.
Attackers can also use the compromised machine as a launch point for further attacks. The infected computer can act as part of a wider network of controlled systems.
Bitdefender notes that the practice of hiding malware inside torrents and fake multimedia files has existed for years. The firm says activity using this method has increased over the past year.
The company highlights a recent example involving another blockbuster franchise. Attackers used a fake copy of Mission: Impossible – The Final Reckoning to distribute the Lumma Stealer information-stealing malware.
Lumma Stealer focuses on data that can support account takeover and fraud. It seeks passwords, browser cookies, cryptocurrency wallets, and login data from remote desktop tools.
Bitdefender says Agent Tesla itself is not a new threat. Criminal groups have used it for several years in phishing campaigns and schemes linked to events such as COVID-19 vaccination registration.
The novelty in the latest campaign lies in the way attackers deploy the malware. Bitdefender reports a chain that uses consecutive attack methods and legitimate Windows tools.
The researchers say this specific method appears in this torrent only. They have not yet seen the same pattern in other torrents.
The execution of the payload takes place entirely in memory. This approach reduces traces on disk and makes detection harder for some security products.
The infection process uses multiple layers of scripting and encryption. The design also uses obfuscation techniques that conceal the true nature of the code.
The malware achieves persistence through the use of built-in Windows utilities. The chain includes PowerShell, command-line functions, and Task Scheduler.
Bitdefender states that the overall aim is to convert the victim’s PC into a so-called zombie agent. Attackers can then use the machine in later campaigns or for further malware deployment.
The company believes the torrent targets relatively inexperienced users. These are people who may not often download pirated content and may have limited awareness of the risks.
Layered infection
The infection begins when a user downloads a torrent that claims to contain the One Battle After Another film. The contents of the download differ from what the user expects.
Inside the archive, the user sees a shortcut file named CD.lnk. The file appears to launch the film.
When the user clicks the shortcut, it triggers a concealed command sequence. The process activates malicious scripts that reside inside a subtitle file named Part2.subtitles.srt.
The attack chain then calls several native Windows tools. These include CMD, PowerShell, and Task Scheduler.
Each tool unpacks and executes another layer of encrypted data. The process eventually reconstructs and runs the Agent Tesla trojan in memory.
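The chain above starts from two files a viewer would not think twice about: a shortcut that is supposed to play the film and a subtitle file that actually carries script. The following triage script is an added example, not Bitdefender's tooling or the report's code, showing how a defender can check an extracted bundle for that pattern before anything is clicked: it flags .lnk files whose embedded target strings name a command interpreter and .srt files that either carry script markers or contain no subtitle cues at all. The file names and contents in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# A real SRT cue timing line looks like "00:00:01,000 --> 00:00:04,000"
SRT_TIMING = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
# Script fragments that have no place in a subtitle file
SCRIPT_MARKERS = re.compile(
    r"powershell|cmd(\.exe)?\s+/c|schtasks|-EncodedCommand|Invoke-Expression|FromBase64String", re.I)
# Every Windows shell link (.lnk) starts with HeaderSize 0x4C followed by the shell link CLSID
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Target strings inside a .lnk may be stored as ANSI or UTF-16LE, so check both encodings
LAUNCHERS = [enc for s in ("cmd.exe", "powershell", "wscript", "mshta")
             for enc in (s.encode(), s.encode("utf-16-le"))]

def suspicious_subtitle(text):
    """True when a .srt carries script markers, or has no cue timings at all (not subtitles)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    has_cues = any(SRT_TIMING.match(l) for l in lines)
    return bool(SCRIPT_MARKERS.search(text)) or not has_cues

def suspicious_shortcut(data):
    """True when a .lnk's embedded strings point at a command interpreter."""
    if not data.startswith(LNK_MAGIC):
        return False          # not a shell link at all; out of scope for this check
    low = data.lower()        # bytes.lower() only touches ASCII, which is all we compare
    return any(l.lower() in low for l in LAUNCHERS)

def triage(folder):
    """Walk an extracted bundle and report (file name, reason) for files matching the lure."""
    findings = []
    for p in sorted(Path(folder).rglob("*")):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        if ext == ".lnk" and suspicious_shortcut(p.read_bytes()):
            findings.append((p.name, "shortcut launches a command interpreter"))
        elif ext == ".srt" and suspicious_subtitle(p.read_text(errors="ignore")):
            findings.append((p.name, "subtitle file does not look like subtitles"))
    return findings

def demo():
    """Build a constructed bundle (not real samples) and triage it."""
    d = Path(tempfile.mkdtemp())
    (d / "Part1.subtitles.srt").write_text("1\n00:00:01,000 --> 00:00:04,000\nHello.\n")
    (d / "Part2.subtitles.srt").write_text("1\n00:00:01,000 --> 00:00:04,000\n"
                                           "powershell -EncodedCommand PLACEHOLDER\n")
    # 20-byte magic + 56 bytes of padding = the 76-byte LNK header, then a target string
    (d / "Readme.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + "notepad.exe".encode("utf-16-le"))
    (d / "CD.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56 + "powershell".encode("utf-16-le"))
    return triage(d)
```

Running demo() flags CD.lnk and Part2.subtitles.srt and leaves the benign shortcut and subtitle alone; in practice the same checks belong in a sandbox or mail/download gateway step that runs before a user can open the bundle.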
Bitdefender says its technical analysis reconstructs every phase of the attack. The report describes how each component interacts with others in the chain.
Researchers estimate that many users may have downloaded the fake torrent. The listing showed thousands of seeders and leechers on the monitored service.
The firm says its own security products blocked the threat at an early stage in the chain. Other users without up-to-date security software may remain vulnerable.
Bitdefender links the incident to a broader rise in malicious torrents. The company says the number of infected torrent files that advertise new films and TV shows has risen sharply over the past two years.
“The trend of embedding malware in torrents and fake multimedia files that pretend to offer movies and TV shows is not new, but it has gained a lot of steam in the last year or so. For example, Mission: Impossible – The Final Reckoning was used to spread the Lumma Stealer, which targets passwords, cookies, crypto wallets, credentials from remote desktop tools, and more,” said the report.
Bitdefender expects further growth in this type of attack. The firm says the problem will likely worsen until users recognise that multimedia files can conceal cyber threats.