
Fake ‘One Battle After Another’ torrent hides malware in subtitles


A fake torrent for Leonardo DiCaprio’s 'One Battle After Another' hides malicious PowerShell loaders inside subtitle files that ultimately infect devices with the Agent Tesla RAT.

The malicious torrent file was discovered by Bitdefender researchers while investigating a spike in detections related to the movie.

One Battle After Another is a highly rated Paul Thomas Anderson movie released on September 26, 2025, starring Leonardo DiCaprio, Sean Penn, and Benicio del Toro.

Cybercriminals taking advantage of interest around new movies by uploading malicious torrents isn't anything new, but Bitdefender notes this case stands out for its unusually complex and stealthy infection chain.

"It's impossible to estimate how many people downloaded the files, but we saw that the supposed movie had thousands of seeders and leechers," explained Bitdefender.

Launching malware from subtitles

The downloaded One Battle After Another movie torrent used in the attacks contains various files, including a movie file (One Battle After Another.m2ts), two image files (Photo.jpg, Cover.jpg), a subtitles file (Part2.subtitles.srt), and a shortcut file (CD.lnk) that appears as a movie launcher.

When the CD shortcut is executed, it launches Windows commands that extract and run a malicious PowerShell script embedded in the subtitle file between lines 100 and 103.

Malicious PowerShell script hidden in subtitles

This PowerShell script then extracts numerous AES-encrypted data blocks from the same subtitles file and uses them to reconstruct five PowerShell scripts, which are dropped to 'C:\Users\<username>\AppData\Local\Microsoft\Diagnostics'.
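
A defender-side triage sketch for the file layout described above, added here as an example (it is not Bitdefender's detection logic or code from the article): it flags shortcut files shipped beside media and subtitle lines that look like script or encoded data rather than dialogue. The keyword list, length thresholds, function names and sample input are assumptions constructed for illustration.

```python
import re

# SRT timing line, e.g. "00:01:02,500 --> 00:01:05,000"
TIMING = re.compile(r"^\d{2}:\d{2}:\d{2}[,.]\d{3} --> \d{2}:\d{2}:\d{2}[,.]\d{3}")
# Heuristics assumed for this example; they are not vendor signatures.
SCRIPT_HINTS = re.compile(
    r"powershell|invoke-expression|\biex\b|frombase64string|"
    r"\[system\.|new-object|cmd(\.exe)?\s+/c", re.IGNORECASE)
BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")  # long base64-like run
MAX_CUE_LINE = 200                          # real dialogue lines are short


def scan_srt(text):
    """Return [(line_no, reason)] for lines that do not look like subtitle text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        s = line.strip()
        if not s or s.isdigit() or TIMING.match(s):
            continue  # blank line, cue index, or timing line
        if SCRIPT_HINTS.search(s):
            findings.append((no, "script keyword"))
        elif BLOB.search(s):
            findings.append((no, "long base64-like blob"))
        elif len(s) > MAX_CUE_LINE:
            findings.append((no, "overlong cue text"))
    return findings


def scan_listing(filenames):
    """Flag .lnk shortcuts that ship next to media files in a download."""
    media = (".m2ts", ".mkv", ".mp4", ".avi")
    has_media = any(f.lower().endswith(media) for f in filenames)
    return [f for f in filenames if has_media and f.lower().endswith(".lnk")]


# Constructed sample: one normal cue, an inert stand-in for an embedded
# script line, and a filler run standing in for an encoded data block.
SAMPLE_SRT = "\n".join([
    "1", "00:00:01,000 --> 00:00:03,000", "Where were you last night?", "",
    "2", "00:00:04,000 --> 00:00:06,500",
    "powershell -NoProfile -Command \"Write-Output 'constructed sample'\"", "",
    "3", "00:00:07,000 --> 00:00:09,000", "A" * 160, "",
])
# File names as listed in the article.
SAMPLE_FILES = ["One Battle After Another.m2ts", "Photo.jpg", "Cover.jpg",
                "Part2.subtitles.srt", "CD.lnk"]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_FILES))
    print(scan_srt(SAMPLE_SRT))
```

A hit from either function is a reason to quarantine the download for analysis, not proof of infection; a clean result does not clear the files either, since the heuristics only cover the pattern this article describes.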
