A fake Leonardo DiCaprio movie torrent is spreading Agent Tesla malware through trusted Windows tools
Cybercriminals are exploiting demand for pirated movies by disguising malware as a fake torrent of “One Battle After Another,” a new Leonardo DiCaprio film, tricking Windows users into infecting their own systems.
What appears to be an early-access movie download is actually a carefully staged attack chain that installs Agent Tesla, a powerful remote access trojan.
The malware “… can be used to steal passwords, financial data, and browser information while giving criminals full control over the infected PC,” Bitdefender researchers wrote.
This campaign highlights how popular entertainment releases remain an effective lure for malware distribution, especially when content is still in theaters or unavailable on mainstream streaming platforms.
Anyone searching for early access — including users who don’t typically pirate media — can be affected, and infected personal devices may later become entry points into corporate networks.
Bitdefender reported that the campaign has already reached thousands of users, underscoring how quickly demand-driven lures can scale malware operations.
The campaign does not exploit a software vulnerability but instead abuses user trust and familiar torrent behaviors to deliver Agent Tesla.
Rather than containing a video file, the torrent packages a staged infection chain that begins when users launch a malicious Windows shortcut disguised as a movie file. That action triggers hidden batch commands embedded in subtitle files, which in turn execute multiple layers of PowerShell to unpack and run the payload.
The attackers conceal AES-encrypted components inside image archives and establish persistence through a fake Realtek audio diagnostic task, allowing the final Agent Tesla payload to run entirely in memory.
By relying on built-in Windows tools such as PowerShell, Command Prompt, and Task Scheduler, the malware blends into regular system activity and evades many file-based security controls. This approach highlights a broader shift toward social engineering and living-off-the-land techniques, in which fully patched systems can still be compromised if users are tricked into executing malicious content.
Even without exploiting a CVE, the attack enables credential theft, remote access, and long-term persistence, demonstrating how trust-based delivery mechanisms remain a powerful vector for modern malware campaigns.
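The chain described above (shortcut launched from Explorer, cmd.exe pointed at a "subtitle" file, obfuscated PowerShell, and a scheduled task that impersonates an audio-driver diagnostic) leaves a recognisable trail in process-creation telemetry even though no file-based signature fires. The following is an added example, not Bitdefender's code or anything from the campaign: it runs three simple detection rules over a handful of constructed log lines written in a `parent=… image=… cmdline=…` shape that stands in for Sysmon/EDR process-creation events. The regexes, rule names, paths and the base64 placeholder are assumptions for illustration.

```python
"""Detect the living-off-the-land chain described in the article from
process-creation events (added example; constructed telemetry, not real logs)."""
import re
from dataclasses import dataclass

# File types the lure used as carriers for hidden batch commands
SUBTITLE_EXT = re.compile(r"\.(srt|sub|ass|ssa|vtt)\b", re.IGNORECASE)
# Common markers of hidden / encoded / self-unpacking PowerShell (assumed list)
SUSPICIOUS_PS = re.compile(
    r"(-enc\w*\s+[A-Za-z0-9+/=]{20,}|frombase64string|-w(indowstyle)?\s+hidden|"
    r"iex\b|invoke-expression|aescryptoserviceprovider|\[reflection\.assembly\]::load)",
    re.IGNORECASE,
)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+.*?/create", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line):
    """Parse 'parent=<exe> image=<exe> cmdline=<...>' into a ProcEvent (None if malformed)."""
    m = re.match(r"parent=(\S+)\s+image=(\S+)\s+cmdline=(.*)$", line.strip())
    return ProcEvent(*m.groups()) if m else None


def classify(ev):
    """Return the names of every rule that fires for one event."""
    hits = []
    img = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent.lower().rsplit("\\", 1)[-1]
    cmd = ev.cmdline
    # Stage 1: a shortcut opened from Explorer makes cmd.exe touch a subtitle file
    if img == "cmd.exe" and parent == "explorer.exe" and SUBTITLE_EXT.search(cmd):
        hits.append("cmd_executing_subtitle_file")
    # Stage 2: PowerShell started hidden, encoded, or unpacking a payload in memory
    if img in ("powershell.exe", "pwsh.exe") and SUSPICIOUS_PS.search(cmd):
        hits.append("obfuscated_powershell")
    # Stage 3: persistence through a scheduled task whose action is PowerShell
    if TASK_CREATE.search(cmd) and re.search(r"powershell|pwsh", cmd, re.IGNORECASE):
        hits.append("scheduled_task_runs_powershell")
        if re.search(r"realtek", cmd, re.IGNORECASE):
            hits.append("task_name_impersonates_audio_driver")
    return hits


def scan(lines):
    """Return {line_number: [rule names]} for every line that fires at least one rule."""
    findings = {}
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is not None:
            hits = classify(ev)
            if hits:
                findings[n] = hits
    return findings


# Constructed sample telemetry: three malicious-looking stages interleaved with
# benign activity of the same binaries (paths and task names are made up).
SAMPLE_LOG = [
    r'parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c "C:\Users\alice\Downloads\lure\English.srt"',
    r'parent=C:\Windows\explorer.exe image=C:\Tools\vlc.exe cmdline=vlc.exe movie.mkv --sub-file English.srt',
    r'parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==',
    r'parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell.exe -NoProfile -File C:\Scripts\backup.ps1',
    r'parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe image=C:\Windows\System32\schtasks.exe cmdline=schtasks.exe /create /tn "Realtek Audio Diagnostic" /tr "powershell.exe -w hidden -File C:\Users\alice\AppData\Roaming\rt.ps1" /sc onlogon',
    r'parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\schtasks.exe cmdline=schtasks.exe /create /tn NightlyBackup /tr C:\Tools\backup.exe /sc daily',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

The point of keying on parent/child relationships and command-line shape rather than file hashes is that every binary involved is a legitimate, signed Windows component; what is anomalous is the sequence (Explorer → cmd.exe → hidden PowerShell → schtasks) and the arguments, which is exactly what in-memory payloads cannot hide.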
Malware campaigns delivered through fake media downloads continue to evolve, relying less on exploits and more on user behavior and trusted system tools.
Defending against these threats requires going beyond basic antivirus protections and focusing on how malware is delivered, executed, and sustained.
Taken together, these controls lower exposure to fileless threats while keeping security manageable.
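Because the delivery stage relies on a download that looks like a movie folder, a cheap control is to triage the extracted files before anyone double-clicks: a Windows shortcut whose name ends in a video extension, subtitle files that contain shell commands, and image files that carry an appended blob or an archive signature all stand out on disk. The script below is an added example, not Bitdefender's tooling or the campaign's own files; it builds a constructed sample folder in a temporary directory (with a minimal shortcut header, a benign and a tampered subtitle, and an image with an appended archive) and reports which files trip which check. The indicator lists and rule names are assumptions.

```python
"""Offline triage of an extracted download folder for the lure pattern in the
article (added example; the sample folder is constructed, not real malware)."""
import os
import re
import shutil
import tempfile

MEDIA_EXT = {".mkv", ".mp4", ".avi", ".mov", ".wmv"}
SUBTITLE_EXT = {".srt", ".sub", ".ass", ".ssa", ".vtt"}
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}
IMAGE_END = {".jpg": b"\xff\xd9", ".jpeg": b"\xff\xd9", ".png": b"IEND\xae\x42\x60\x82"}
ARCHIVE_MAGIC = [b"PK\x03\x04", b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c"]
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"  # Shell Link header size + CLSID prefix
# Tokens that have no business in a subtitle file (assumed list)
SCRIPT_TOKENS = re.compile(r"(@echo off|powershell|cmd(\.exe)?\s+/c|certutil|rundll32|%temp%)", re.IGNORECASE)


def triage_file(path):
    """Return the list of checks a single file fails (empty list means clean)."""
    root, ext = os.path.splitext(os.path.basename(path))
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()  # e.g. ".mkv" in "movie.mkv.lnk"
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    # A shortcut in a media download is suspicious; one named like a video is the lure itself
    if ext == ".lnk" or data.startswith(LNK_MAGIC):
        hits.append("shortcut_in_download")
        if inner_ext in MEDIA_EXT:
            hits.append("shortcut_named_like_video")
    # Subtitle files should be plain timed text, never command-interpreter syntax
    if ext in SUBTITLE_EXT and SCRIPT_TOKENS.search(data.decode("utf-8", errors="replace")):
        hits.append("script_tokens_in_subtitle")
    # Image files: wrong magic, data past the end-of-image marker, or an embedded archive
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            hits.append("image_magic_mismatch")
        else:
            end = data.rfind(IMAGE_END[ext])
            trailer = data[end + len(IMAGE_END[ext]):] if end != -1 else b""
            if len(trailer) > 64:
                hits.append("data_appended_after_image_end")
        if any(sig in data[1:] for sig in ARCHIVE_MAGIC):
            hits.append("archive_signature_inside_image")
    return hits


def triage_directory(folder):
    """Walk a folder and return {relative path: [failed checks]} for flagged files only."""
    findings = {}
    for dirpath, _, files in os.walk(folder):
        for fn in files:
            p = os.path.join(dirpath, fn)
            hits = triage_file(p)
            if hits:
                findings[os.path.relpath(p, folder)] = hits
    return findings


def build_sample_folder():
    """Constructed fixture that mimics the lure layout; returns the temp folder path."""
    d = tempfile.mkdtemp(prefix="lure_")

    def put(name, blob):
        with open(os.path.join(d, name), "wb") as f:
            f.write(blob)

    put("One.Battle.After.Another.2025.1080p.mkv.lnk", LNK_MAGIC + b"\x00" * 64)
    put("English.srt", b"1\n00:00:01,000 --> 00:00:03,000\nHello.\n")
    put("Spanish.srt", b"1\n00:00:01,000 --> 00:00:03,000\nHola.\n@echo off\npowershell -w hidden\n")
    put("poster.png", IMAGE_MAGIC[".png"] + b"\x00" * 32 + IMAGE_END[".png"])
    # A valid JPEG header and end marker followed by a zip signature and 256 bytes of filler
    put("cover.jpg", IMAGE_MAGIC[".jpg"] + b"\x00" * 32 + IMAGE_END[".jpg"] + b"PK\x03\x04" + bytes(range(256)))
    return d


if __name__ == "__main__":
    folder = build_sample_folder()
    try:
        for rel, hits in triage_directory(folder).items():
            print(f"{rel}: {', '.join(hits)}")
    finally:
        shutil.rmtree(folder)
```

The double-extension check matters because Explorer hides the `.lnk` suffix by default, so `movie.mkv.lnk` is displayed as `movie.mkv`; checking the byte header as well catches a shortcut that has been given some other extension. The image check does not try to decrypt anything (the appended component is AES-encrypted, per Bitdefender), it only asks whether bytes exist where a well-formed image has none.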
This campaign highlights a broader shift in malware distribution, where attackers favor high-demand lures and trusted system tools over traditional exploit-heavy techniques.
Popular movies, games, and software releases create reliable opportunities to reach large audiences, while fileless execution helps malware evade detection and persist longer.
As long as interest in pirated content remains strong, attackers are likely to keep refining these low-effort, high-reach delivery methods.
Editor’s note: This article first appeared on our sister publication, eSecurityPlanet.com.