Fake torrent for "One Battle After Another" delivers trojan through subtitles
Another sophisticated malware delivery method
by Daniel Sims · TechSpot
In brief: Pirate downloads of popular media are an attractive attack vector for hackers, and the latest example demonstrates their increasingly creative tactics. While experienced users will likely detect this scam easily, it serves as a textbook example of the risks associated with torrenting the latest movies.
Bitdefender recently discovered a fraudulent torrent for the film One Battle After Another that contains an ingenious Trojan delivery mechanism. The security company claims its tools defended users against the malware from the start, but those unaccustomed to torrenting should exercise caution.
Instead of downloading the critically acclaimed film, the torrent delivers an archive disguised as an M2TS video file, a subtitle file, and a file called "CD.link," labeled as a shortcut to launch the movie. Clicking the shortcut launches the malicious payload from the M2TS, which is actually an archive.
The attack exemplifies why users should avoid unfamiliar files from torrents. Anyone downloading a film or TV show should, ideally, only click on the video file. Furthermore, intermediaries such as seedboxes and debrid services provide an extra layer of security by shielding personal devices from direct exposure to risky torrents and anyone snooping on torrent traffic.
Interestingly, the fraudulent payload's subtitle file contains the film's real subtitles, but certain lines hide malicious code. Moreover, detecting the process is tricky. It employs living-off-the-land tactics to unpack encrypted data with legitimate Windows tools, including CMD, PowerShell, and Task Scheduler. After executing multiple steps entirely within memory, the malware seizes control of the target device, which can become a vector for subsequent hacking campaigns.
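The subtitle-smuggling step described above suggests a cheap triage check for defenders: genuine SRT cues are short dialogue with a display window, so a cue that carries a long space-free base64-style token, runs far longer than a spoken line, or is never shown (end time at or before its start) deserves a closer look. The scanner below is an added example, not code from Bitdefender or this article; the sample subtitle is constructed, and its blob decodes to harmless text.

```python
import re

# SRT timing line: HH:MM:SS,mmm --> HH:MM:SS,mmm
TIMING = re.compile(
    r"(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})")
# A run of 24+ base64-alphabet characters with no spaces is not dialogue.
BLOB = re.compile(r"[A-Za-z0-9+/=]{24,}")

# Constructed sample: three ordinary cues plus one zero-duration cue whose
# "text" is a base64 blob (it decodes to "hello world this is not a payload").
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,000
Where have you been?

2
00:00:03,500 --> 00:00:06,000
Out. Looking for him.

3
00:00:06,500 --> 00:00:06,500
aGVsbG8gd29ybGQgdGhpcyBpcyBub3QgYSBwYXlsb2Fk

4
00:00:07,500 --> 00:00:09,000
He's not coming back.
"""

def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def parse_srt(text):
    """Yield (index, start_ms, end_ms, body) for each well-formed cue."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if len(lines) < 2 or not lines[0].strip().isdigit():
            continue  # skip malformed blocks rather than crash on them
        m = TIMING.match(lines[1].strip())
        if not m:
            continue
        g = m.groups()
        yield int(lines[0]), _ms(*g[:4]), _ms(*g[4:]), "\n".join(lines[2:])

def scan_srt(text, max_len=200):
    """Return {cue_index: [reasons]} for cues that do not look like dialogue."""
    findings = {}
    for idx, start, end, body in parse_srt(text):
        reasons = []
        if BLOB.search(body):
            reasons.append("base64-like token")
        if len(body) > max_len:
            reasons.append(f"text longer than {max_len} chars")
        if end <= start:
            reasons.append("cue never displayed (end <= start)")
        if reasons:
            findings[idx] = reasons
    return findings

if __name__ == "__main__":
    for idx, reasons in scan_srt(SAMPLE_SRT).items():
        print(f"cue {idx}: {', '.join(reasons)}")
```

Flagged cues are candidates for manual review, not verdicts; a long proper noun can trip the token check, so treat a hit as a reason to open the file, not to block it.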
Hiding malware in torrents of popular films is not new. In May, attackers hid Lumma Stealer in fake torrent files for Mission: Impossible – The Final Reckoning to steal passwords, cookies, and other credentials. However, the attack involving One Battle After Another has only been discovered in one torrent download. It remains unclear how widespread the malware is, but the package has probably racked up thousands of downloads.
Hackers likely chose One Battle After Another to disguise their payloads due to the film's success. Following its September 26 premiere, it picked up an industry-leading nine Golden Globe nominations, including Best Picture, and is expected to be an Oscar frontrunner.
Viewers wishing to watch One Battle After Another through legitimate sources can purchase it on digital storefronts. The film will also begin streaming through HBO Max on December 19, with a physical media release scheduled for January 20.