According to TechRepublic, cybercriminals are spreading Agent Tesla malware through a fake torrent for “One Battle After Another,” a new Leonardo DiCaprio film. The campaign has already reached thousands of users by exploiting the demand for early-access pirated content. The malware is a powerful remote access trojan that steals passwords, financial data, and browser information while giving attackers full control of the infected PC. The attack chain doesn’t rely on a software vulnerability but instead abuses user trust and built-in Windows tools like PowerShell and Task Scheduler. Researchers from Bitdefender detailed how the fake torrent uses a malicious Windows shortcut and hidden batch commands to deliver its payload entirely in memory.
The sneaky, low-tech infection chain
Here’s the thing: this isn’t some fancy zero-day exploit. It’s a digital con job. You download what you think is a movie file, but the torrent actually contains a staged setup. When you launch the disguised Windows shortcut, it triggers batch commands hidden inside the subtitle files. Those commands fire off several layers of PowerShell scripts, each unpacking the next. The encrypted malware components are stashed inside image archives, so on disk they pass as pictures. Finally, persistence comes from a Windows Task Scheduler entry dressed up as a Realtek audio diagnostic task, which keeps the malware coming back across reboots. The final Agent Tesla payload is decrypted and executed in memory, never written to disk as an executable, so traditional file-scanning antivirus has little to examine: a shortcut, some subtitles and some images. The stagers and the scheduled task do still live on disk, which is exactly where a responder should look. It’s a classic “living-off-the-land” technique, and it’s effective because every component is a legitimate Windows binary doing something that looks like normal system activity.
Why this approach is so dangerous
This campaign highlights a major shift. Attackers are moving away from hacking the software and toward hacking the user. And why wouldn’t they? It’s easier. A hot new movie release is a perfect lure: it attracts a huge audience quickly, including people who wouldn’t normally pirate anything. The real risk isn’t just a messed-up personal laptop, either. An infected personal device used for work is a backdoor into the corporate network, and the browser passwords and saved credentials Agent Tesla harvests can easily include work logins. Because the chain runs through trusted, built-in Windows tools, it slips past security software that only looks for malicious files. Think about it: your system can be fully patched against every known CVE and still get owned because someone was tricked into double-clicking. That’s a sobering thought.
What you can actually do about it
So, how do you defend against something that looks so normal? Basic antivirus isn’t enough. You need layers. For companies, it starts with policy: block peer-to-peer and torrent traffic on corporate devices, and make clear that personal machines used for work are in scope too. Treat any non-video file in a torrent as a red flag: a shortcut (.lnk) posing as the movie, batch files, or subtitle files far larger than a few kilobytes. Note that Windows never displays the .lnk extension, even with “hide extensions for known file types” turned off, so a shortcut named movie.mp4 shows up as movie.mp4 with only a small arrow overlay giving it away. Technically, you need visibility into scripting: turn on PowerShell Script Block Logging (Event ID 4104 in the PowerShell Operational log) and module logging, so even an in-memory, multi-layer script chain is recorded as each stage decodes, and audit scheduled task creation (Event ID 4698 in the Security log, which requires the “Audit Other Object Access Events” subcategory) so a new “Realtek audio diagnostic” task that launches powershell.exe from a user profile stands out. Endpoint protection needs to be behavioural, spotting memory-resident payloads and living-off-the-land patterns rather than relying on file signatures. Application control (AppLocker or WDAC) that refuses to run unsigned scripts and executables from user-writable directories breaks the chain before the first PowerShell stage. Least-privilege accounts help too, but with a caveat: a standard user can still create a scheduled task that runs as themselves, so least privilege limits the damage (no SYSTEM-level persistence, no tampering with security tooling) rather than preventing user-level persistence outright. And of course, user education is key. People need to know that “early access” downloads, especially for content still in theaters, are massive risk vectors. It’s about managing both the human and the technical attack surface. The same locked-down, allow-listed configuration matters even more on hosts that bridge IT and OT in industrial environments, where a compromised workstation is a foothold into production systems.
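To turn the detection advice above into something you can run, here is an added example in Python (not code from the article, Bitdefender or TechRepublic) that triages two kinds of Windows event records: Security 4698 scheduled-task-creation events, which carry the task’s XML, and PowerShell 4104 script-block events, which only exist once Script Block Logging is on. It scores each record against the behaviours in the infection chain described earlier: a script host as a task action, a vendor-styled task name pointing at a user-writable path, hidden-window or policy-bypass arguments, and script blocks that decode, decrypt and reflectively load a .NET assembly. The event records, host names, task names, paths and the pattern lists are all constructed for the example and are not indicators from the real campaign; tune the lists to your estate.

```python
"""Triage Windows event records for living-off-the-land persistence and script abuse.

Added example for this article, not code from Bitdefender or TechRepublic. It expects
two record shapes: Security 4698 (scheduled task created, carrying the task XML) and
PowerShell Operational 4104 (script block text). All sample records are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Interpreters a scheduled task should almost never launch directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Paths a standard user can write to; genuine vendor tasks point under the trusted roots.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Words that lend a task false legitimacy when the binary behind it is not the vendor's.
VENDOR_WORDS = ("realtek", "nvidia", "intel", "adobe", "microsoft", "google")

ARG_PATTERNS = {
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"(^|\s)-e(nc(odedcommand)?)?\s", re.I),
    "policy-bypass": re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I),
}
SCRIPT_PATTERNS = {
    "base64-to-invoke": re.compile(r"FromBase64String[\s\S]*?(Invoke-Expression|\bIEX\b)", re.I),
    "reflective-load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
    "amsi-tamper": re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I),
    "download-cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "in-memory-decrypt": re.compile(r"AesCryptoServiceProvider|CreateDecryptor", re.I),
}


def analyze_task(task_name: str, task_xml: str) -> list[str]:
    """Reasons a 4698 event (new scheduled task) looks like LOLBin persistence."""
    reasons: list[str] = []
    for exec_node in ET.fromstring(task_xml).iter(f"{TASK_NS}Exec"):
        command = (exec_node.findtext(f"{TASK_NS}Command") or "").strip().strip('"')
        args = exec_node.findtext(f"{TASK_NS}Arguments") or ""
        binary = PureWindowsPath(command).name.lower()
        if binary in SCRIPT_HOSTS:
            reasons.append(f"task action runs script host {binary}")
        if any(p in f"{command} {args}".lower() for p in USER_WRITABLE):
            reasons.append("task action references a user-writable path")
        if (any(v in task_name.lower() for v in VENDOR_WORDS)
                and not command.lower().startswith(TRUSTED_ROOTS)):
            reasons.append(f"vendor-styled name {task_name!r} but command is outside trusted roots")
        reasons += [f"suspicious argument: {k}" for k, p in ARG_PATTERNS.items() if p.search(args)]
    return reasons


def analyze_script_block(script_text: str) -> list[str]:
    """Matched patterns for a 4104 script block (only logged once Script Block Logging is on)."""
    return [k for k, p in SCRIPT_PATTERNS.items() if p.search(script_text)]


def triage(events: list[dict]) -> list[dict]:
    """Run every record through the matching analyser and return only the flagged ones."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4698:
            reasons = analyze_task(ev["task_name"], ev["task_content"])
        elif ev["event_id"] == 4104:
            reasons = analyze_script_block(ev["script_block"])
        else:
            continue
        if reasons:
            findings.append({"event_id": ev["event_id"], "host": ev["host"], "reasons": reasons})
    return findings


XMLNS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_EVENTS = [  # constructed records; names and paths are illustrative, not real IOCs
    {"event_id": 4698, "host": "WS-042", "task_name": "\\Realtek Audio Diagnostics",
     "task_content": f'<Task version="1.2" {XMLNS}><Actions><Exec><Command>powershell.exe</Command>'
                     '<Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File '
                     'C:\\Users\\alice\\AppData\\Roaming\\Realtek\\diag.ps1</Arguments></Exec></Actions></Task>'},
    {"event_id": 4698, "host": "WS-042", "task_name": "\\Realtek\\AudioService",  # benign lookalike
     "task_content": f'<Task version="1.2" {XMLNS}><Actions><Exec>'
                     '<Command>C:\\Program Files\\Realtek\\Audio\\AudioService.exe</Command>'
                     '<Arguments>-background</Arguments></Exec></Actions></Task>'},
    {"event_id": 4104, "host": "WS-042",  # decode, AES-decrypt, then load a .NET payload in memory
     "script_block": '$b=[Convert]::FromBase64String($blob);'
                     '$aes=New-Object System.Security.Cryptography.AesCryptoServiceProvider;'
                     '$d=$aes.CreateDecryptor($k,$iv).TransformFinalBlock($b,0,$b.Length);'
                     '[System.Reflection.Assembly]::Load($d).EntryPoint.Invoke($null,$null)'},
    {"event_id": 4104, "host": "WS-042",  # ordinary admin one-liner, must not be flagged
     "script_block": 'Get-Service | Where-Object Status -eq "Running" | Export-Csv C:\\Temp\\svc.csv'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["event_id"]} on {f["host"]}: ' + "; ".join(f["reasons"]))
```

Run as-is it flags the fake diagnostic task (script host, user-writable path, vendor-styled name, hidden window, policy bypass) and the in-memory loader script block, while the vendor-rooted task and the plain admin one-liner pass clean. The point of the contrast pair is that the task name alone is worthless as a signal; what separates the two Realtek entries is where the binary lives and what it is.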
The bigger trend in malware
Look, this isn’t a one-off. It’s a blueprint. Malware distribution is increasingly about trust-based lures and stealthy execution. High-demand content—movies, games, software cracks—creates a reliable stream of potential victims. And by using fileless techniques and trusted tools, attackers get better persistence and evasion. As long as people want stuff for free before it’s officially available, these low-effort, high-reach methods will keep evolving. The takeaway? The most common vulnerability isn’t in the code; it’s between the chair and the keyboard. And attackers are investing all their effort in exploiting that.
