Cybercriminals Use Fake Leonardo DiCaprio Film Torrent to Spread Agent Tesla Malware

Silviu STAHIE

December 11, 2025


Cybersecurity researchers from Bitdefender have discovered that a fake torrent file of Leonardo DiCaprio’s new film, One Battle After Another, hides a complex series of scripts designed to infect Windows users with a powerful trojan named Agent Tesla.  

When people download the movie, they expect a video file. Instead, the torrent delivers a hidden set of PowerShell scripts that unpack, decode, and execute a memory-resident malware payload.

Criminals use popular movies because the number of people searching for them while they’re still in theaters is higher. Thousands downloaded this torrent, showing that demand for pirated movies fuels dangerous malware campaigns.

Download a movie, get infected

The fake DiCaprio movie doesn’t contain a video file at all. It actually contains a staged attack designed to deploy Agent Tesla – a remote-access trojan that can be used to steal passwords, financial data, and browser information while giving criminals full control over the infected PC.

The attack is designed to trick people who don’t usually pirate media, which becomes clear from what users need to do in order to actually get infected. The torrent also comes with a large number of files, which would make it immediately suspicious to users accustomed to this type of download.

The torrent launches an attack chain that includes:

  • A malicious .lnk shortcut disguised as a movie launcher
  • Hidden batch commands embedded inside subtitle files
  • Multiple layers of PowerShell execution
  • AES-decrypted payloads distributed in image archives
  • A fake Realtek audio diagnostic task for persistence
  • A memory-only Agent Tesla executable that leaves no traditional files behind

What makes this interesting is that attackers rely on “Living off the Land” techniques – they use Windows’ own tools like CMD, PowerShell, and Task Scheduler, along with apps users might have installed in the past.

You can check out the complete malware analysis in the Bitdefender Labs investigation.

How to stay safe

1. First of all, people shouldn’t be downloading pirated content. Among other issues, it increases the risk of getting infected with Agent Tesla from fake video files.

2. If a movie is still in theaters or premium streaming, any torrent claiming early access is very likely a trap.

3. Movie torrents usually contain video files, so shortcuts, scripts and fake archives are immediate red flags.

4. Modern malware runs in memory and uses built-in Windows tools. Use an advanced security solution such as Bitdefender Total Security to stay safe.
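The red flags from point 3 can be checked before anything in a downloaded folder is opened. The following is an added example, not Bitdefender's code or detection logic: the extension lists, the command-token pattern and the finding names are assumptions chosen for illustration, and the image-header check is a generic extension/content mismatch test.

```python
import re
import sys
from pathlib import Path

VIDEO_EXT = {".mkv", ".mp4", ".avi", ".mov", ".m4v", ".wmv"}
LAUNCHER_EXT = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".exe", ".scr"}
SUBTITLE_EXT = {".srt", ".sub", ".ass", ".vtt"}
IMAGE_MAGIC = {  # leading bytes a genuine image of each type starts with
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"), ".bmp": (b"BM",),
}
# Assumed heuristic: command-interpreter tokens that have no place in
# subtitle dialogue. Tune the pattern for your own environment.
SHELL_TOKENS = re.compile(
    rb"powershell|cmd(\.exe)?\s+/c|schtasks|invoke-expression|frombase64string", re.I)
MAX_SCAN = 8 * 1024 * 1024  # subtitle files are small; cap the read anyway


def triage_download(root):
    """Return (finding, relative_path) tuples for one downloaded folder."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    findings = []
    if not any(p.suffix.lower() in VIDEO_EXT for p in files):
        findings.append(("no-video-file", "."))
    for p in files:
        rel, ext = p.relative_to(root).as_posix(), p.suffix.lower()
        if ext in LAUNCHER_EXT:
            findings.append(("shortcut-or-script", rel))
        elif ext in SUBTITLE_EXT:
            with p.open("rb") as fh:
                data = fh.read(MAX_SCAN)
            # Strip NULs so UTF-16 encoded subtitle files are searched too.
            if SHELL_TOKENS.search(data.replace(b"\x00", b"")):
                findings.append(("commands-in-subtitle", rel))
        elif ext in IMAGE_MAGIC:
            with p.open("rb") as fh:
                if not fh.read(8).startswith(IMAGE_MAGIC[ext]):
                    findings.append(("image-extension-mismatch", rel))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding, path in triage_download(target):
        print(f"{finding:26} {path}")
```

An empty result only means none of these heuristics fired; it does not show that the folder is safe to open.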

How Bitdefender protects you 

  • Bitdefender security solutions block every stage of this attack
  • Behavioral detection recognizes malicious PowerShell activity
  • Real-time threat protection stops script execution before payloads decrypt
  • Network monitoring blocks communication with command-and-control servers
  • Ransomware and phishing prevention provides layered defense

Whether attackers hide malware in images, subtitles, fake installers or archives, Bitdefender stops the infection long before Agent Tesla can run.

Frequently asked questions - FAQ

 

Is downloading movies from torrents safe?

Not really. Attackers now regularly pack malware into fake movies and TV shows.

What happens if Agent Tesla infects my PC?

Criminals gain remote access, steal passwords, monitor activity, and potentially use your PC in future attacks.

Why do attackers use movie torrents?

Because new movies attract a lot of people, especially inexperienced users who might not know that pirating comes with major security risks.

Author


Silviu STAHIE

Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
