Executive Summary
In early June 2024, cybersecurity researchers discovered that a malicious torrent purporting to offer the Leonardo DiCaprio film 'One Battle After Another' was distributing infostealer malware through booby-trapped subtitle files. Unsuspecting users who downloaded the fake torrent were exposed to malicious PowerShell loaders, which delivered the Agent Tesla remote access trojan (RAT). This malware enabled attackers to steal sensitive credentials, exfiltrate data, and remotely monitor infected devices, highlighting how threat actors weaponize popular entertainment content to bypass user defenses and propagate infostealers.
The incident underscores an evolving threat landscape in which cybercriminals exploit widely used file formats and trusted brands to lure victims. Multimedia supply chains are increasingly targeted through creative means such as doctored subtitles, while infostealers and RATs surge in popularity. Organizations and individuals must heighten their vigilance, especially as attack techniques grow more sophisticated and compliance scrutiny intensifies.
Why This Matters Now
This incident spotlights the urgent need for robust endpoint and network protections, as attackers are capitalizing on entertainment-driven social engineering to bypass traditional security controls. Infostealer campaigns leveraging disguised files and media content are on the rise, making proactive threat detection and user awareness critical to prevent credential theft and data loss.
Attack Path Analysis
The attacker lured victims with a fake torrent containing malicious subtitle files, leading to initial compromise via a PowerShell-based malware loader. Upon execution, the malware established persistence and elevated privileges to enable further access. Lateral movement may have occurred within the cloud or enterprise network through internal communication channels. The Agent Tesla RAT established outbound command and control communications to exfiltrate sensitive data. Exfiltration was carried out over the network, potentially using encrypted or covert channels. The impact consisted of information theft and device compromise, with further risks of credential exposure and business disruption.
Kill Chain Progression
Initial Compromise
Description
A malicious torrent file delivered an infected subtitle file, which ran a PowerShell-based loader that executed Agent Tesla RAT upon opening with a media player.
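The initial-compromise step above (a media player handling a subtitle file, followed by a PowerShell-based loader) and the Threat Detection control listed later both suggest a process-lineage rule. The following is an added example, not code from the report or any vendor product: it scores constructed Sysmon-style process-creation records, anchoring on a media player spawning PowerShell and raising priority when a subtitle file was open and loader-style arguments are present. The player image names, argument patterns and sample records are illustrative assumptions.

```python
import re
from collections import namedtuple

# Process-creation record carrying the Sysmon Event ID 1 fields the rule needs.
ProcessEvent = namedtuple("ProcessEvent", "image command_line parent_image parent_command_line")

# Assumed image names of common media players (illustrative, not taken from the report).
MEDIA_PLAYERS = {"vlc.exe", "mpc-hc64.exe", "wmplayer.exe", "mpv.exe", "potplayermini64.exe"}
SUBTITLE_EXT = re.compile(r"\.(srt|ass|ssa|sub|vtt)\b", re.I)
# Argument patterns commonly seen with script-based loaders, each with an analyst-facing label.
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(nc(odedcommand)?)?\s", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop(rofile)?\b", re.I), "profile suppressed"),
    (re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(iex|iwr|invoke-expression|invoke-webrequest|downloadstring|downloadfile)\b", re.I), "download/execute cradle"),
]

def assess(ev):
    """Return the reasons an event is suspicious; empty unless a media player spawned PowerShell."""
    child = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if child not in {"powershell.exe", "pwsh.exe"} or parent not in MEDIA_PLAYERS:
        return []  # the parent/child relationship is the anchor; the flags alone are too noisy
    reasons = [f"media player {parent} spawned PowerShell"]
    if SUBTITLE_EXT.search(ev.parent_command_line):
        reasons.append("player had a subtitle file open")
    reasons += [label for pattern, label in SUSPICIOUS_ARGS if pattern.search(ev.command_line)]
    return reasons

def detect(events):
    """Return [(event, reasons)] for every event worth analyst review; more reasons, higher priority."""
    return [(ev, reasons) for ev in events if (reasons := assess(ev))]

# Constructed sample telemetry; paths, names and arguments are invented for this example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER",
                 r"C:\Program Files\VideoLAN\VLC\vlc.exe",
                 r'vlc.exe --sub-file "D:\Downloads\movie\subs\english.srt" "D:\Downloads\movie\movie.mkv"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1",
                 r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh.exe",
                 r"C:\Tools\mpv\mpv.exe", r'mpv.exe "D:\Downloads\movie\movie.mkv"'),
]

for ev, reasons in detect(SAMPLE_EVENTS):
    print(f"ALERT priority={len(reasons)} parent={ev.parent_image}: {'; '.join(reasons)}")
```

The benign administrative PowerShell launched from explorer.exe produces no alert, while the bare pwsh.exe spawned by a player still surfaces at low priority so that loaders without the usual flags are not missed.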
Related CVEs
CVE-2017-11292
CVSS 10
A use-after-free vulnerability in Adobe Flash Player allows remote attackers to execute arbitrary code via a crafted SWF file.
Affected Products:
Adobe Flash Player – < 27.0.0.183
Exploit Status:
exploited in the wild
CVE-2018-4878
CVSS 10
A use-after-free vulnerability in Adobe Flash Player allows remote attackers to execute arbitrary code via a crafted SWF file.
Affected Products:
Adobe Flash Player – < 28.0.0.161
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing
User Execution: Malicious File
Command and Scripting Interpreter: PowerShell
Phishing: Spearphishing Attachment
Deobfuscate/Decode Files or Information
Screen Capture
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Custom and Shared Software
Control ID: 2.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 8
CISA ZTMM 2.0 – User and Workload Segmentation
Control ID: 3.2.1
NIS2 Directive – Detection and Response Capabilities
Control ID: Article 21.2(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Entertainment/Movie Production
High risk from Agent Tesla infostealer targeting industry content through fake torrents, threatening intellectual property theft and credential compromise.
Media Production
Vulnerable to PowerShell-based infostealers distributed via malicious torrents, requiring enhanced egress security and threat detection for content protection.
Information Technology/IT
Critical exposure to sophisticated malware loaders hiding in subtitle files, necessitating advanced anomaly detection and zero trust segmentation implementation.
Computer Software/Engineering
Elevated threat from RAT malware targeting development environments through social engineering, demanding robust east-west traffic security and encryption controls.
Sources
- Fake ‘One Battle After Another’ torrent hides malware in subtitles: https://www.bleepingcomputer.com/news/security/fake-one-battle-after-another-torrent-hides-malware-in-subtitles/
- 2021 Top Malware Strains: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a
- COVID-19 Exploited by Malicious Cyber Actors: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-099a
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, internal east-west controls, egress policy enforcement, and real-time threat detection would have significantly constrained the malware's ability to move laterally, establish outbound C2, and exfiltrate data, even after the initial compromise. Microsegmentation and workload isolation limit attacker movement, while policy-driven egress controls and cloud-native detection block C2 traffic and credential exfiltration.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of PowerShell-based malware behaviors and alerting for incident response.
Control: Zero Trust Segmentation
Mitigation: Limits malicious process access to sensitive workloads and networks.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal connections and detects lateral movement attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Stops outbound C2 traffic and data staging via DNS or HTTP(S).
Control: Encrypted Traffic (HPE) & Inline IPS (Suricata)
Mitigation: Detects and blocks suspicious data exfiltration attempts, even over encrypted channels.
Centralizes observability and audit for rapid containment and recovery.
Impact at a Glance
Affected Business Functions
- Media Streaming
- Content Delivery
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of user credentials and personal information due to malware infection.
Recommended Actions
Key Takeaways & Next Steps
- Implement comprehensive Zero Trust segmentation to strictly isolate workloads and prevent intra-network malware spread.
- Enforce policy-driven egress filtering to block unauthorized outbound communications and C2 domains.
- Deploy inline threat detection and anomaly response for early identification of, and response to, script-based and fileless malware.
- Maintain real-time visibility into hybrid/multi-cloud environments to efficiently detect, investigate, and respond to suspicious events.
- Regularly audit and refine internal access controls to minimize privilege abuse risks from compromised endpoints.