Fake Leonardo DiCaprio Torrent Spreads Agent Tesla Malware

A fake Leonardo DiCaprio movie torrent is spreading Agent Tesla malware through trusted Windows tools.

Written by Ken Underhill
Dec 12, 2025

Cybercriminals are exploiting demand for pirated movies by disguising malware as a fake torrent of One Battle After Another, a new Leonardo DiCaprio film, tricking Windows users into infecting their own systems. 

What appears to be an early-access movie download is actually a carefully staged attack chain that installs Agent Tesla, a powerful remote access trojan.

The malware “… can be used to steal passwords, financial data, and browser information while giving criminals full control over the infected PC,” said Bitdefender researchers.

When Entertainment Becomes an Attack Vector

This campaign highlights how popular entertainment releases remain an effective lure for malware distribution, especially when content is still in theaters or unavailable on mainstream streaming platforms. 

Anyone searching for early access — including users who don’t typically pirate media — can be affected, and infected personal devices may later become entry points into corporate networks.

Bitdefender reported that the campaign has already reached thousands of users, underscoring how quickly demand-driven lures can scale malware operations.


Inside the Fake Torrent Infection Chain

The campaign does not exploit a software vulnerability but instead abuses user trust and familiar torrent behaviors to deliver Agent Tesla. 

Rather than containing a video file, the torrent packages a staged infection chain that begins when users launch a malicious Windows shortcut disguised as a movie file. 

That action triggers hidden batch commands embedded in subtitle files, which in turn execute multiple layers of PowerShell to unpack and run the payload.

The attackers conceal AES-encrypted components inside image archives and establish persistence through a fake Realtek audio diagnostic task, allowing the final Agent Tesla payload to run entirely in memory. 

By relying on built-in Windows tools such as PowerShell, Command Prompt, and Task Scheduler, the malware blends into normal system activity and evades many file-based security controls.

This approach highlights a broader shift toward social engineering and living-off-the-land techniques, where fully patched systems can still be compromised if users are tricked into executing malicious content.

Even without exploiting a CVE, the attack enables credential theft, remote access, and long-term persistence, demonstrating how trust-based delivery mechanisms remain a powerful vector for modern malware campaigns.


Defending Against Fileless Malware

Malware campaigns delivered through fake media downloads continue to evolve, relying less on exploits and more on user behavior and trusted system tools. 

Defending against these threats requires going beyond basic antivirus protections and focusing on how malware is delivered, executed, and sustained. 

  • Block or restrict pirated content and peer-to-peer downloads on corporate devices, treating non-video torrent files as high risk.
  • Detect and limit script-based attacks by monitoring PowerShell, enabling logging, and restricting execution of shortcuts and scripts.
  • Use endpoint protection capable of identifying memory-resident malware and living-off-the-land techniques.
  • Apply application control and least-privilege policies to prevent unauthorized persistence mechanisms and tool abuse.
  • Educate users on modern fileless malware tactics and suspicious download behaviors.
  • Review and test incident response plans to ensure rapid containment and credential rotation after suspected compromise.
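As an added example (not code from the article or from Bitdefender's report), the following Python hunt turns the infection chain described above and the PowerShell and shortcut monitoring advice in the list into three heuristics run over process-creation records. The record fields (parent, image, cmdline), the sample command lines and the task name are constructed assumptions, not indicators taken from the campaign.

```python
import re

# Script hosts that should never be the consumer of a subtitle file.
SCRIPT_HOSTS = ("cmd", "powershell", "pwsh")
SUBTITLE_EXT = re.compile(r"\.(srt|sub|ass|vtt)\b", re.I)
# Flags typical of hidden, non-interactive PowerShell layers.
PS_STEALTH = re.compile(r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b", re.I)

def exe(path):
    """Lower-case executable name without directory or .exe suffix."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower().removesuffix(".exe")

def check_event(ev):
    """Return the heuristic names that fire for one process-creation record."""
    parent, image, cmd = exe(ev["parent"]), exe(ev["image"]), ev["cmdline"]
    hits = []
    # Stage 1: a script host handed a subtitle file (batch commands hidden in a .srt).
    if image in SCRIPT_HOSTS and SUBTITLE_EXT.search(cmd):
        hits.append("script_host_reads_subtitle")
    # Stage 2: PowerShell spawned by cmd or by PowerShell itself with hidden/encoded flags.
    if image in ("powershell", "pwsh") and parent in SCRIPT_HOSTS and PS_STEALTH.search(cmd):
        hits.append("nested_stealth_powershell")
    # Stage 3: a new scheduled task posing as a Realtek audio diagnostic whose action is a script host.
    if image == "schtasks" and "/create" in cmd.lower():
        m = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        action = m.group(1) if m else ""
        if "realtek" in cmd.lower() and action and exe(action.split()[0]) in SCRIPT_HOSTS:
            hits.append("fake_vendor_task_persistence")
    return hits

def hunt(events):
    """Return (event index, heuristic) pairs across a batch of records."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]

# Constructed sample records (not telemetry from the real campaign), in chain order,
# followed by two benign launches that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Downloads\Movie.2025\Movie.2025.srt"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # constructed base64 stub
    {"parent": PS, "image": PS, "cmdline": 'powershell.exe -nop -c "<second stage>"'},
    {"parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Realtek Audio Diagnostic" /tr "powershell -w hidden -f C:\Users\Public\rt.ps1" /sc onlogon'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\VLC\vlc.exe", "cmdline": "vlc.exe Movie.mp4"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
```

Calling `hunt(EVENTS)` flags the four staged records and leaves the VLC launch and the plainly invoked backup script alone; in practice the records would come from Sysmon or Event ID 4688 with command-line auditing enabled.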

Taken together, these controls lower exposure to fileless threats while keeping security manageable. 


Malware Shifts to Trust-Based Lures

This campaign highlights a broader shift in malware distribution, where attackers favor high-demand lures and trusted system tools over traditional exploit-heavy techniques. 

Popular movies, games, and software releases create reliable opportunities to reach large audiences, while fileless execution helps malware evade detection and persist longer. 

As long as interest in pirated content remains strong, attackers are likely to keep refining these low-effort, high-reach delivery methods.

As attackers abuse what users trust most, zero-trust becomes essential for limiting lateral movement and reducing the blast radius.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.