Malware in Subtitles: Scammers Use Leonardo DiCaprio’s “One Battle After Another” to Spread Agent Tesla
One of the year’s most anticipated films starring Leonardo DiCaprio, One Battle After Another, has yet to reach official online distribution, yet it has already become a lure for malware. Ahead of its release on HBO Max, scheduled for December 19, torrent files have begun circulating online that do not contain the film at all, but rather a dangerous malicious program. Bitdefender researchers have issued a warning after detecting a new wave of attacks leveraging the well-known Agent Tesla trojan.
The attackers disguised the malicious code as a purported video file of the movie, offered for download on popular torrent sites. Instead of a standard .mp4 or .mkv file, users receive a folder filled with suspicious contents. Opening it prompts the user to launch a shortcut labeled “CD.lnk,” which marks the beginning of the infection chain. The next stage executes a hidden PowerShell script embedded within a subtitle file named Part2.subtitles.srt. Although the file does contain legitimate subtitles, it also harbors malicious code that activates remote access to the system.
This technique allows a memory-resident malware module to be deployed on the compromised device, which then connects to a command-and-control (C2) server. From there, attackers gain full control over the computer, enabling them to siphon sensitive data—including financial information—or conscript the machine into attacks against other systems. While Agent Tesla itself is a long-established threat, previously distributed mainly via phishing emails, this delivery method using counterfeit subtitles is particularly sophisticated.
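A defender can triage such a download before anything in it is opened. The following Python is an added example, not code from the article or from Bitdefender: it checks that a subtitle file contains only well-formed SRT cues and flags shortcuts in the release folder. The token list, the 200-character limit and the sample text are assumptions constructed for illustration.

```python
import re
from pathlib import Path
# Cue timing line, e.g. "00:00:01,000 --> 00:00:03,500"
TIMING = re.compile(r"^\d{2}:\d{2}:\d{2}[,.]\d{3}\s+-->\s+\d{2}:\d{2}:\d{2}[,.]\d{3}")
# Assumed heuristic (not indicators from the report): PowerShell-looking tokens.
SCRIPT_HINTS = re.compile(
    r"(?i)(powershell|invoke-expression|\biex\b|frombase64string|"
    r"-enc(odedcommand)?\b|new-object|downloadstring|\[system\.|\$\w+\s*=)")
MAX_LINE = 200  # assumed ceiling for a line of dialogue
# Constructed sample: two valid cues with a harmless script-like block between.
SAMPLE = ("1\n00:00:01,000 --> 00:00:03,000\nWhere were you?\n\n"
          "$p = 'constructed-placeholder'\nInvoke-Expression $p\n\n"
          "2\n00:00:04,000 --> 00:00:06,000\nI told you already.\n")

def audit_srt(text):
    """Return (line_number, reason, excerpt) for lines that are not plain SRT."""
    findings, state = [], "index"
    for n, raw in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        line = raw.strip("\ufeff \t")
        if not line:                      # a blank line ends the current cue
            state = "index"
            continue
        if state == "index":
            if line.isdigit():
                state = "timing"
                continue
            findings.append((n, "text outside a cue", line[:60]))
            state = "orphan"              # report the block once, keep scanning it
        elif state == "timing":
            if TIMING.match(line):
                state = "text"
                continue
            findings.append((n, "missing cue timing", line[:60]))
            state = "orphan"
        if SCRIPT_HINTS.search(line):
            findings.append((n, "script-like token", line[:60]))
        elif len(line) > MAX_LINE:
            findings.append((n, "overlong line", line[:60]))
    return findings

def audit_release(folder):
    """Flag shortcuts and suspicious subtitle files in a downloaded folder."""
    report = {}
    for p in sorted(Path(folder).rglob("*")):
        if p.suffix.lower() == ".lnk":    # a film release has no need for shortcuts
            report[p.name] = [(0, "shortcut in a media release", "")]
        elif p.suffix.lower() == ".srt":
            report[p.name] = audit_srt(p.read_text(encoding="utf-8", errors="replace"))
    return {name: hits for name, hits in report.items() if hits}
```

A clean subtitle file produces no findings; any finding is a reason to discard the download rather than open it.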
The tactic of embedding malicious code in subtitle files has been observed before, but this campaign marks the first time it has been tied specifically to One Battle After Another. The attackers are likely targeting users unfamiliar with the risks of pirated content and inexperienced with torrent downloads. The film, directed by Paul Thomas Anderson and already garnering multiple accolades, is popular enough to make ideal bait for audiences seeking free access to high-profile new releases.
The film has already been named Best Picture by the New York Film Critics Circle and leads the list of nominees for the London Film Critics’ Awards. Its cast includes Leonardo DiCaprio, Sean Penn, Teyana Taylor, Regina Hall, Benicio del Toro, and newcomer Chase Infiniti.
Given the intense anticipation surrounding the release, experts warn that attempts to distribute malware under its guise are likely to escalate. While seasoned users are unlikely to run a suspicious script merely to watch a movie, less experienced individuals risk turning their devices into unwitting zombie computers.