Full Report
After noticing a spike in detections involving what looked like a movie torrent for One Battle After Another, Bitdefender researchers started an investigation and discovered that it was a complex infection chain. The film, Leonardo DiCaprio's latest, has quickly gained notoriety, making it an attractive lure for cybercriminals seeking to infect as many devices as possible. People often search for the latest movies on the internet, hoping to find a copy of a new release that has just begun its
Analysis Summary
# Tool/Technique: Agent Tesla RAT delivered via Media Lure
## Overview
This describes a complex, multi-stage infection chain initiated by users downloading what they believe to be a torrent for the movie *One Battle After Another* (starring Leonardo DiCaprio). The ultimate payload delivered is the Agent Tesla Remote Access Trojan (RAT), which aims to steal financial and personal information from compromised Windows systems. The attack relies heavily on Living Off the Land (LOTL) binaries and obfuscated PowerShell scripting executed entirely in memory to evade detection.
## Technical Details
- Type: Malware (RAT) / Infection Chain (Technique)
- Platform: Windows
- Capabilities: Remote access, information theft (credentials, financial data), memory-resident execution, multi-stage obfuscation.
- First Seen: The specific torrent campaign was investigated around December 2025, though Agent Tesla has been in use for years.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (Via compromised/malicious torrent distribution)
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Used in layered decryption)
  - T1218 - Signed Binary Proxy Execution (Leveraging LOTL tools)
- **TA0011 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder (Implied via subsequent RAT functionality, though main evasion focuses on fileless execution)
- **TA0009 - Collection**
  - T1005 - Data from Local System (General capability of RAT)
## Functionality
### Core Capabilities
- **Lure Mechanism:** Uses the notoriety of a new movie (*One Battle After Another*) delivered via a torrent file to trick novice users.
- **Initial Execution:** Leverages a shortcut file (`CD.lnk`) which executes specific lines (100-103) hidden within a seemingly legitimate subtitle file (`Part2.subtitles.srt`).
- **Chain Execution:** Uses a combination of `cmd.exe`, `PowerShell.exe`, and potentially `Task Scheduler` to unpack multiple layers of encrypted data.
- **Fileless Execution:** The primary goal is to execute the final payload entirely in memory to avoid writing files to disk, aiding evasion.
### Advanced Features
- **Multi-stage Scripting:** Utilization of layered, obfuscated scripts to progressively decrypt and execute the final payload.
- **LOTL Utilization:** Heavy reliance on legitimate Windows utilities (`cmd`, PowerShell) for execution, masking malicious activity as system processes.
- **RAT Deployment:** Successful stages lead to the deployment of Agent Tesla, a known Remote Access Trojan capable of comprehensive system access and data exfiltration.
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names:
  - Suspect Torrent Content (e.g., related to *One Battle After Another*)
  - `CD.lnk` (Shortcut file)
  - `Part2.subtitles.srt` (File containing embedded batch code)
- Registry Keys: Not explicitly mentioned for this initial infection stage.
- Network Indicators: Not explicitly mentioned for C2 addresses, as this focuses on the initial delivery mechanism.
- Behavioral Indicators:
  - Execution of `cmd.exe` piping output from `type` and `findstr` commands against an SRT file.
  - Subsequent execution of obfuscated `powershell.exe` commands involving layered decryption.
  - Memory-resident payload execution.
## Associated Threat Actors
- Threat actors utilizing Agent Tesla (No specific APT group linked to this exact torrent campaign, but Agent Tesla is widely used by various financially motivated groups).
## Detection Methods
- Signature-based detection: matching known Agent Tesla binaries, which only helps if a stage is eventually written to disk (unlikely given the fileless approach).
- Behavioral detection: Monitoring suspicious sequences involving `.lnk` files launching shell commands that process non-standard data files (like SRTs) via `more | findstr` pipes, followed by PowerShell execution.
- YARA rules: Not provided in the context.
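The behavioral indicators and the behavioral detection above describe a sequence rather than a single event: a shell reading lines out of a non-script data file through `findstr`, followed by an obfuscated PowerShell launch in the same process tree. The following is an added example of that correlation logic, not code from the Bitdefender report. It runs over constructed process-creation records loosely modelled on Sysmon Event ID 1 fields (timestamp, pid, parent pid, image, command line); the command lines, pids and the base64 blob are placeholders, not indicators from the campaign. It also covers the generalisation that the PowerShell may be a grandchild of the first `cmd.exe` rather than its direct child.

```python
"""Correlate the shortcut -> cmd (type/more | findstr on a data file) -> PowerShell chain.

Added example, not code from the report.  Sample telemetry below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since an arbitrary epoch (constructed)
    pid: int
    ppid: int
    image: str     # lowercase basename of the launched executable
    cmdline: str


# Stage 1: cmd.exe reading a non-script data file (subtitles, text, NFO) and
# filtering its lines through findstr.  A .lnk target shows up as cmd.exe spawned
# directly by explorer.exe with this kind of command line.
DATA_FILE = r"\.(?:srt|sub|ass|vtt|txt|nfo)\b"
STAGE1 = re.compile(
    r"\b(?:type|more)\b[^|]*" + DATA_FILE + r"[^|]*\|\s*findstr\b",
    re.IGNORECASE,
)

# Stage 2: PowerShell launched with switches typical of obfuscated one-liners
# (hidden window, no profile, encoded command, execution-policy bypass).
STAGE2 = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden"
    r"|nop(?:rofile)?\b"
    r"|e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|e(?:xecutionpolicy|p)\s+bypass"
    r"|noni(?:nteractive)?\b)",
    re.IGNORECASE,
)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}


def detect_chain(events: List[ProcEvent], window: int = 60) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (stage1_cmd, stage2_powershell) pairs.

    A stage-1 cmd.exe taints its pid; every descendant inherits the taint, so a
    nested `cmd.exe /c` between the two stages does not break the correlation.
    A hit needs a tainted ancestor *and* a stage-2 PowerShell within `window`
    seconds, so a lone `type log.txt | findstr ERROR` or a lone hidden PowerShell
    started from explorer.exe does not fire on its own.
    """
    tainted: Dict[int, ProcEvent] = {}
    hits: List[Tuple[ProcEvent, ProcEvent]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image == "cmd.exe" and STAGE1.search(ev.cmdline):
            tainted[ev.pid] = ev
            continue
        root = tainted.get(ev.ppid)
        if root is None:
            continue
        tainted[ev.pid] = root            # descendants inherit the stage-1 root
        if ev.image in PS_IMAGES and STAGE2.search(ev.cmdline) and ev.ts - root.ts <= window:
            hits.append((root, ev))
    return hits


def describe(hit: Tuple[ProcEvent, ProcEvent]) -> str:
    root, ps = hit
    return (f"chain: cmd.exe pid {root.pid} filtered a data file via findstr at t={root.ts}; "
            f"descendant {ps.image} pid {ps.pid} ran with evasion switches at t={ps.ts}")


# Constructed sample telemetry; explorer.exe is pid 2000.
SAMPLE_EVENTS = [
    # benign: user opens the subtitle file in an editor
    ProcEvent(100, 4100, 2000, "notepad.exe", r'notepad.exe "D:\Movies\Part2.subtitles.srt"'),
    # benign: admin filters a log; stage 1 matches but no PowerShell follows
    ProcEvent(110, 4200, 2000, "cmd.exe", r"cmd.exe /c type C:\logs\app.txt | findstr ERROR"),
    # decoy: hidden PowerShell straight from explorer, no tainted ancestor
    ProcEvent(150, 4250, 2000, "powershell.exe", 'powershell.exe -nop -w hidden -c "Get-Date"'),
    # suspicious: cmd.exe (as a .lnk target would appear) pulls lines out of the SRT
    ProcEvent(200, 4300, 2000, "cmd.exe", 'cmd.exe /c more Part2.subtitles.srt | findstr "@@"'),
    # nested cmd.exe /c one level down (constructed, inert command)
    ProcEvent(201, 4310, 4300, "cmd.exe", "cmd.exe /c echo stage2"),
    # PowerShell grandchild with hidden window and encoded command (placeholder blob)
    ProcEvent(203, 4320, 4310, "powershell.exe",
              "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
]

if __name__ == "__main__":
    for hit in detect_chain(SAMPLE_EVENTS):
        print(describe(hit))
```

Only the last three events produce a hit; the benign `findstr` on a log file and the stand-alone hidden PowerShell are each half of the pattern and are deliberately left unreported, which is what keeps this rule usable on real endpoints where both halves occur legitimately on their own.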
## Mitigation Strategies
- **User Education:** Training users, especially novices, about the dangers of downloading pirated content and executing files from untrusted torrents.
- **Application Control:** Restricting PowerShell script execution, or allow-listing scripts so that only properly signed scripts are permitted to run.
- **Endpoint Protection:** Deploying EDR solutions capable of detecting advanced fileless techniques and LOLBins usage in complex chains.
- **File Integrity Monitoring:** Monitoring files like `.srt` or `.lnk` for unexpected content or execution patterns.
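The file-monitoring point can be made concrete: a well-formed `.srt` is nothing but repeated cues (an index line, a timecode line, one or more text lines, a blank line), so batch or PowerShell appended to a subtitle file cannot satisfy that grammar. The following is an added example of such a structural audit, not code from the Bitdefender report. It parses a subtitle file with that grammar, reports every line that falls outside it, and only flags cue text itself when it carries two or more distinct shell-like tokens, since a single word such as "PowerShell" can legitimately appear in dialogue. The sample files and the encoded blob are constructed placeholders; the file names come from the report.

```python
"""Structural audit of an .srt file: lines outside the cue grammar are reported.

Added example, not code from the report.  Sample subtitle files are constructed.
"""
import re
from typing import List, Tuple

# HH:MM:SS,mmm --> HH:MM:SS,mmm, optionally followed by legacy X1/X2/Y1/Y2 positioning
TIMECODE = re.compile(
    r"^\d{2}:\d{2}:\d{2}[,.]\d{3}\s+-->\s+\d{2}:\d{2}:\d{2}[,.]\d{3}"
    r"(?:\s+X1:\d+\s+X2:\d+\s+Y1:\d+\s+Y2:\d+)?$"
)
# Tokens that belong to batch/PowerShell, not to subtitle dialogue.
SHELL_TOKENS = re.compile(
    r"powershell|pwsh|cmd\.exe|\bcmd\s+/|findstr|-enc(?:odedcommand)?\b|\biex\b"
    r"|invoke-expression|frombase64string|\$env:|%[A-Za-z_]+%|@echo|\bset\s+\w+=|&&|::",
    re.IGNORECASE,
)

Finding = Tuple[int, str, str]   # (line number, reason, offending line)


def shell_tokens(line: str) -> List[str]:
    """Distinct shell-like tokens in a line, lower-cased and sorted."""
    return sorted({m.lower() for m in SHELL_TOKENS.findall(line)})


def audit_srt(text: str) -> List[Finding]:
    """Walk the file with the cue grammar and report every line that violates it."""
    findings: List[Finding] = []
    state = "cue index"                       # what the grammar expects next
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip("\ufeff").strip()   # tolerate a BOM and CRLF endings
        expected = state
        if state == "cue index":
            if line == "":
                continue                      # extra blank lines between cues are fine
            if line.isdigit():
                state = "timecode"
                continue
        elif state == "timecode":
            if TIMECODE.match(line):
                state = "cue text"
                continue
            state = "cue index"               # resynchronise after reporting this line
        else:  # cue text
            if line == "":
                state = "cue index"
                continue
            tokens = shell_tokens(line)
            if len(tokens) >= 2:              # dialogue rarely stacks shell tokens
                findings.append((no, "cue text with shell-like tokens: " + ", ".join(tokens), raw))
            continue
        # reached only when the line violated the expected cue index / timecode
        reason = f"outside cue grammar (expected {expected})"
        tokens = shell_tokens(line)
        if tokens:
            reason += "; shell-like tokens: " + ", ".join(tokens)
        findings.append((no, reason, raw))
    return findings


def is_suspicious(text: str) -> bool:
    """True when any reported line carries shell-like tokens (pure formatting slips do not count)."""
    return any("shell-like tokens" in reason for _, reason, _ in audit_srt(text))


# Constructed: a clean two-cue file; "PowerShell" appears once in dialogue on purpose.
CLEAN_SRT = """1
00:00:01,000 --> 00:00:03,500
Where did you put the drive?

2
00:00:04,000 --> 00:00:06,000
He said PowerShell was the answer.
"""

# Constructed: the same file with two inert batch-looking lines appended; the
# encoded blob is a placeholder, not the campaign's payload.
TAINTED_SRT = CLEAN_SRT + "\n@echo off\npowershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQQ==\n"

if __name__ == "__main__":
    for no, reason, line in audit_srt(TAINTED_SRT):
        print(f"line {no}: {reason}: {line}")
```

Run as a periodic scan over media folders (or from a file-integrity monitor's change hook), the audit turns "unexpected content in an `.srt`" into a concrete finding with a line number, which is what an analyst needs to confirm the `CD.lnk` / `Part2.subtitles.srt` pattern quickly.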
## Related Tools/Techniques
- **Agent Tesla:** The final deployed RAT.
- **Lumma Stealer:** Mentioned as infostealer previously distributed via fake *Mission: Impossible* torrents, showing a pattern of media-lure usage.
- **Living Off the Land (LOTL) Techniques:** Use of CMD and PowerShell for execution and evasion.