According to TechSpot, security researchers at Bitdefender discovered a fraudulent torrent for the Golden Globe-nominated film “One Battle After Another,” which premiered on September 26. The torrent contains an archive disguised as a video file, a subtitle file, and a shortcut labeled “CD.link.” Clicking the shortcut triggers a multi-stage attack where the real subtitle file contains hidden malicious code. The malware uses legitimate Windows tools like CMD and PowerShell in a “living-off-the-land” attack to take control of the device. This specific fake torrent has likely been downloaded thousands of times, and a similar attack using a fake “Mission: Impossible” torrent was spotted back in May. The film is set to begin streaming on HBO Max on December 19.
The subtle art of subtitle attacks
Here’s the thing that makes this attack clever: it’s not just a random .exe file. The hackers went to the trouble of including the actual, legitimate subtitles for the movie. But they’ve woven malicious code right into certain lines of that subtitle file. So, to a casual glance, everything looks perfectly normal. The delivery mechanism—using a shortcut file to launch the payload from a disguised archive—also adds a layer of social engineering. It plays on the user’s expectation of how you’d “start” a movie file. Basically, they’ve made the malicious activity look like a normal part of the viewing process, which is a lot sneakier than the old methods.
Why this keeps happening
This isn’t new, of course. As mentioned, a fake “Mission: Impossible” torrent was caught delivering the Lumma Stealer malware just a few months ago. But it keeps working because the economics are so good for hackers. They target a hugely popular, critically acclaimed film right after its theatrical release, when demand for digital copies is sky-high but legitimate streaming isn’t available yet. “One Battle After Another,” with its nine Golden Globe nods, is a perfect lure. They’re banking on impatience. And let’s be honest, it works. Thousands of downloads for a single malicious package? That’s a successful campaign by any measure.
What can you actually do?
The advice from security pros is always the same: don’t pirate stuff. But that’s not the reality for a lot of people. So if you’re going to venture into those waters, you need to be hyper-aware. Only open the actual video file, with the extension you expect (.mkv, .mp4, and so on). Be deeply suspicious of any “helper” files, shortcuts, or executables. Using a seedbox or a debrid service can provide a buffer, keeping the sketchy files off your personal machine. But really, the safest move is to just wait. The movie is hitting HBO Max in a matter of weeks. Is avoiding that short wait really worth the risk of your entire system getting owned? Probably not.
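The file-level tells from the two sections above (a shortcut next to the video, an archive wearing a video extension, a subtitle file whose cues hold something other than dialogue) can be checked before anything is opened. The script below is an added example, not code from the article, Bitdefender or TechSpot; the heuristics, the length threshold and the ".link" extension are assumptions about how the described layout would look on disk, and the sample folder it builds is constructed, not the real torrent.

```python
"""Triage a downloaded release folder for the file-level tells described above.

Added example, not code from the article, Bitdefender or TechSpot. The
checks are a defender's assumptions about how the described layout would
look on disk: a shortcut, an archive wearing a video extension, stray
executables, and a subtitle file whose cues carry something other than
dialogue. Thresholds and the ".link" extension are assumptions too.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

VIDEO_EXT = {".mkv", ".mp4", ".avi"}
SUBTITLE_EXT = {".srt"}
SHORTCUT_EXT = {".lnk", ".url", ".link"}           # ".link" mirrors the "CD.link" name in the article
EXEC_EXT = {".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr"}
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
SRT_TIME = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
SRT_MAX_CUE_LINE = 120                             # assumption: real dialogue lines are short
CUE_TOKENS = re.compile(r"(?i)\b(cmd|powershell)\b|https?://")


def sniff_archive(path: Path) -> Optional[str]:
    """Name the archive format by magic bytes, ignoring what the extension claims."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def check_subtitle(path: Path) -> List[str]:
    """Walk an SRT file and report cue text that does not look like dialogue."""
    findings = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.isdigit() or SRT_TIME.match(s):
            continue                               # sequence number, timing line or blank
        if len(s) > SRT_MAX_CUE_LINE:
            findings.append(f"line {n}: cue line of {len(s)} characters")
        if CUE_TOKENS.search(s):
            findings.append(f"line {n}: shell or URL token inside cue text")
    return findings


def triage(folder: Path) -> Dict[str, List[str]]:
    """Map each suspicious file name to the reasons it was flagged."""
    report: Dict[str, List[str]] = {}
    for p in sorted(folder.iterdir()):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        ext = suffixes[-1] if suffixes else ""
        flags = []
        if ext in SHORTCUT_EXT:
            flags.append("shortcut file: a video needs no launcher")
        if ext in EXEC_EXT:
            flags.append("executable in a folder that should hold only media")
        if len(suffixes) > 1 and suffixes[-2] in VIDEO_EXT and ext not in VIDEO_EXT | SUBTITLE_EXT:
            flags.append("double extension: video name, non-video type")
        if ext in VIDEO_EXT:
            kind = sniff_archive(p)
            if kind:
                flags.append(f"named as video but starts like a {kind} archive")
        if ext in SUBTITLE_EXT:
            flags.extend(check_subtitle(p))
        if flags:
            report[p.name] = flags
    return report


def build_sample_folder() -> Path:
    """Constructed folder mimicking the layout in the article; none of it is the real torrent."""
    folder = Path(tempfile.mkdtemp(prefix="triage-"))
    # A zip archive wearing a video extension: begins with the PK local-header signature.
    (folder / "One.Battle.After.Another.2025.1080p.mkv").write_bytes(b"PK\x03\x04" + b"\x00" * 60)
    (folder / "CD.link").write_text("[InternetShortcut]\nURL=file:///C:/placeholder\n")
    cues = (
        "1\n00:00:01,000 --> 00:00:03,000\nWe should go.\n\n"
        "2\n00:00:04,000 --> 00:00:06,000\n"
        "cmd /c powershell placeholder-argument\n\n"   # constructed stand-in for a tampered cue
        "3\n00:00:07,000 --> 00:00:09,000\nNow.\n"
    )
    (folder / "One.Battle.After.Another.2025.srt").write_text(cues)
    (folder / "README.txt").write_text("Enjoy the movie!\n")
    return folder


if __name__ == "__main__":
    for name, reasons in triage(build_sample_folder()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The magic-byte check matters more than the extension check: Windows hides known extensions by default, so the name is the weakest signal, while the first bytes of the file cannot be dressed up without breaking the archive. The subtitle check is deliberately loose (shell tool names, URLs, over-long cues); on a real release it will produce a few false positives in the dialogue, which is the right trade for a file you were about to hand to a media player.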
The broader landscape
This incident is a textbook example of how attack vectors evolve. Hackers aren’t just relying on dumb users clicking obvious viruses anymore. They’re crafting scenarios that mimic legitimate software workflows. Using native Windows tools to do their dirty work makes detection by traditional antivirus much harder—it’s just PowerShell doing PowerShell things, until it isn’t. For enterprises, this is a nightmare, as a user bringing this in from a home torrenting session could open a backdoor right into a corporate network. It’s a persistent, low-cost threat that leverages human nature and pop culture trends. And as long as there’s a gap between theatrical release and home availability, these scams will keep finding an audience.
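“PowerShell doing PowerShell things” is hard to catch from the process alone, but the chain the article describes (a user clicking a shortcut in Explorer, CMD running against the downloaded content, PowerShell spawned from that CMD) is visible in process-creation telemetry. The detection below is an added example, not code from the article, Bitdefender or TechSpot; the event fields, the sample events and the download-folder hints are constructed assumptions, so adapt the field names to whatever your EDR or Sysmon pipeline emits.

```python
"""Spot the explorer -> cmd -> powershell chain described above in
process-creation telemetry.

Added example, not code from the article, Bitdefender or TechSpot. The
event format, the sample events and the download-folder hints are
constructed assumptions; map the field names onto your own pipeline.
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumption: where torrent clients drop content on a typical workstation.
DOWNLOAD_HINTS = ("\\downloads\\", "\\torrents\\")
# Ancestry to look for, root first, as a subsequence of the process lineage.
LOTL_PATTERN = ("explorer.exe", "cmd.exe")


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(pid, by_pid):
    """Ancestry of pid, root first, stopping at a missing or cyclic parent."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def is_subsequence(pattern, names):
    """True when every pattern element appears in names, in order."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def detect(events):
    """One alert per script host whose ancestry matches LOTL_PATTERN and
    whose intermediate cmd.exe points at something under a download folder."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = lineage(e["pid"], by_pid)
        names = [image_name(p["image"]) for p in chain]
        if not is_subsequence(LOTL_PATTERN, names[:-1]):
            continue
        # The shell hop must reference downloaded content; a user who opened a
        # terminal and typed "powershell" by hand does not trip this.
        shell_hops = [p for p in chain[:-1] if image_name(p["image"]) == "cmd.exe"]
        if not any(h in p["cmdline"].lower() for p in shell_hops for h in DOWNLOAD_HINTS):
            continue
        alerts.append({"pid": e["pid"], "chain": " -> ".join(names), "cmdline": e["cmdline"]})
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed process-creation events, not real telemetry. pid 4201 is the
# chain the article describes; 5100 and 6000 are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 900, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4200, "ppid": 1000, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c placeholder-stage "C:\\Users\\alice\\Downloads\\One.Battle.After.Another\\One.Battle.After.Another.srt"'},
    {"pid": 4201, "ppid": 4200, "image": PS, "cmdline": "powershell.exe placeholder-arguments"},
    # Benign: user opened a terminal from the taskbar and started PowerShell by hand.
    {"pid": 5000, "ppid": 1000, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5100, "ppid": 5000, "image": PS, "cmdline": "powershell.exe"},
    # Benign: scheduled maintenance; explorer.exe is not in the ancestry at all.
    {"pid": 800, "ppid": 4, "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 6000, "ppid": 800, "image": PS, "cmdline": "powershell.exe -File C:\\ProgramData\\maintenance.ps1"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} chain={a['chain']}\n  {a['cmdline']}")
```

The rule keys on lineage plus the download path rather than on PowerShell arguments, because the arguments are exactly the part an attacker can vary freely, while “Explorer launched a shell against a file in Downloads, and that shell launched PowerShell” is rare in ordinary desktop use. For the enterprise case in the paragraph above, that same chain originating from a home profile synced onto a managed laptop is the event worth paging on.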
