How Cybercriminals Weaponized Subtitles: The 'One Battle After Another' Torrent Attack


Alex Cipher, 8 min read

Imagine downloading a much-anticipated movie torrent, only to have your system compromised by a seemingly harmless subtitle file. That is exactly what happened with the fake “One Battle After Another” torrent, where cybercriminals embedded a malicious PowerShell script within the subtitle file itself. The attack did not rely on tricking users into running a suspicious executable: it hid its payload in plain sight, leveraging the trust users place in subtitle and image files. The attackers orchestrated a multi-stage infection chain, using encrypted data blocks, staged PowerShell scripts, and even image files to conceal and deploy the AgentTesla Remote Access Trojan (RAT). The campaign's combination of memory-only execution and scheduled-task persistence illustrates a growing trend: attackers are moving beyond traditional malware delivery methods and exploiting overlooked file types to evade detection (BleepingComputer). This case is a wake-up call for both everyday users and cybersecurity professionals, showing just how creative and persistent threat actors have become.

How Cybercriminals Weaponize Subtitles: The Technical Breakdown

Subtitles as a Stealthy Malware Container

Cybercriminals have increasingly exploited subtitle files as covert containers for malicious code, leveraging their widespread use and the general lack of scrutiny applied to these files. In the case of the fake “One Battle After Another” torrent, the attackers embedded a malicious PowerShell script directly within the subtitle file (Part2.subtitles.srt). This method is particularly insidious because subtitle files are plain text: antivirus signatures tuned to executables and known malware families rarely trigger on them, and a user who opens the file sees only dialogue. In this sample the script sat between lines 100 and 103 of the file, deep enough that neither a casual reader nor many automated tools would notice it (BleepingComputer).

The attackers took advantage of the SRT format's lack of any enforced schema: a player simply renders the text between timestamps and tolerates extra content it does not understand. By placing encrypted data and script payloads inside the subtitle's textual content, they ensured that the file would not raise suspicion during casual inspection. This approach also bypasses many security mechanisms that focus on executable files or known malware signatures, highlighting a significant blind spot in endpoint protection strategies.
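A defender's counterpart to this trick is to parse the subtitle file the way a player does and flag cue text that cannot be dialogue. The scanner below is an added example written for this article; it is not code from the original page, from Bitdefender, or from the campaign. It generalizes beyond the "lines 100 to 103" position of this sample: it splits the SRT into blank-line-separated blocks, checks each block has the index/timestamp shape, and then flags cue lines containing script keywords, base64-like runs of 64 or more characters, or long high-entropy text. The keyword list, the length and entropy thresholds, and the sample subtitle (including its one-line PowerShell fragment) are all constructed assumptions, not signatures from the real sample.

```python
"""Scan an SRT subtitle file for cue text that does not look like dialogue.

Added example for this article; it is not code from the original page,
from Bitdefender, or from the campaign. Thresholds and keyword lists are
assumptions chosen for illustration, not signatures for this sample.
"""
import base64
import math
import re
from collections import Counter

TIMESTAMP_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2},\d{3}\s*-->\s*\d{2}:\d{2}:\d{2},\d{3}")
# Assumed: tokens real subtitles essentially never contain but PowerShell
# loaders commonly do.
SCRIPT_TOKEN_RE = re.compile(
    r"(?:powershell|pwsh|Invoke-Expression|\bIEX\b|FromBase64String|"
    r"CreateDecryptor|AesCryptoServiceProvider|-EncodedCommand|\$env:)",
    re.IGNORECASE)
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MAX_CUE_LINE = 120       # assumed: a dialogue line is rarely this long
ENTROPY_THRESHOLD = 4.5  # assumed: bits/char; English ~4.1, base64 ~5.5


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_srt(text: str):
    """Split SRT text into blank-line-separated blocks.

    Returns a list of (first_line_number, lines) with 1-based line numbers
    so a finding can be reported by file line, the way the article
    describes the payload's position.
    """
    blocks, current, start = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            if current:
                blocks.append((start, current))
            current, start = [], None
            continue
        if start is None:
            start = lineno
        current.append(line)
    if current:
        blocks.append((start, current))
    return blocks


def scan_srt(text: str):
    """Return [(line_number, reason)] for every line that looks wrong."""
    findings = []
    for start, lines in parse_srt(text):
        # A well-formed cue is: index, timestamp line, one or more text lines.
        if (len(lines) < 2 or not lines[0].strip().lstrip("\ufeff").isdigit()
                or not TIMESTAMP_RE.match(lines[1].strip())):
            findings.append((start, "malformed cue block"))
            continue
        for offset, line in enumerate(lines[2:], start=2):
            lineno = start + offset
            if SCRIPT_TOKEN_RE.search(line):
                findings.append((lineno, "script keyword in cue text"))
            elif BASE64_RUN_RE.search(line):
                findings.append((lineno, "base64-like run in cue text"))
            elif len(line) > MAX_CUE_LINE and shannon_entropy(line) > ENTROPY_THRESHOLD:
                findings.append((lineno, "long high-entropy cue text"))
    return findings


# Constructed sample: three ordinary cues, then a cue whose text carries a
# base64 blob and a PowerShell one-liner (both made up for this example).
SAMPLE_BLOB = base64.b64encode(bytes(range(48))).decode()
SAMPLE_SRT = "\n".join([
    "1",
    "00:00:01,000 --> 00:00:03,000",
    "Where are they?",
    "",
    "2",
    "00:00:04,000 --> 00:00:06,000",
    "Not here. Keep moving.",
    "",
    "3",
    "00:00:07,000 --> 00:00:09,000",
    "Run.",
    "",
    "4",
    "00:00:10,000 --> 00:00:12,000",
    SAMPLE_BLOB,                                                               # file line 15
    "powershell -w hidden -c \"$t=[IO.File]::ReadAllText('Part2.subtitles.srt')\"",  # file line 16
    "",
    "5",
    "00:00:13,000 --> 00:00:15,000",
    "Go!",
])

if __name__ == "__main__":
    for lineno, reason in scan_srt(SAMPLE_SRT):
        print(f"line {lineno}: {reason}")
```

Run it over a directory of downloaded subtitles and triage only the flagged line numbers; a real campaign can change the keyword spelling, so the entropy and base64 checks are what catch the encrypted blocks the article describes, while the keyword check catches the loader stub that has to be readable by PowerShell.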

Multi-Stage Payload Extraction via PowerShell

The infection chain initiated by the malicious subtitle file is characterized by its multi-stage architecture, which is designed to evade detection and complicate forensic analysis. The process begins when the user executes a shortcut file (CD.lnk) included in the torrent package. This shortcut is disguised as a movie launcher but actually triggers a sequence of Windows commands that extract and execute the PowerShell script hidden in the subtitle file.

Once executed, the PowerShell script performs several actions:

  1. Extraction of AES-Encrypted Data Blocks: The script parses the subtitle file to extract multiple AES-encrypted data segments. These segments are then decrypted and assembled into five distinct PowerShell scripts.
  2. Script Deployment: The reconstructed scripts are dropped into the C:\Users\<USER>\AppData\Local\Microsoft\Diagnostics directory, a location often overlooked by users and security tools alike.
  3. Staged Execution: Each script in the chain is responsible for a specific task, such as extracting further payloads, establishing persistence, or disabling security features (BleepingComputer).

This modular approach allows the attackers to adapt the infection process dynamically, delivering additional payloads or modifying their tactics without altering the initial delivery mechanism.

Leveraging Image Files for Binary Data Concealment

A notable aspect of the attack is the use of seemingly benign image files (Photo.jpg and Cover.jpg) as vessels for additional malicious components. After the initial PowerShell scripts are deployed, one of the scripts decodes embedded binary data from Photo.jpg. This data is then written to the Windows Sound Diagnostics Cache directory, a location that is not typically monitored for suspicious activity.

The use of image files for payload delivery serves multiple purposes:

  • Evasion of Signature-Based Detection: Embedding malicious code within image files helps evade detection by antivirus programs that rely on file signatures or heuristics targeting executable files.
  • Blending with Legitimate Content: Since image files are expected in movie torrents (as cover art or promotional material), their presence does not arouse suspicion among users.
  • Facilitation of Multi-Stage Deployment: The binary data concealed within these images is only extracted and executed during later stages of the infection, further complicating detection and analysis (BleepingComputer).

This technique exemplifies the attackers’ commitment to stealth and persistence, ensuring that each component of the malware is only revealed when necessary.
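The article does not say how the binary data was packed into Photo.jpg and Cover.jpg, so the check below is deliberately generic. It is an added example written for this article, not code from the original page or from Bitdefender: it walks a JPEG's marker segments and entropy-coded scan data to find where the image actually ends, then reports any bytes appended after the EOI marker and any APPn or COM segment larger than an assumed threshold (16 KiB here), the two places a loader most commonly stashes a blob it will later read back. The minimal JPEG-shaped byte strings it inspects are constructed inline for the demo and are not decodable pictures.

```python
"""Walk a JPEG's marker structure and report data that is not part of the image.

Added example for this article; not code from the original page or from
Bitdefender. It does not decode pixels: it only follows the marker
segments and the entropy-coded scan data to find where the image really
ends, so bytes appended after EOI (or stuffed into oversized APPn/COM
segments) stand out. The size threshold is an assumption.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_jpeg(data: bytes):
    """Return (segments, image_end).

    segments is a list of (marker, offset, total_length); image_end is the
    offset just past the EOI marker. Raises ValueError on malformed input.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [(SOI, 0, 2)]
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if in_scan:
            # Inside entropy-coded data 0xFF is followed by 0x00 (stuffed)
            # or an RSTn marker; any other marker ends the scan.
            nxt = data.find(b"\xff", pos)
            if nxt < 0 or nxt + 1 >= len(data):
                raise ValueError("truncated scan data")
            m = data[nxt + 1]
            if m == 0x00 or 0xD0 <= m <= 0xD7:
                pos = nxt + 2
                continue
            pos, in_scan = nxt, False
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            segments.append((EOI, pos, 2))
            return segments, pos + 2
        if marker in STANDALONE:
            segments.append((marker, pos, 2))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, pos, length + 2))
        pos += 2 + length
        in_scan = marker == SOS
    raise ValueError("no EOI marker found")


def inspect_jpeg(data: bytes, max_app_segment: int = 16 * 1024):
    """Return (image_end, findings) describing bytes that are not image data."""
    segments, image_end = walk_jpeg(data)
    findings = []
    trailing = len(data) - image_end
    if trailing > 0:
        findings.append(f"{trailing} bytes appended after EOI at offset {image_end}")
    for marker, offset, length in segments:
        # APP0-APP15 (0xE0-0xEF) and COM (0xFE) may hold arbitrary bytes.
        if (0xE0 <= marker <= 0xEF or marker == 0xFE) and length > max_app_segment:
            findings.append(
                f"oversized segment 0x{marker:02X} at offset {offset} ({length} bytes)")
    return image_end, findings


def build_sample_jpeg(trailer: bytes = b"", app_payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG-shaped bytes for the demo (not a decodable picture):
    SOI, an APP0 JFIF header, optionally a COM segment, an SOS header, a few
    scan bytes including a stuffed 0xFF00 and an RST0 marker, then EOI."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_body) + 2) + app0_body
    com = b""
    if app_payload:
        com = b"\xff\xfe" + struct.pack(">H", len(app_payload) + 2) + app_payload
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return b"\xff\xd8" + app0 + com + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    print(inspect_jpeg(build_sample_jpeg()))
    print(inspect_jpeg(build_sample_jpeg(trailer=b"HIDDEN PAYLOAD BYTES")))
```

Bytes after EOI are the strong signal: viewers stop at EOI, so nothing legitimate needs to be there, and that is exactly why a loader can read the tail back without breaking the cover image. The segment-size check is only a tuning knob: EXIF thumbnails in APP1 and ICC profiles in APP2 legitimately approach the 64 KiB per-segment limit, so treat that finding as a prompt to look, not as a verdict. Note that this parser would not catch data hidden in the pixel values themselves (LSB steganography); for that you need the decoded image and a statistical test.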

Persistence Mechanisms and Evasion Tactics

To maintain long-term access to compromised systems, the malware employs several persistence mechanisms and evasion tactics. One of the initial PowerShell scripts creates a hidden scheduled task named RealtekDiagnostics, which is configured to execute a batch file (RealtekCodec.bat) at regular intervals. This scheduled task ensures that the malware remains active even after system reboots.

Additional evasion strategies include:

  • Directory Obfuscation: The malware stores its components in system directories associated with diagnostics or sound management, such as %LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache. These directories are rarely scrutinized by users or security personnel.
  • Security Feature Bypass: Before deploying the final payload, the scripts check for the presence of Windows Defender and other security solutions. If such tools are detected, the malware may attempt to disable or bypass them to avoid detection.
  • In-Memory Execution: The final payload, AgentTesla, is loaded directly into system memory, minimizing its footprint on disk and reducing the likelihood of detection by traditional file-based antivirus solutions (BleepingComputer).

These tactics collectively enhance the malware’s resilience and complicate remediation efforts.

Final Payload Delivery: AgentTesla RAT

The ultimate objective of the attack is to deploy the AgentTesla Remote Access Trojan (RAT), a well-known malware strain capable of stealing credentials, logging keystrokes, and exfiltrating sensitive data. The delivery of AgentTesla is orchestrated through a series of carefully coordinated steps:

  1. Preparation of the Environment: The malware ensures that the necessary directories exist and that security tools are either bypassed or disabled.
  2. Installation of Dependencies: If required, the malware installs the Go programming language, which may be used to compile or execute additional payloads.
  3. Payload Extraction and Execution: The contents of Cover.jpg are extracted into the cache directory, including batch files and PowerShell scripts responsible for loading AgentTesla into memory.
  4. Memory Injection: By executing AgentTesla directly in memory, the attackers avoid leaving behind artifacts that could be detected by forensic tools or antivirus scanners (BleepingComputer).

This sophisticated delivery mechanism underscores the attackers’ technical proficiency and their ability to leverage multiple layers of obfuscation and evasion.

Attack Chain Complexity and Novelty

The infection chain observed in the fake “One Battle After Another” torrent demonstrates a level of complexity and sophistication that sets it apart from typical malware campaigns. Key characteristics include:

  • Layered Obfuscation: Each stage of the attack is designed to conceal the true nature of the payloads, using encryption, steganography, and memory-only execution.
  • Unusual Use of Subtitles: While subtitle-based attacks have been documented before, the embedding of encrypted PowerShell scripts within SRT files, combined with multi-stage payload extraction, represents a novel approach.
  • Adaptive Deployment: The modular structure of the scripts allows attackers to update or replace components without altering the initial infection vector.

Bitdefender researchers noted that the torrent had “thousands of seeders and leechers,” indicating a potentially large number of victims and a significant impact (BleepingComputer). The attackers’ ability to exploit popular interest in a newly released film further amplifies the reach and effectiveness of the campaign.

Technical Indicators and Forensic Artifacts

For security professionals and incident responders, understanding the technical indicators and forensic artifacts associated with this attack is critical for detection and remediation. Notable indicators include:

  • Unusual Scheduled Tasks: The presence of a hidden scheduled task named RealtekDiagnostics should be considered suspicious, especially if it references batch files or PowerShell scripts in diagnostic directories.
  • Anomalous Files in System Directories: The creation of files and scripts in %LOCALAPPDATA%\Microsoft\Diagnostics and %LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache is atypical and warrants investigation.
  • Encrypted Data Blocks in Subtitles: Subtitle files containing large blocks of seemingly random or encrypted text may indicate malicious activity. In this sample the block sat between lines 100 and 103, but that position is trivial for an attacker to change, so hunt on content rather than on line numbers.
  • Unusual PowerShell Activity: The execution of PowerShell scripts that extract data from non-standard file types (e.g., images or subtitles) is a strong indicator of compromise.

By monitoring for these indicators, organizations can enhance their ability to detect and respond to similar attacks in the future.
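Turning the list above into something that runs over telemetry is mostly a matter of writing the indicators as rules. The matcher below is an added example written for this article; it is not code from the original page, from Bitdefender, or from any EDR product. It encodes only the artifacts the article names (the RealtekDiagnostics task, script files under the two diagnostics directories) plus the generic pattern of a PowerShell process reading a subtitle or image file, and runs them over a handful of constructed process and file-creation events in a simplified dict format; the event shape, the field names and the sample events are assumptions for the demo, not a real log format.

```python
"""Match process and file-creation events against indicators from the article.

Added example for this article; not code from the original page, from
Bitdefender, or from any EDR product. The event format (dicts with
'image'/'cmdline' or 'path') and the sample events are constructed for the
demo; the rules encode only the artifacts the article names plus the
generic pattern 'PowerShell reading a media file'.
"""
import re

# Script files in the drop directories the article names.
DROP_DIR_SCRIPT_RE = re.compile(
    r"(?:Microsoft\\Diagnostics|Microsoft\.WindowsSoundDiagnostics\\Cache)"
    r"\\[\w.-]+\.(?:ps1|bat|cmd)\b",
    re.IGNORECASE)
# Task creation via schtasks.exe or the PowerShell cmdlet, with the task name
# the article reports.
TASK_CREATE_RE = re.compile(
    r"(?:schtasks(?:\.exe)?\s.*?/create|Register-ScheduledTask)", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"\bRealtekDiagnostics\b", re.IGNORECASE)
# PowerShell touching a subtitle or image file; a media player doing the
# same is normal, so the rule is keyed on the process image.
POWERSHELL_IMAGE_RE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)
MEDIA_FILE_RE = re.compile(r"\.(?:srt|jpe?g|png)\b", re.IGNORECASE)


def process_rules(ev):
    """Rule names that a process-creation event matches."""
    hits = []
    cmd = ev.get("cmdline", "")
    if TASK_CREATE_RE.search(cmd) and TASK_NAME_RE.search(cmd):
        hits.append("scheduled_task_RealtekDiagnostics")
    if DROP_DIR_SCRIPT_RE.search(cmd):
        hits.append("script_in_diagnostics_dir")
    if POWERSHELL_IMAGE_RE.search(ev.get("image", "")) and MEDIA_FILE_RE.search(cmd):
        hits.append("powershell_reads_media_file")
    return hits


def file_rules(ev):
    """Rule names that a file-creation event matches."""
    return ["script_in_diagnostics_dir"] if DROP_DIR_SCRIPT_RE.search(ev.get("path", "")) else []


def scan_events(events):
    """Return [(event_index, [rule names])] for events matching at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = process_rules(ev) if ev["type"] == "process" else file_rules(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c schtasks /create /tn RealtekDiagnostics /tr "%LOCALAPPDATA%\Microsoft\Diagnostics\RealtekCodec.bat" /sc minute /mo 5'},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -c $t=[IO.File]::ReadAllText('D:\Movies\Part2.subtitles.srt')"},
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Local\Packages\Microsoft.WindowsSoundDiagnostics\Cache\stage3.ps1"},
    {"type": "process",  # benign: a media player loading the same subtitle file
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "cmdline": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" "D:\Movies\movie.mkv" --sub-file "D:\Movies\Part2.subtitles.srt"'},
    {"type": "file",     # benign: a non-script file in the diagnostics directory
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Diagnostics\report.txt"},
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], ", ".join(hits))
```

The two benign events are there on purpose: a player opening an .srt and a plain text file under Microsoft\Diagnostics are both normal, and a rule that fires on either will be tuned out within a day. The name-based rules (RealtekDiagnostics, RealtekCodec.bat) will stop matching the moment the actor renames them, so in a live deployment the durable signals are PowerShell reading media files and script files being written under diagnostics paths.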

Implications for Security Practices

The weaponization of subtitle files in the “One Battle After Another” campaign highlights several critical implications for cybersecurity practices:

  • Expanded Threat Surface: Media files, including subtitles and images, must be considered potential vectors for malware, not just traditional executables.
  • Need for Advanced Detection: Security solutions should incorporate behavioral analysis and heuristic scanning capable of identifying malicious activity within non-executable files.
  • User Awareness: End-users should be educated about the risks associated with downloading torrents and opening files from untrusted sources, even if they appear to be harmless media files.

This attack serves as a stark reminder that cybercriminals are continually evolving their tactics, exploiting overlooked file types and leveraging social engineering to maximize their impact.



Final Thoughts

The fake “One Battle After Another” torrent is more than just another malware story—it’s a masterclass in modern cybercriminal tactics. By weaponizing subtitle and image files, attackers sidestepped conventional security measures and reached thousands of unsuspecting victims. This campaign underscores the urgent need for advanced behavioral detection, user education, and a broader understanding of what constitutes a potential threat vector. As attackers continue to innovate, defenders must adapt, scrutinizing even the most innocuous files and staying alert to new forms of social engineering. For anyone downloading media from unofficial sources, this incident is a stark reminder: if it seems too good to be true, it might just be hiding a RAT (BleepingComputer).
