Malware in the Subtitles
A Bitdefender Labs investigation shows a fake movie torrent using a .LNK “launcher” and a subtitle file as a staged script container—decrypting payloads, establishing persistence via Task Scheduler, and ultimately running Agent Tesla in-memory.

Analyst note: This post is based on public reporting and technical details published by Bitdefender Labs. Where appropriate, I have paraphrased the tradecraft and focused on defender-relevant takeaways (telemetry, hunts, and hardening), rather than “how to reproduce” the technique.
Why this is worth your attention
We have all seen “malware in torrents” headlines. What makes this one blog-worthy is how the threat actor uses otherwise mundane file types—an LNK shortcut and a subtitle file—as the scaffolding for a surprisingly deep, layered execution chain.
Bitdefender Labs reported a spike in detections tied to a torrent pretending to be Leonardo DiCaprio’s One Battle After Another, but the “movie” is actually a bundle of staged scripts and disguised archives that ultimately reconstruct a memory-resident Agent Tesla payload. The campaign is notable for:
- Living-off-the-land execution (CMD, PowerShell, Task Scheduler)
- Multi-layer staging in a subtitle file (the .srt contains real subtitles and embedded script blocks)
- Encrypted/encoded payload material unpacked from disguised “media” files
- Persistence via Scheduled Task masquerading as audio/driver diagnostics
- In-memory payload execution (final stage not written as a traditional on-disk executable)
If your environment has users who download pirated content (or you are responsible for home endpoints), this is the kind of infection chain that can slip past “common sense” defenses because every step looks like a normal Windows action—until you correlate the sequence.
Executive summary
Initial access: User downloads a torrent bundle that appears to contain a movie.
Trigger: User clicks CD.lnk (a fake movie launcher).
Staging container: Part2.subtitles.srt (real subtitles plus hidden batch/PowerShell blocks at specific line ranges).
Decryption/unpacking: PowerShell decrypts and drops staged scripts, then unpacks disguised archives (.m2ts as a zip, Photo.jpg as encoded binary blobs, Cover.jpg as a passworded archive).
Persistence: Scheduled Task RealtekDiagnostics (“Audio Helper”) executes RealtekCodec.bat.
Loader chain: Scripts check Defender, attempt to install Go, compile a loader (RealtekAudioService).
Payload: Parts are concatenated/decoded from part1.txt, part2.txt, part3.txt and executed in memory (Agent Tesla).
Threat model and assumptions
This post assumes you are defending Windows endpoints with some blend of:
- EDR telemetry (process, command line, parent/child)
- Windows Event Logs / PowerShell logging
- Optional Sysmon
- Some central query capability (KQL, Splunk, Elastic, etc.)
If you only have “basic AV” and no process/command-line visibility, the defender’s advantage shifts to constraining execution (AppLocker/WDAC, Attack Surface Reduction rules, removing local admin, and user education).
Infection chain (visual)
Torrent download (fake "One Battle After Another")
├─ CD.lnk (fake launcher)
│  └─ cmd.exe extracts specific lines from Part2.subtitles.srt and executes them
│     └─ powershell.exe reads deeper line ranges from the same .srt and executes them
│        └─ decrypts AES blocks -> drops staged PS scripts into %LOCALAPPDATA%\Microsoft\Diagnostics
│           ├─ Script: unpack fake .m2ts archive
│           ├─ Script: create Scheduled Task (RealtekDiagnostics)
│           ├─ Script: decode Photo.jpg -> writes multiple files into WindowsSoundDiagnostics\Cache
│           ├─ Script: ensure Cache folder exists
│           └─ Script: unpack Cover.jpg archive -> drops loader parts + helper scripts
│              └─ Scheduled Task runs RealtekCodec.bat -> RealtekDriverInstall.ps1
│                 ├─ checks Defender
│                 ├─ installs Go toolchain (if needed)
│                 ├─ compiles RealtekAudioService (loader)
│                 └─ executes RealtekAudioSyncHelper.bat -> reads Part3.Resolution
│                    └─ concatenates part1/2/3 -> decode -> in-memory Agent Tesla
└─ Part2.subtitles.srt (real subtitles + embedded stagers)
Stage 1: The fake launcher (CD.lnk)
The user sees a shortcut named CD.lnk that looks like it will play the movie. When clicked, it runs a cmd.exe pipeline that reads Part2.subtitles.srt, enumerates lines, selects a specific line range, and executes the extracted content.
Screenshot placeholder
- [Screenshot: LNK file properties – target path and arguments]
Defender takeaways
- Treat .lnk as executable content.
- Detect .lnk launches that immediately spawn cmd.exe / powershell.exe.
- Flag pipelines that read a local text file and then execute extracted lines.
Stage 2: “Hidden code inside subtitles” (Part2.subtitles.srt)
The .srt file contains legitimate subtitle text, but specific line ranges include embedded batch and PowerShell stagers. Bitdefender notes an early stage extracts a few lines (e.g., ~100–103) and then a subsequent PowerShell stage skips thousands of lines and executes a larger block.
Screenshot placeholders
- [Screenshot: subtitle file showing normal subtitles with a malicious block in a specific line range]
- [Screenshot: process tree showing CD.lnk → cmd.exe → powershell.exe]
Defender takeaways
- Alerts should focus on behavior, not file extension: powershell.exe reading .srt, .txt, .jpg, or .m2ts files is not normal.
- Consider ASR rules that restrict or audit suspicious PowerShell behaviors (see “Hardening” section).
Stage 3: Decrypting embedded payload blocks (AES) and dropping scripts
Bitdefender reports that PowerShell parses encrypted data blocks from later line ranges of the same subtitle file, decrypts them (AES), and writes multiple PowerShell scripts to:
%LOCALAPPDATA%\Microsoft\Diagnostics
These scripts orchestrate the remaining stages.
Screenshot placeholders
- [Screenshot: dropped scripts in %LOCALAPPDATA%\Microsoft\Diagnostics]
- [Screenshot: PowerShell Script Block event showing AES decrypt routine]
Defender takeaways
- Any new .ps1 files appearing under Diagnostics folders should be suspicious.
- PowerShell logging (Script Block Logging) is extremely valuable here because the final stage runs in memory.
Stage 4: Disguised “media” as containers
4.1 Fake video file (One Battle After Another.m2ts) is an archive
One stage treats a .m2ts “video” as a compressed archive and extracts it using any available extractor: built-in Expand-Archive or common third-party archivers (WinRAR/7-Zip/Bandizip).
Screenshot placeholders
- [Screenshot: file type / header mismatch for .m2ts (archive signature)]
- [Screenshot: extraction commands / tool usage]
Defender takeaway: look for extraction utilities being invoked on files with “movie-like” names in user download directories.
4.2 Photo.jpg contains encoded binary blobs
A later stage reads Photo.jpg byte-by-byte and decodes embedded files into:
%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache
This is a clever choice: it resembles a plausible “Windows cache” location and will often be ignored by users.
Screenshot placeholders
- [Screenshot: decoded files written into WindowsSoundDiagnostics\Cache]
- [Screenshot: entropy/structure for Photo.jpg suggesting it is not a real photo]
4.3 Cover.jpg is a passworded archive
Bitdefender describes another disguised archive, Cover.jpg, extracted into the same cache folder. The “password protection” is performative (the password reported is trivial), but the net effect is to add friction for casual inspection.
Screenshot placeholder
- [Screenshot: archive tool extracting Cover.jpg into Cache folder]
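The check behind the "header mismatch" and "not a real photo" screenshots above, as an added triage helper (my own code, not from the Bitdefender report or the original post): it compares what a file's extension promises with what its leading bytes say. The magic-byte table, the M2TS sync-byte check and the byte samples are my assumptions and constructions.

```python
# Extension-vs-content triage for the disguised "media" files in this chain.
# Magic-byte table and M2TS sync-byte check are my own assumptions; samples are constructed.
import base64
import os
import string

MAGIC = [  # (signature, kind), checked at offset 0
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXPECTED = {".zip": "zip", ".rar": "rar", ".7z": "7z", ".jpg": "jpeg", ".jpeg": "jpeg", ".m2ts": "m2ts"}
ARCHIVES = {"zip", "rar", "7z"}
PRINTABLE = set(string.printable.encode())

def sniff(data: bytes) -> str:
    """Identify the real container type from its leading bytes."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    # M2TS: 4-byte timecode prefix, then 188-byte MPEG-TS packets that start with the 0x47 sync byte.
    if len(data) > 196 and data[4] == 0x47 and data[196] == 0x47:
        return "m2ts"
    if data and sum(b in PRINTABLE for b in data) / len(data) > 0.95:
        return "text"  # an "image" made of printable characters is an encoded blob, not a photo
    return "unknown"

def triage(name: str, data: bytes) -> dict:
    """Compare what the extension promises with what the bytes say; collect reasons."""
    expected = EXPECTED.get(os.path.splitext(name)[1].lower())
    actual = sniff(data)
    reasons = []
    if expected and actual != expected:
        reasons.append(f"extension claims {expected}, content looks like {actual}")
    if actual in ARCHIVES and expected not in ARCHIVES:
        reasons.append("archive hidden behind a non-archive extension")
    if expected == "jpeg" and actual == "text":
        reasons.append("image file is mostly printable text (encoded payload container?)")
    return {"file": name, "actual": actual, "suspicious": bool(reasons), "reasons": reasons}

# Constructed samples mirroring the chain's disguises (no real payload bytes).
SAMPLES = {
    "One Battle After Another.m2ts": b"PK\x03\x04" + bytes(60),          # zip behind a video name
    "Cover.jpg": b"Rar!\x1a\x07\x01\x00" + bytes(60),                    # rar behind an image name
    "Photo.jpg": base64.b64encode(b"constructed blob " * 8),            # text blob behind an image name
    "real.m2ts": bytes(4) + b"\x47" + bytes(191) + b"\x47" + bytes(10),  # sync bytes where M2TS puts them
    "real.jpg": b"\xff\xd8\xff\xe0" + bytes(40) + b"\xff\xd9",
}

def run_triage(samples=SAMPLES) -> dict:
    """Map each file name to whether it was flagged."""
    return {name: triage(name, data)["suspicious"] for name, data in samples.items()}
```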
Stage 5: Persistence via Task Scheduler (RealtekDiagnostics)
A dedicated script establishes persistence by creating a Scheduled Task named:
- Task name: RealtekDiagnostics
- Description: “Audio Helper”
- Action: cmd.exe /c start /min "" "<CachePath>\RealtekCodec.bat"
- Trigger: one minute after creation and/or on logon
- Run context: current user; task hidden
This blends in as a plausible audio/driver component.
Screenshot placeholders
- [Screenshot: Task Scheduler showing RealtekDiagnostics task details]
- [Screenshot: on-disk RealtekCodec.bat / RealtekDriverInstall.ps1 in Cache folder]
Defender takeaways
- Alert on Scheduled Task creation where:
  - Task name resembles vendor/driver tooling but points into user-writable paths
  - Task action spawns cmd.exe that runs a .bat from %LOCALAPPDATA%
- Monitor Schedule.Service COM usage via PowerShell where possible.
Stage 6: Loader chain and in-memory payload execution
When the Scheduled Task runs, RealtekCodec.bat executes RealtekDriverInstall.ps1, which Bitdefender reports performs actions such as:
- Checking whether Windows Defender is active
- Attempting to install the Go programming language
- Compiling a component (RealtekAudioService) that serves as a next-stage loader
- Reusing the existing Scheduled Task for persistence
Finally, another script reads Part3.Resolution and at a specific line number concatenates part1.txt, part2.txt, part3.txt, decodes the combined content, and executes the final payload in memory (Agent Tesla). Bitdefender notes it contains the routines to establish C2, but they did not attempt external connectivity and therefore did not identify the remote endpoint.
Screenshot placeholders
- [Screenshot: RealtekAudioService.go and compiled output]
- [Screenshot: RealtekAudioSyncHelper.bat reading Part3.Resolution]
- [Screenshot: memory-only payload execution evidence (EDR view / AMSI logs)]
Defender takeaways
- Watch for unexpected Go toolchain installation on endpoints.
- Monitor process ancestry: schtasks.exe / Task Scheduler → cmd.exe → powershell.exe
- Detect concatenation/decoding patterns from multiple .txt parts leading into powershell.exe.
MITRE ATT&CK mapping (practical)
This campaign maps cleanly into familiar ATT&CK categories:
- T1204 User Execution – user clicks the launcher (.lnk)
- T1059.003 Command and Scripting Interpreter: Windows Command Shell – cmd.exe pipeline
- T1059.001 PowerShell – staged PowerShell execution
- T1027 Obfuscated/Compressed Files and Information – encrypted/encoded blocks and disguised archives
- T1053.005 Scheduled Task/Job: Scheduled Task – persistence via Task Scheduler
- T1105 Ingress Tool Transfer / staged retrieval – embedded payload material unpacked locally
- T1055 Process Injection / In-memory execution (conceptually) – memory-resident payload (per Bitdefender)
Detection engineering: What to hunt for
Below are “defender-friendly” pivots that should hold up even if the lure file names change.
1) LNK-triggered command execution
Signal: .lnk execution spawning cmd.exe or powershell.exe with text-processing pipelines.
- Parent process: explorer.exe → child cmd.exe / powershell.exe
- Command-line indicators: type <file> | more | findstr /n; select -Skip / -First style extraction; “read lines from file then execute”
Screenshot placeholder
- [Screenshot: EDR telemetry showing the exact command line]
2) PowerShell reading non-script “media” extensions
Signal: powershell.exe opening .srt, .jpg, .m2ts and then writing executable/script content.
Pivots:
- File reads: *.subtitles.srt, Photo.jpg, Cover.jpg, *.m2ts
- Output directory: %LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache
- Dropped stage scripts: %LOCALAPPDATA%\Microsoft\Diagnostics\*.ps1
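Pivots 1 and 2 only pay off once you correlate the sequence, so here is the correlation written out as an added example (my own code, not from the report or the original post): it scores shell process events on media-file reads, line-extraction primitives and an explorer.exe-rooted shell-spawns-shell ancestry. The pid/ppid/image/cmdline schema is an assumed EDR-like shape and the events are constructed.

```python
# Correlate the explorer.exe -> cmd.exe -> powershell.exe chain from pivots 1 and 2 over
# process events. Event schema (pid/ppid/image/cmdline) is an assumed EDR-like shape and
# the events are constructed, not telemetry from the report.
import re

MEDIA_FILE = re.compile(r"\.(srt|m2ts|jpe?g)\b", re.I)
LINE_EXTRACT = re.compile(r"findstr\s+/n|\bmore\b|select\s+-skip|\s-first\b|\bgc\b|get-content", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def ancestry(events, pid):
    """Walk parent links from pid upward; returns lower-cased image names, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def score_event(events, ev):
    """Return (score, reasons) for one process event; each signal is worth one point."""
    reasons = []
    if ev["image"].lower() not in SHELLS:
        return 0, reasons
    if MEDIA_FILE.search(ev["cmdline"]):
        reasons.append("shell references a subtitle/media file")
    if LINE_EXTRACT.search(ev["cmdline"]):
        reasons.append("line-range extraction primitive on the command line")
    chain = ancestry(events, ev["pid"])
    if "explorer.exe" in chain:
        reasons.append("rooted at explorer.exe (double-click / shortcut launch)")
    if sum(img in SHELLS for img in chain) >= 2:
        reasons.append("shell-spawns-shell ancestry")
    return len(reasons), reasons

def find_chains(events, threshold=3):
    """PIDs (with reasons) that reach the threshold; ordinary shells score 0-2."""
    hits = []
    for ev in events:
        score, reasons = score_event(events, ev)
        if score >= threshold:
            hits.append((ev["pid"], reasons))
    return hits

EVENTS = [  # constructed sample telemetry
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",        "cmdline": 'cmd.exe /c type "Part2.subtitles.srt" | more | findstr /n "^"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -windowstyle hidden gc Part2.subtitles.srt | select -Skip 100"},
    {"pid": 400, "ppid": 100, "image": "cmd.exe",        "cmdline": "cmd.exe /c dir %USERPROFILE%\\Videos"},    # benign
    {"pid": 500, "ppid": 410, "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\ops\\backup.ps1"},  # benign admin job
]
```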
3) Scheduled Task masquerading as “audio diagnostics”
Signal: task name/description looks benign, but action points to user-writable location.
- Task name: RealtekDiagnostics
- Description: “Audio Helper”
- Action: cmd.exe launching a .bat from the Cache directory
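The same signal applied to the task definition itself, as an added example (my own code, not from the report or the original post): it parses Task Scheduler XML (the format RegisterTaskDefinition registers and schtasks /query /xml returns) and flags actions that point into user-writable paths, interpreter-plus-script actions, hidden tasks and vendor-style names. The sample XML is constructed, and the vendor-word list and path patterns are my assumptions.

```python
# Triage a Task Scheduler definition (the XML that RegisterTaskDefinition / "schtasks /query /xml"
# produces). Sample XML is constructed; the vendor-word list and the user-writable path
# patterns are my own assumptions, not taken from the report.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"%(LOCALAPPDATA|APPDATA|TEMP|TMP|USERPROFILE)%|\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
SCRIPT_FILE = re.compile(r"\.(bat|cmd|ps1|vbs|js)\b", re.I)
INTERPRETER = re.compile(r"(^|\\)(cmd|powershell|pwsh|wscript|cscript)(\.exe)?$", re.I)
VENDOR_WORDS = re.compile(r"realtek|intel|nvidia|adobe|google|microsoft", re.I)

def triage_task(name: str, xml_text: str) -> dict:
    """Collect reasons a registered task looks like masquerading persistence."""
    root = ET.fromstring(xml_text)
    desc = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    reasons = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("action points into a user-writable path")
            if VENDOR_WORDS.search(name + " " + desc):
                reasons.append("vendor/driver-style name for a task that runs outside Program Files")
        if INTERPRETER.search(cmd) and SCRIPT_FILE.search(args):
            reasons.append("shell interpreter launching a script file")
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden")
    return {"task": name, "suspicious": len(reasons) >= 2, "reasons": reasons}

# Constructed task XML shaped like the RealtekDiagnostics task described above.
MASQUERADE_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Audio Helper</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>cmd.exe</Command>
    <Arguments>/c start /min "" "%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache\RealtekCodec.bat"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign comparison: vendor-style wording, but installed under Program Files and not hidden.
BENIGN_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Audio service updater</Description></RegistrationInfo>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Program Files\ExampleVendor\AudioSvc.exe</Command><Arguments>/update</Arguments></Exec></Actions>
</Task>"""
```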
4) Unexpected Go compilation on endpoints
If Go is not part of your approved developer toolchain, installation activity is a strong anomaly.
Example hunts (copy/paste friendly)
Microsoft Defender for Endpoint (KQL) – process ancestry
DeviceProcessEvents
| where FileName in~ ("cmd.exe","powershell.exe")
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine has_any ("findstr /n", "select -Skip", "WindowsSoundDiagnostics", "RealtekDiagnostics")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
MDE / KQL – suspicious Scheduled Task creation pivot
DeviceProcessEvents
| where ProcessCommandLine has_any ("RegisterTaskDefinition", "schtasks", "Schedule.Service", "RealtekDiagnostics")
or InitiatingProcessCommandLine has_any ("RegisterTaskDefinition", "RealtekDiagnostics")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
Elastic/Splunk-style idea – PowerShell reading “subtitle” files
- Data source: PowerShell Script Block logs / EDR events
- Match: *.subtitles.srt read with gc/Get-Content, followed by select -Skip and -First, then a subsequent powershell -f - (script body supplied on stdin)
YARA: practical “tripwire” for the staging artifacts
This YARA rule is intentionally conservative: it targets the combination of this chain’s distinctive strings (subtitle staging + “WindowsSoundDiagnostics\Cache” + “RealtekDiagnostics” naming), rather than generic PowerShell flags.
Use as an endpoint triage aid against suspicious download folders, not as a universal “Agent Tesla detector.”
rule X1DLabs_MalwareInSubtitles_AgentTesla_Stager
{
    meta:
        author = "Sab0x1D"
        description = "Detects strings consistent with the Bitdefender-reported 'malware in subtitles' staging chain"
        reference = "Bitdefender Labs: Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain"
        date = "2025-12-12"
        tlp = "CLEAR"
    strings:
        $srt1 = "Part2.subtitles.srt" ascii nocase
        $srt2 = "findstr /n \"^\"" ascii nocase   // embedded double quotes must be escaped in YARA text strings
        $srt3 = "select -Skip" ascii nocase
        $ps1 = "powershell -windowstyle hidden" ascii nocase
        $cache = "\\Packages\\Microsoft.WindowsSoundDiagnostics\\Cache" ascii nocase
        $task1 = "RealtekDiagnostics" ascii nocase
        $task2 = "Audio Helper" ascii nocase
        $file1 = "RealtekCodec.bat" ascii nocase
        $file2 = "RealtekDriverInstall.ps1" ascii nocase
        $file3 = "RealtekAudioService.go" ascii nocase
        $file4 = "Part3.Resolution" ascii nocase
    condition:
        // Require strong staging signals + at least one persistence/loader signal
        // (every declared string is referenced here; YARA rejects unreferenced strings at compile time)
        (2 of ($srt*)) and (1 of ($cache, $task1, $task2, $file1, $file2, $file3, $file4)) and (1 of ($ps1, $srt2, $srt3))
}
Hardening guidance (what actually moves risk)
1) PowerShell and script controls
- Enable PowerShell Script Block Logging and Module Logging (where feasible)
- Centralize logs (SIEM) and baseline for “normal” admin activity
- Use ASR rules (audit first, then block) for risky behaviors:
- blocking Office/Win32 child-process patterns (where applicable)
- blocking credential theft / suspicious script behaviors
2) Constrain execution from user-writable paths
- AppLocker or WDAC policies that restrict .ps1, .bat, .vbs, .js execution from %USERPROFILE%\Downloads and %LOCALAPPDATA%
- Consider blocking or auditing .lnk execution from downloads (org-dependent)
3) Reduce “click-to-compromise”
- Standard user accounts (avoid local admin)
- SmartScreen and reputation controls
- User education: “Shortcuts are programs.”
4) Task Scheduler hygiene
- Alert on Scheduled Tasks created by non-admin users
- Alert when tasks point into %LOCALAPPDATA%\Packages\...\Cache
Incident response checklist (if you suspect exposure)
- Containment
- Isolate the endpoint from the network
- Preserve volatile evidence (EDR live response, memory capture if permitted)
- Triage
- Search for: CD.lnk, Part2.subtitles.srt, %LOCALAPPDATA%\Microsoft\Diagnostics, %LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache
- Scheduled Task RealtekDiagnostics
- Pull process ancestry and command lines around first execution time
- Eradication
- Remove scheduled task + staged scripts/artifacts
- Reset credentials used on the host (Agent Tesla is commonly credential-focused)
- Review browser session tokens and saved passwords exposure risk
- Recovery
- Reimage if confidence is low (recommended when in-memory payloads are involved)
- Post-incident hunts for similar behavior across fleet
Closing thoughts
The “malware in the subtitles” angle is catchy, but the more important lesson is operational: attackers are increasingly using boring file types as staging containers, and relying on the fact that defenders (and users) still treat extensions as a proxy for safety.
If you can only implement one improvement after reading this, make it this: tighten PowerShell visibility and control, and alert on Scheduled Tasks that execute from user-writable cache paths. Those two levers would have materially constrained this chain.
References
- Bitdefender Labs — Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain (Dec 10, 2025): https://www.bitdefender.com/en-au/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell
- SecurityBrief Australia — Fake Leonardo DiCaprio torrent spreads Agent Tesla trojan (Dec 11, 2025): https://securitybrief.com.au/story/fake-leonardo-dicaprio-torrent-spreads-agent-tesla-trojan