Fake ‘One Battle After Another’ torrent hides malware in subtitles (www.bleepingcomputer.com)

submitted 2 weeks ago by cm0002@suppo.fi to c/cybersecurity@infosec.pub

12 comments fedilink hide all child comments

top 12 comments

sorted by: hot top controversial new old

[-] someguy3@lemmy.world 32 points 2 weeks ago

When the CD shortcut is executed, it launches Windows commands that extract and run a malicious PowerShell script embedded in the subtitle file between lines 100 and 103.

This PowerShell script will then extract numerous AES-encrypted data blocks from the subtitles file again to reconstruct five PowerShell scripts that are dropped to 'C:\Users<USER>\AppData\Local\Microsoft\Diagnostics.'

The extracted PowerShell scripts act as a malware dropper, performing the following actions on the host:

...

[-] RunJun@lemmy.dbzer0.com 13 points 2 weeks ago

Very interesting. Since I left windows, this isn’t an issue for me but I will be more aware that this can happen now.

[-] FlexibleToast@lemmy.world 8 points 2 weeks ago

Kind of makes me want to install Clam AV just to watch for viruses I wouldn't otherwise know about because I'm using Linux everywhere.

[-] frongt@lemmy.zip 4 points 2 weeks ago

I did that for a while. It didn't find any. I think because there weren't any to find.

[-] Decq@lemmy.world 4 points 2 weeks ago

There isn't really anything new to learn here. It's still the same old, don't run an executable to watch a movie. That the code is partly hidden in the srt/jpg is just a minor implementation detail.

[-] asbestos@lemmy.world 12 points 2 weeks ago

Very interesting approach

[-] altkey@lemmy.dbzer0.com 5 points 2 weeks ago

She said what now?

surprised penguin

[-] REDACTED@infosec.pub 3 points 2 weeks ago

We get it, you ~~vape~~ use arch

[-] chicken@lemmy.dbzer0.com 3 points 2 weeks ago

So wait, literally all it took was putting command line commands on their own line in a subtitles file? Am I interpreting this right

[-] ticoombs@reddthat.com 6 points 2 weeks ago

No/yes. in a text file, there are commands to run, and then made a script to run those commands. They then make the script look like a "double click this to get it to work". Nothing new

[-] chicken@lemmy.dbzer0.com 14 points 2 weeks ago

oh, so it wasn't a video player having an absurd exploit then

[-] Mongostein@lemmy.ca 0 points 2 weeks ago

Why would you try to open a movie with .m2ts ??

this post was submitted on 14 Dec 2025

66 points (98.5% liked)

cybersecurity

5026 readers

49 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 2 years ago

MODERATORS

shellsharks@infosec.pub

tweedge@infosec.pub