Alireza Gharib

@gh4rib
1 Followers
12 Following
43 Posts
Just a Techi Talkie Boy;)
https://alirezagharib.net

5/5 Monitor for powershell.exe with a command line containing select -Skip targeting .srt files. That’s a 100% indicator of this campaign.

#CyberSecurity #AgentTesla #BlueTeam #Malware #Torrent #SOC #Infosec2025
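The detection rule stated above (powershell.exe whose command line uses select -Skip against a .srt file) as an added example, not code from the original thread or its author. It runs the rule over a handful of constructed process-creation records in a generic JSON shape (the EventID/Image/CommandLine field names are an assumption, not any product's schema), and goes slightly beyond the thread: it also matches the Select-Object long form and pwsh.exe, and flags command lines that reference the cache directory named in post 2/5 as a secondary indicator.

```python
import json
import ntpath
import re
from typing import Iterable, List, Optional, Tuple

# Indicator 1 (from the thread): a PowerShell select/Select-Object with -Skip
# in a command line that also references a .srt file.
SKIP_RE = re.compile(r"\bselect(?:-object)?\b[^|]*\s-skip\b", re.IGNORECASE)
SRT_RE = re.compile(r"\.srt\b", re.IGNORECASE)
# Indicator 2 (from the thread): the staging directory under %LOCALAPPDATA%.
CACHE_RE = re.compile(r"Packages\\Microsoft\.WindowsSoundDiagnostics\\Cache", re.IGNORECASE)
# pwsh.exe is an assumption added here; the thread names powershell.exe only.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (not real telemetry). Command lines are skeletons
# that exercise the rule and carry no payload.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": r'powershell.exe -w hidden -c "gc .\Movie.2025.en.srt | select -Skip 2500 -First 30"'},
    {"EventID": 2, "Image": PS,                       # -Skip without a .srt: benign
     "CommandLine": r"powershell.exe Get-Content .\app.log | select -Skip 10"},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",  # not PowerShell
     "CommandLine": r"notepad.exe Movie.2025.en.srt"},
    {"EventID": 4, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -c Select-Object -Skip 2500 -First 30 -InputObject (Get-Content 'C:\Users\u\Downloads\film.SRT')"},
    {"EventID": 5, "Image": PS,                       # .srt without -Skip: benign
     "CommandLine": r"powershell.exe Get-Content .\subtitles.srt"},
    {"EventID": 6, "Image": PS,
     "CommandLine": r'powershell.exe Set-Content "$env:LOCALAPPDATA\Packages\Microsoft.WindowsSoundDiagnostics\Cache\a.bin"'},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def is_powershell(image: str) -> bool:
    """True when the process image is a PowerShell host (by basename)."""
    return ntpath.basename(image).lower() in POWERSHELL_IMAGES


def classify(event: dict) -> Optional[str]:
    """Return an indicator label for one event, or None when nothing matches."""
    if not is_powershell(event.get("Image", "")):
        return None
    cmd = event.get("CommandLine", "")
    if SKIP_RE.search(cmd) and SRT_RE.search(cmd):
        return "srt-select-skip"
    if CACHE_RE.search(cmd):
        return "sounddiagnostics-cache-path"
    return None


def detect(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Run the rule over process-creation events; return (EventID, label) hits."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev["EventID"], label))
    return findings


def scan_jsonl(text: str) -> List[Tuple[int, str]]:
    """Parse newline-delimited JSON events and detect over them."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return detect(events)


if __name__ == "__main__":
    for event_id, label in scan_jsonl(SAMPLE_JSONL):
        print(f"event {event_id}: {label}")
```

Both conditions (the -Skip selector and the .srt reference) are required for the primary indicator, so ordinary `select -Skip` usage on log files does not fire; the cache-path match is kept as a separate, lower-confidence label so it can be tuned independently.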

4/5 The effect

We’re seeing possibly thousands of active infections. This "old" Trojan is stealing:

VPN/Email logins
Browser session tokens
Live screenshots

3/5 Persistence & Stealth

It creates a scheduled task for a fake "Realtek" diagnostic tool. Before it runs, it checks for Windows Defender. If it's clear, Agent Tesla is loaded straight into memory. No file on disk = no easy footprint for AV.

2/5 It is deep!

It extracts encrypted blocks from the video file and images, moving them to:

%LOCALAPPDATA%\Packages\Microsoft.WindowsSoundDiagnostics\Cache

By splitting the payload, it bypasses traditional static file scanners.

1/5 The "Subtitle" Trap
The attack starts with a shortcut launcher. It triggers a PowerShell command buried in a .srt file using math to evade detection.
$s=500*5 skips the subtitles.
$e=15*2 grabs the payload.
It literally "hides" the malware in the text you'd read on screen.

Your movie subtitle from a torrent could be a password stealer!

A massive Agent Tesla campaign hiding in plain sight within a viral Leo DiCaprio film subtitle torrent. 🧵👇

Qubes OS 4.3.0 has been released!

We’re pleased to announce the stable release of Qubes OS 4.3.0! This minor release includes a host of new features, improvements, and bug fixes. The ISO and associated verification files are available on the downloads page. What’s new in Qubes 4.3? Dom0 upgraded to Fedora 41 (#9402). Xe...

Qubes OS
5/5 Upgraded Templates: Fresh support for Whonix 18, Debian 13, and Fedora 42 means our isolated environments are running the latest security patches and toolsets.
For handling high-risk workloads, sensitive infrastructure access, or malware analysis, Qubes OS remains the gold standard for endpoint security.
4/5 New Device API: The "self-identity oriented" device assignment makes managing untrusted hardware (USB, PCI) more intuitive and granular. In an era of BadUSB and firmware attacks, this is a non-negotiable feature.
3/5 GUI Domain Evolution: The continued progress on the GUIVM (GUI/Admin domain splitting) is a massive win. By moving the graphical stack out of Dom0, the Trusted Computing Base (TCB) is further reduced, minimizing the impact of potential GPU or display driver exploits.