
Your obsession with the Academy Awards might drain your bank account. Cybernews researchers found that illegally downloading this year's Oscar winners may result in installing dangerous wallet-draining malware.
If you’re currently scouring the dark corners of the web to catch Paul Thomas Anderson’s One Battle After Another, which swept this year's Oscars, you might end up with your crypto wallets drained.
A new investigation by the Cybernews research team has identified a malware campaign dubbed Efimer, which is relentlessly targeting movie fans during the biggest industry event of the year, the 97th Academy Awards.
The premise is a classic honeypot. When movie buffs try to pirate the year’s “Best Picture” nominees, such as Marty Supreme, Bugonia, or Frankenstein, instead of a high-definition rip, they are downloading a script that will attempt to empty their digital wallets.
Google is a trap: attackers are exploiting SEO
The most staggering discovery isn't that digital piracy is dangerous. We’ve known it since the Napster era – programs that download stuff might also download trojans.
However, while obscure piracy software might seem the main source of all the vice, apparently, more mainstream choices are more lethal.
Researchers scraped the Distributed Hash Table (DHT), a decentralized record of peers and torrent metadata, and also checked popular torrent sites for Oscar-nominated movies. All of them were surprisingly clean. There was no malware packed into the torrent files.
But the key danger came from Google search. The team found that users are most likely to install malware when searching for downloads of popular, trendy movies on Google. When researchers entered queries like "[Movie Title] [release date] torrent download," 12.11% of Google results were malicious.
The Efimer actors have weaponized SEO by hijacking vulnerable WordPress sites to spread malware. Legitimate business sites have been compromised through brute-force attacks to host fake torrent landing pages.
Efimer has been casting a wide net since 2024. While the campaign is not exclusively targeting Oscar-nominated films, our researchers confirmed that the Efimer malware campaign has co-opted every single film on this year’s Best Picture nominees list.
The most “dangerous” Oscars 2026 winners and nominees
The analysis showed which movie titles were most frequently linked to malicious results. Marty Supreme had the highest number with 16 malicious links, followed by Bugonia with 15. Sinners, which won four Oscars this year for Best Actor, Best Original Screenplay, Best Original Score, and Best Cinematography, was linked with 12 malicious Google search results.
Other titles included The Secret Agent (11), Train Dreams (10), and Sentimental Value (9). Even Best Picture winner One Battle After Another, which took home six Oscars, had five malicious results.
Among the Oscar-winning movies, Best Sound winner F1: The Movie had five malicious results, and Best Actress winner Hamnet had four. The Best Production Design winner, Frankenstein, was linked to three malicious links.
How do hackers compromise you via Best Picture nominees?
Imagine that you’re searching for an Oscar-nominated film to download. You come across a WordPress site with a download link and click it. What happens next? Our researchers outline the entire infection process as follows:
- You download a torrent file titled movie_33463_data.torrent
- Inside is a password-protected ZIP, used to hide the contents from antivirus software, and a helpful little script named “1. Disable Defender.bat”
- Then comes the lie about the codec: “You need this special player to watch the movie.” To back up the deception, there is a fake "video file" and an installer for software called Xmpeg. While Xmpeg is a legitimate open-source tool for converting and encoding video files, this particular version contains malware
- Once you install Xmpeg, you install the Efimer malware
Inside your machine, Efimer malware monitors the clipboard. When it detects you’re about to send a crypto transaction, it silently replaces the recipient’s address with the attacker’s. It also harvests seed phrases.
Our researchers noted that the malware campaign only targets Windows users.
The “red flag” checklist: how to spot the Efimer malware
The safest way to avoid downloading malware while trying to watch a movie is to always use legitimate streaming platforms or authorized distributors. However, no one is immune to accidentally clicking a malicious link.
If you encounter any of these while searching for a stream or download, close the tab immediately.
1. The "weird text" trick
Look closely at the website’s text. Does it use some weird fonts? That might be an indicator that something suspicious is going on.
If you see "𝚃orrent 𝙳ownload" written in weird, stylized Mathematical Alphanumeric Symbols, run. The researchers noted this "character substitution" is a trick that threat actors use to bypass Google’s automated malware scanners and word blacklists.
Safe: Torrent Download
MALICIOUS: 𝚃orrent 𝙳ownload (or 𝘛𝘰𝘳𝘳𝘦𝘯𝘵 𝘋𝘰𝘸𝘯𝘭𝘰𝘢𝘥)
2. The WordPress mismatch
Check the URL. If you are looking for the Marty Supreme movie and the website has a URL sounding like lucys-flower-shop.com/blog/marty-supreme-free-torrent, it’s a trap.
3. The "disable defender" script
If a download contains a file named “Disable Defender.bat” or anything similar asking you to turn off your antivirus, this is an immediate red flag. There is zero reason a movie file needs your security disabled.
4. The "XMPEG" or "Codec" installer
If the torrent includes an .exe or an installer like xmpeg_setup.exe claiming you need it to "play the video file" – run. Modern players like VLC or MPC-HC can play almost anything. If a "video" needs an installer, it’s not a video, but malware for sure.
5. Password-protected archives
Does the movie come in a .zip or .rar that requires a password found in a .txt file? It is another red flag to look out for. Threat actors use this technique specifically to prevent your PC’s antivirus software from "seeing" the malware inside the folder until you extract it.
Why are people still falling for the “free movies” scam?
"The detected campaign is easily identified as malicious by anyone who is computer literate. This is an old tactic used for over 10 years," our researchers noted. So the question remains, why is it working in 2026?
The answer lies in the spreading popularity of cryptocurrencies. Over the last five years, a wave of "pump and dump" schemes and aggressive exchange marketing has brought millions of non-technical users into the crypto space. They have the money, they have the wallets, but they might not always have the skills to identify the risks.
The Efimer campaign is a cold reminder. In the digital age, "free" usually carries the highest price tag. If a random WordPress site is offering you a 4K copy of Hamnet that requires you to disable your firewall, it might sound too weird to be true. And it most definitely is.
How to spot Efimer Malware
However, we want to reiterate that using torrent trackers always carries some risks, including downloading unauthorized copies of movies or software and exposure to malware or other security threats.
To avoid infecting your devices, always use legitimate vendors, streaming platforms, and authorized distributors. The information we provide here is for user education, with the intent to help prevent your data or wealth from ending up in scammer hands.
What to do if you have been infected by Efimer malware?
If you clicked "Download" on that Oscar movie rip, the situation is straightforward. Simply put, if you have executed the file, your machine is compromised. Here is what you can do to get back to safety:
- Run a full-system antivirus scan to detect and delete installed malware
- Reinstall a fresh copy of Windows if needed
- To protect your assets, do not access your crypto wallets from the infected machine. On a separate device, generate a new wallet and sweep your remaining funds into it immediately. Consider the old wallet to be burned.
Meanwhile, if you’re a WordPress admin, your site might be exploited by this campaign. Check your backend immediately for unauthorized posts, weird comments, or "ghost" pages you didn't create. If you find them:
- Delete every unauthorized post or plugin
- Patch WordPress and every single plugin to the latest version
- Reset your administrator and database passwords immediately
How did we track Efimer?
To track Efimer, Cybernews researchers analyzed publicly available search results for this year's top films using automated tools.
They then filtered the noise by stripping out social media, known torrent hubs, and "dead" compromised sites that no longer hosted active payloads. What remained was a verified list of malicious mirrors serving live malware.
Because Google’s algorithm is a black box that serves different results to different users, this map is likely just the tip of the iceberg.
“We cannot be certain that Google hasn’t indexed malicious torrent download pages that weren't observed in this research,” our researchers said.
The team has not manually reverse-engineered the detected malware. Instead, they cross-referenced the samples against existing antivirus metadata and known threat intelligence.
The digital fingerprints matched – this is the same Efimer campaign that has been haunting the web since 2024.
Research timeline
February 10th, 2026: Start of the investigation, exploring different ways to identify malicious torrents
February 12th, 2026: Identified Google searches as the most likely vector for downloading malicious torrent files hosted on compromised WordPress sites; malware analysis and identification
February 17th, 2026: Gathering the Google Search results with queries for each of the Oscars' Best Picture nominees
March 2nd, 2026: Filtering Google Search results to build a dataset of only results containing links to compromised sites hosting malicious downloads
Indicators of compromise
| File name | SHA-256 Checksum |
|---|---|
| movie_33463_data.torrent | 3cc283d3d50fc84bea4f3899dcc813a13e26829cfd7f11a0460048ca125ccc7b |
| Install Codec.zip | a849d344310ecccf6cdb7c027d0f15ee63f63c9cd0bfeac3b3efd34f32d8251d |
| xmpeg_v4085_x1.exe | e1924a6288e3fe2492c51d64aea9ee8e60f6e5f2ddcdca60a5bfb159cf4d6d44 |

| Link | Description |
|---|---|
| http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion | Malware Command and Control server |
Unique text formatting on compromised WordPress sites
| Plain text | Rendered text | Raw text |
|---|---|---|
| Torrent Download | 𝚃orrent 𝙳ownload | To\ud835\ude9brent Dow\ud835\ude97l\ud835\ude98ad |
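
For the "weird text" red flag and the WordPress admin check for unauthorized posts described above, one way to find such titles automatically is to compare each title before and after Unicode NFKC folding and flag watched words that only appear after folding. This is an added example, not Cybernews tooling; the keyword list, the JSON export shape, the sample posts and all function names are assumptions made for illustration.

```python
import json
import unicodedata

# Mathematical Alphanumeric Symbols block, U+1D400..U+1D7FF.
MATH_ALNUM = range(0x1D400, 0x1D800)
# Assumed watch list for this example; extend it for your own site.
KEYWORDS = ("torrent", "download")

# Constructed sample: post titles as a JSON export might store them.
# Post 102 reuses the raw escaped string from the table above.
SAMPLE_JSON = r'''[
  {"id": 101, "title": "Spring bouquet care tips"},
  {"id": 102, "title": "Marty Supreme To\ud835\ude9brent Dow\ud835\ude97l\ud835\ude98ad"},
  {"id": 103, "title": "Torrent Download policy for our open data"},
  {"id": 104, "title": "Solving \ud835\udc65 + 2 = 5"}
]'''

def stylized_count(text):
    """Count characters from the Mathematical Alphanumeric Symbols block."""
    return sum(1 for ch in text if ord(ch) in MATH_ALNUM)

def find_disguised_keywords(text, keywords=KEYWORDS):
    """Keywords visible only after NFKC folding, i.e. hidden by stylized letters."""
    raw = text.casefold()
    folded = unicodedata.normalize("NFKC", text).casefold()
    return [k for k in keywords if k in folded and k not in raw]

def scan_posts(json_text):
    """Return posts whose title hides a watched keyword behind stylized letters."""
    hits = []
    for post in json.loads(json_text):  # json decodes the \ud835\udXXX pairs
        found = find_disguised_keywords(post["title"])
        if found:
            hits.append({"id": post["id"], "keywords": found,
                         "stylized": stylized_count(post["title"])})
    return hits

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_JSON):
        print(hit)
```

Requiring a watched keyword, rather than flagging any stylized character, keeps legitimate mathematical notation (post 104) and plain-text mentions (post 103) out of the results.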