ADVERTISEMENT

Oscars 2026: attackers exploit Best Picture hype for One Battle After Another to spread malware via Google

Your obsession with the Academy Awards might drain your bank account. Cybernews researchers found that illegally downloading this years' Best Picture nominees may result in installing dangerous wallet-draining malware.

one battle after another accept best picture

Best Picture award for "One Battle After Another". Kevin Winter/Getty Images

Paulina Okunytė
Paulina Okunytė Senior Journalist
Mar 12, 2026 Updated: 18 March 2026 7 min read
One after another movie
Google Search results when searching for pirated copies of “One Battle After Another” (malicious keyword filter is used to filter out news posts referring to a different campaign targeting torrents for this movie), containing mostly malicious links to compromised websites.

Google is a trap: attackers are exploiting SEO

Total number of gathered Google Search results
Total number of gathered Google Search results with specific queries for all Best Picture Oscar’s Nominee films
oscars google

The most “dangerous” Oscars 2026 winners and nominees

the most dangerous best picture nominees
The most dangerous Best Picture nominees

How do hackers compromise you via Best Picture nominees?

  1. You download a torrent file titled movie_33463_data.torrent
  2. Inside is a password-protected ZIP to hide from antivirus software and a helpful little script named 1. Disable Defender.bat
  3. Then comes the lie about the codec: “You need this special player to watch the movie.” To back up the deception, there is a fake "video file" and an installer for software called Xmpeg. While Xmpeg is a legitimate open-source tool for converting and encoding video files, this particular version contains malware
  4. Once you install Xmpeg, you install the Efimer malware
Compromised WP site
Malicious torrent download page on a compromised WordPress site

The “red flag” checklist: how to spot the Efimer malware

efimer malware
Any.run file analysis flagging the file as Efimer

1. The "weird text" trick

Malicious link
Malicious torrent download page captcha challenge

2. The WordPress mismatch

3. The "disable defender" script

malicious torrent metadata
Malicious torrent file metadata
ADVERTISEMENT

4. The "XMPEG" or "Codec" installer

Install codec
“2. Install Codec.zip” archive contents, including the password to decrypt the archive - “2025”

5. Password-protected archives

virustotal
VirusTotal detections for the extracted “xmpeg_v4085_x1.exe” file
virustotal 2
VirusTotal Community comments for the xmpeg installer file referencing Efimer

Why are people still falling for the “free movies” scam?

How to spot Efimer Malware

how to spot efimer malware
How to spot Efimer malware

What to do if you have been infected by Efimer malware?

  • Run a full-system antivirus scan to detect and delete installed malware
  • Reinstall a fresh copy of Windows if needed
  • To protect your assets, do not access your crypto wallets from the infected machine. On a separate device, generate a new wallet and sweep your remaining funds into it immediately. Consider the old wallet to be burned.
  • Delete every unauthorized post or plugin
  • Patch WordPress and every single plugin to the latest version
  • Reset your administrator and database passwords immediately

How did we track Efimer?

Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Add us as your Preferred Source on Google.

Research timeline

Indicators of compromise

File nameSHA-256 Checksum
movie_33463_data.torrent3cc283d3d50fc84bea4f3899dcc813a13e26829cfd7f11a0460048ca125ccc7b
Install Codec.zipa849d344310ecccf6cdb7c027d0f15ee63f63c9cd0bfeac3b3efd34f32d8251d
xmpeg_v4085_x1.exee1924a6288e3fe2492c51d64aea9ee8e60f6e5f2ddcdca60a5bfb159cf4d6d44
LinkDescription
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisa d[.]onionMalware Command and Control server

Unique text formatting on compromised WordPress sites

Plain textRendered textRaw text
Torrent Download𝚃orrent 𝙳ownloadTo\ud835\ude9brent Dow\ud835\ude97l\ud835\ude98ad

ADVERTISEMENT