Microsoft warns of malware-laced ‘John Wick 3,’ ‘Contagion’ movie torrents

The malicious movie files in question don't appear to be on esecially popular sites like the Pirate Bay, one researcher said.
John Wick 3 torrent
A still from "John Wick 3" shows Keanu Reeves as the international assassin riding a horse through New York City (Lionsgate).

Internet scammers are conducting the kind of business that would probably get them in trouble with the inhabitants of the Continental Hotel.

Tens of thousands of internet users in Spain, Mexico and South America have downloaded pirated copies of “John Wick 3” and other movies which come bundled with malicious software, according to a forthcoming Microsoft security warning viewed by CyberScoop.

Since April 11, some bootleg movie files on torrent websites have come with a strain of malware that hackers are using to try to exploit a victim’s machine to generate cryptocurrency. The attempted attacks coincide with a 41% increase in traffic to piracy websites in the U.S., and a 62% increase in Spain, since February, according to the British anti-piracy firm Muso.

Thousands of users continue to download pirated files of “John Wick 3,” and Spanish-language titles including “Punalies Por La Espalda” and “Contagio,” a Spanish-dubbed version of the pandemic-themed Steven Soderbergh movie “Contagion.”


“Lots of people are stuck at home looking to fill time, and not everyone is going to watch only what’s available through [streaming] services,” said Tanmay Ganacharya, director of security research of Microsoft Threat Protection. “Attackers use some popular movies as lures. And then they ensure that their malicious payload is part of the overall packages that a user ends up downloading.”

“John Wick 3” is the latest in a series starring Keanu Reeves as an international assassin on the run from a community of professional killers. The movie has been available for purchase or digital rental since last fall.

Meanwhile 2011’s “Contagion” has surged in popularity because of the plot’s resemblance to the real-world spread of COVID-19. The number of requests for “Contagion” on piracy sites skyrocketed by more than 5,600% earlier this year, according to Muso.

Windows Defender, the antivirus program on Microsoft machines, protects users from the malware, Ganacharya added. Malicious file names include “contagio-1080p,” “John_Wick_3_Parabellum,” “Punales_por_la_espalda_BluRay_1080p,” and “La_hija_de_un_ladron” and “lo-dejo-cuando-quiera,” according to Microsoft.

The origin of the attack remains under investigation. The malicious movie files do not appear to be circulating on especially popular torrent websites like the Pirate Bay, Ganacharya said. Attackers have been especially focused on distributing their malware in Spain, where most infections occurred, and then Spanish-speaking countries such as Mexico and Chile.


Scammers do not appear to be targeting U.S. movie pirates with this technique.

Exactly who is behind the hacking effort still is unclear, though it is ongoing. While attackers have inserted malware into the piracy ecosystem in the past, this attack relies on stealthier techniques to try to infiltrate Windows machines.

A typical attack begins with hackers disguising a malicious file in the same .zip folder that includes a movie torrent. When a victim opens a .zip file saved from a piracy site, they also trigger a malicious VBScript, a text file. That VBScript then uses BITSAdmin, a legitimate Microsoft protocol, to download a second-stage component, then tries to inject a coin-mining code into the machine’s memory.

“The mining would go on forever,” Ganacharya said. “This isn’t as in your face as ransomware would be. You wouldn’t even notice it unless you somehow checked why your computer started running slower.”

Latest Podcasts