On March 20th, a seemingly legitimate blog post on the TeamEsteem website promoted a pirated version of the 2025 Snow White movie. The post included a torrent link that appeared harmless but was actually a malicious campaign designed to infect users’ devices. Researchers found that the torrent package contained three files, one of which was the dangerous “xmph_codec.exe” disguised as a necessary codec for playing the movie.
When users downloaded the torrent, they unknowingly executed the malicious file, which disabled Windows Defender and other security protections. This allowed the malware to install additional harmful files and even download the TOR browser, providing attackers with access to the Dark Web. The malware communicated with a hidden server on a .onion address, making it difficult for security tools to track or block it.
The attackers behind the campaign likely used either an outdated version of the Yoast SEO plugin or stolen admin credentials to post the malicious blog entry on TeamEsteemMethod.com. Team Esteem, a US-based organization that assists parents and educators, had its website exploited to spread malware under the guise of a movie torrent. The attackers capitalized on the popularity of the Snow White movie to lure victims into downloading the harmful file.
This is not the first time that cybercriminals have used pirated movies as bait. High-demand films like Snow White attract many users seeking free downloads, making them prime targets for malware distribution. Previous attacks have exploited other popular movie releases, showing that downloading pirated content always comes with significant risks.
