It started when security researcher 0xffff0800 found a nasty surprise in the files for the movie The Girl in the Spider's Web (a hacker movie; official trailer) downloaded from The Pirate Bay (TPB). At that time, the torrent had 2,375 seeders.

Instead of a video file, he found a .LNK shortcut that executed a PowerShell command. The file's icon caught his attention, so he ran it through the VirusTotal antivirus scanning service.

The results showed a low detection rate and flagged the sample as CozyBear, a piece of malware used by an advanced threat actor known by the same name and several others (APT29, CozyDuke, CozyCar, Grizzly Bear). The group was discovered in 2015 and is still active, targeting Windows platforms.

One of the infection methods the group still uses relies on a weaponized .LNK file that runs a PowerShell command and extracts a script embedded in the shortcut file itself.
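The two traits described above, a shortcut whose target or arguments launch PowerShell and a shortcut file that carries extra bytes beyond the normal Shell Link structures, are both things a defender can check for without running the file. The following is an added triage script, not code from the article or from any of the researchers it quotes. It parses the documented MS-SHLLINK layout (header, optional IDList and LinkInfo, the StringData strings, the ExtraData blocks) in pure Python, then reports the indicators. The two sample shortcuts are constructed in the script for demonstration; the indicator list and the size thresholds are the author's own assumptions, not a published signature.

```python
"""Triage a Windows .LNK (MS-SHLLINK) file for the traits the article describes:
a shortcut that launches PowerShell with suspicious switches, and a shortcut
that has data appended after its structures (where a script can be hidden).
Added example; pure Python, no third-party modules. Samples are constructed."""
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
SW_SHOWMINNOACTIVE = 7  # window starts minimized and inactive: common in malicious shortcuts

# Command-line fragments commonly used to hide or obfuscate a PowerShell launch
# (assumed indicator list; "-enc" also covers "-encodedcommand", "-nop" covers "-noprofile")
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop", "bypass",
                   "iex", "invoke-expression", "downloadstring", "frombase64string")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, skip IDList/LinkInfo, read StringData, walk ExtraData.
    Returns the fields needed for triage plus the count of trailing bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                           # CountCharacters, then the (unterminated) string
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    # ExtraData: blocks prefixed by a 4-byte size; a size below 4 is the terminal block
    while pos + 4 <= len(data):
        size, = struct.unpack_from("<I", data, pos)
        if size < 4:
            pos += 4
            break
        pos += size
    return {"show_cmd": show_cmd, "trailing_bytes": len(data) - pos, **strings}


def triage(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    info = parse_lnk(data)
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    if "powershell" in target or "powershell" in args:
        findings.append("launches PowerShell")
    hits = [s for s in SUSPICIOUS_ARGS if s in args]
    if hits:
        findings.append("suspicious switches: " + ", ".join(hits))
    if info["show_cmd"] == SW_SHOWMINNOACTIVE:
        findings.append("window is minimized/inactive on launch")
    if info["trailing_bytes"] > 0:
        findings.append(f"{info['trailing_bytes']} bytes appended after the shortcut structures")
    return findings


def build_lnk(target_rel: str, arguments: str, show_cmd: int = 1, trailing: bytes = b"") -> bytes:
    """Construct a minimal Unicode .LNK for testing (constructed sample, not a real capture)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20)
    header += b"\x00" * 24                                   # three zeroed FILETIME fields
    header += struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0)  # FileSize..Reserved3
    id_list = struct.pack("<H", 2) + b"\x00\x00"            # IDList holding only the TerminalID

    def s(text):                                             # StringData entry
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + id_list + s(target_rel) + s(arguments) + struct.pack("<I", 0) + trailing


# Constructed samples: the command body is a placeholder, not a real payload
MALICIOUS_SAMPLE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-WindowStyle Hidden -NoProfile -Command "<constructed placeholder>"',
    show_cmd=SW_SHOWMINNOACTIVE,
    trailing=b"# constructed filler standing in for an appended script\n" * 20,
)
BENIGN_SAMPLE = build_lnk(r"..\Videos\movie.mkv", "")

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample) or ["no findings"])
```

Run it on a real shortcut with `triage(open(path, "rb").read())`. The trailing-bytes check is the one most specific to the technique in the article: a normal shortcut ends at its terminal ExtraData block, so any bytes after it are not something Explorer produced and deserve a look.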

The CozyBear detection was a false positive, though. Nick Carr, a member of FireEye's Advanced Practices Team, said that weaponized .LNK files are common in pirated content.