Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has ever released. It’s such an embarrassment that the movie isn’t even available on Disney’s own streaming platform, Disney+.
According to cybersecurity researchers at Veriti, scammers are exploiting the situation by offering pirated versions of Snow White, specifically targeting torrent users and tricking them into downloading malware.
The Lure of a Pirated Download
On March 20th, what initially appeared to be a legitimate blog post on the website “TeamEsteem” (teamesteemmethodcom) offered a pirated version of the 2025 Snow White movie. The post provided a magnet torrent link that appeared safe but was actually a trap. Researchers identified the torrent file as a malicious campaign designed to compromise users’ devices.
According to the company’s blog post shared with Hackread.com, the torrent link led to a package of three files. While it might have seemed like a standard movie download, it was anything but. Veriti found that 45 people were already sharing or “seeding” the file, which could include both unsuspecting victims and attackers working to spread the trap faster.
A Fake Codec That “Spells” Trouble
When users downloaded the torrent, they didn’t get a movie. Instead, they got a bundle of files, including a README document and a suspicious file named “xmph_codec.exe.” The README claimed the codec file was necessary to play the movie, a common trick used in the early days of online piracy to fool users into installing malicious software.
However, in this case, running the “codec” file triggered a chain of malicious actions on the user’s device, including the following:
- Disables Security: It shuts down Windows Defender and other built-in protections, leaving the device wide open to more attacks.
- Installs Malware: The file was flagged as malicious by 50 out of 73 security tools on VirusTotal, a popular platform for analyzing suspicious files.
- Drops More Threats: It quietly adds additional harmful files to the system, setting the stage for further damage.
- Installs TOR Browser: It downloads and installs the TOR browser, a tool often used to access the Dark Web, without the user’s knowledge.
- Connects to the Dark Web: The malware communicates with a hidden server on the Dark Web (using a .onion address), making it hard for security tools to track or block it.
In short, what looked like a free movie exposes users to data theft or possibly ransomware.
What’s The Connection with TeamEsteem?
TeamEsteemMethod.com is the official website of Team Esteem, LLC, a US-based organization founded by Jamie Levine, dedicated to assisting parents, schools, and educators in addressing various childhood challenges.
Veriti’s team believes the attackers behind this campaign managed to get their malicious blog post onto the TeamEsteem website in one of two ways: either by exploiting a vulnerability in the outdated version of the Yoast SEO plugin or by using stolen admin credentials to access the website.
The vulnerability in question is CVE-2023-40680, found in the outdated version of the Yoast SEO plugin, a popular SEO tool used by over 10 million WordPress websites. Alternatively, the attackers may have logged into the site using stolen admin credentials to post the fake blog entry themselves.
Either way, the attackers used the site as a medium to trick users into downloading their malware, banking on the hype around Snow White to draw in victims.
Not The First Time
This isn’t the first time cybercriminals have used pirated movies as bait, and it won’t be the last. High-profile releases like Snow White are prime targets because they attract huge interest, especially when legal options are limited. With no streaming release on platforms like Disney+, many fans turn to torrent sites, hoping to save money or time. But as this campaign shows, there’s no such thing as a “free lunch.”
In the past, attackers have exploited the popularity of movies like John Wick 3, Contagion, Black Widow, Joker, Ford v Ferrari, Pirates of the Caribbean, and many others to distribute malware and ransomware.
The good news? You can still avoid falling into traps by avoiding piracy, being cautious with malicious torrents, keeping your anti-malware updated to detect the latest threats, and using common sense.
Review bombing the movie beacuse you are a bigot is not ok. Sickening.