Murtuza Ali
I am a Ph.D. candidate in the Cybersecurity (CYS) research group at TU Delft, working under the supervision of Professor Georgios Smaragdakis and Professor Harm Griffioen. I will be working on a broad spectrum of cybersecurity topics, including:
Network Security
Internet Measurement
Malware Analysis
Cyber Threat Intelligence (CTI)
My primary focus involves leveraging TU Delft’s Network Telescopes and Honeypots to understand internet-wide scanning activities and their implications for our cybersecurity.
Prior to my doctoral studies, I completed my Master’s degree in Computer Science at TU Delft, specializing in Cybersecurity. My master’s thesis examined the proliferation of Mirai botnets and their variants, laying the groundwork for my current research interests.
Session
The media piracy ecosystem represents a significant attack surface that remains critically understudied. With over 100 billion visits recorded to piracy sites, it is a lucrative target for attackers to distribute malware disguised as popular content. This is a recurring method in other pirated content such as software or games. These have been studied before, but despite similar effects and a much higher potential audience, malicious media is largely ignored. As the number of visits, especially to media piracy sites, is anticipated to increase over time with rising platform costs and the spread of popular media over several streaming sites, this is a target that is becoming increasingly lucrative over time.
In order to understand these attacks, we create our own measurement pipeline to understand the nature of the attacks from end to end, starting from scraping popular torrent aggregation sites, downloading the malicious files, and tracking the hosts that were involved in seeding and leeching these files. This gives us an idea of the infrastructure involved in spreading this malware and also the spread of victims. We find certain methods that attackers use to boost their reach and also other practices around these torrents that inadvertently boost these malicious files.
We also use data from sources such as MagnetDB and work with Iknowwhatyoudownload to get a longitudinal and comprehensive view of malware in media torrents, uncovering campaigns that span years. We also analyze over 500 malicious files that we capture and identify the end goals of the malicious parties.