
Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware

A sophisticated new cyberattack campaign is targeting Windows systems using a fake image file to sneak dangerous malware past security defenses. The operation, named Operation SilentCanvas, tricks victims into running a malicious PowerShell script disguised as a harmless JPEG photo, ultimately handing attackers full and silent control of the infected machine.

The attack begins when a victim receives what appears to be a routine image file called sysupdate.jpeg through a phishing email, a fake software update prompt, or a deceptive file-sharing link.

Despite carrying a .jpeg extension, the file contains no actual image data. Instead, it holds a PowerShell script engineered to quietly set up a staging environment and pull down additional malicious components from attacker-controlled servers.

Researchers at Cyfirma identified and analyzed the full attack chain, revealing just how deep the intrusion goes once the file is opened. The campaign does not rely on a single trick but chains together multiple advanced techniques to avoid detection and maintain a firm foothold inside targeted environments.

Once the initial file runs, the malware downloads a trojanized version of ConnectWise ScreenConnect, a legitimate remote access tool widely used across enterprise networks. The altered version gives attackers a persistent hidden back door while appearing to blend in with trusted software already present on the system.

The threat also gains elevated privileges without triggering any visible security warning. It does this through a fileless technique that manipulates a Windows registry path and abuses a trusted Windows binary to silently bypass the standard User Account Control prompt.

How the Weaponized JPEG Deploys the Malware

The sysupdate.jpeg file lacks the standard image header that all real JPEG files carry. When a victim opens it, Windows does not flag it as a script because the extension mimics an image.

The embedded PowerShell code creates a hidden folder at C:\Systems and downloads a trojanized ScreenConnect package from legitserver.theworkpc[.]com over TCP port 5443.

To avoid antivirus detection, the malware reconstructs dangerous command strings at runtime rather than writing them plainly in the file. It also downloads a secondary payload named access.jpeg and runs it directly in memory, so no suspicious executable touches the disk.

Microsoft’s own .NET compiler, csc.exe, then builds a custom launcher named uds.exe directly on the victim machine, giving each compiled binary a unique fingerprint that defeats signature-based scanning.
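The missing-header check described above, as an added example that is not from the article or Cyfirma's report: a Python triage helper that flags files carrying a JPEG extension but no SOI marker, and labels the ones whose text looks like a PowerShell loader. The sample bytes are constructed, not the real sysupdate.jpeg.

```python
import os
import re

# Every JPEG (JFIF, Exif or raw) opens with the SOI marker FF D8 FF.
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}
# Text fragments typical of a PowerShell loader; they only refine the label
# for a file that has already failed the magic check.
SCRIPT_HINTS = re.compile(
    rb"(?i)invoke-expression|\biex\b|invoke-webrequest|downloadstring|"
    rb"new-object|start-process|-encodedcommand|new-item"
)
BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")


def classify_image_file(name: str, head: bytes) -> str:
    """Classify the leading bytes of a file that claims to be a JPEG.
    Returns 'skip' (not a JPEG extension), 'ok' (real JPEG header),
    'script-in-jpeg' (no header, PowerShell-looking text) or
    'not-jpeg' (no header, content unknown)."""
    if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
        return "skip"
    if head.startswith(JPEG_MAGIC):
        return "ok"
    for bom in BOMS:          # editors often prepend a BOM to saved scripts
        if head.startswith(bom):
            head = head[len(bom):]
            break
    # UTF-16 scripts interleave NUL bytes; drop them so the hints still match.
    text = head.replace(b"\x00", b"")
    return "script-in-jpeg" if SCRIPT_HINTS.search(text) else "not-jpeg"


def check_path(path: str) -> str:
    """Read only the first 4 KiB; the verdict never needs more."""
    with open(path, "rb") as fh:
        return classify_image_file(path, fh.read(4096))


# Constructed samples: a genuine JFIF header, and a BOM-prefixed text file
# that uses loader-style cmdlets and the staging folder named in the report.
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
FAKE_JPEG_HEAD = (b"\xef\xbb\xbf"
                  b"New-Item -ItemType Directory -Path 'C:\\Systems' | Out-Null\r\n"
                  b"# ... remainder of a loader would follow\r\n")

if __name__ == "__main__":
    for name, head in (("photo.jpeg", REAL_JPEG_HEAD), ("sysupdate.jpeg", FAKE_JPEG_HEAD)):
        print(name, classify_image_file(name, head))
```

Point check_path at a mail-attachment or download quarantine folder; a 'script-in-jpeg' verdict is worth a ticket on its own, while 'not-jpeg' usually just means a renamed PNG or HEIC.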

Multi-Stage Infection Chain Overview (Source – Cyfirma)

The multi-stage infection chain shows the end-to-end attack workflow, beginning with social engineering and weaponized JPEG delivery, followed by PowerShell payload execution, AMSI bypass, and trojanized ScreenConnect deployment.

After the launcher runs, the malware hijacks a registry key tied to the ms-settings protocol and redirects it toward uds.exe. It then triggers ComputerDefaults.exe, a trusted Windows binary that auto-elevates, causing the payload to run with full administrator rights and no visible prompt. The registry key enabling this bypass is deleted within two seconds, destroying evidence before any investigator can find it.
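A detection for the registry hijack and ComputerDefaults.exe launch just described, added here as an example that is not from the article or Cyfirma's report: it correlates constructed Sysmon-style events (value set, process create, key delete) and assumes Sysmon field names and a 10-second window.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the report); fields follow Sysmon
# IDs 1 (process create), 12 (key delete) and 13 (value set). The last
# event is a user opening Default Apps, which must not alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-01-01 10:00:00.250", "Image": "C:\\Systems\\uds.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "C:\\Systems\\uds.exe"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.600", "ParentImage": "C:\\Systems\\uds.exe",
     "Image": "C:\\Windows\\System32\\ComputerDefaults.exe"},
    {"EventID": 12, "UtcTime": "2024-01-01 10:00:01.900", "EventType": "DeleteKey",
     "Image": "C:\\Systems\\uds.exe", "TargetObject": "HKU\\S-1-5-21-EXAMPLE-1001\\Software\\Classes\\ms-settings"},
    {"EventID": 1, "UtcTime": "2024-01-01 11:00:00.000", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\ComputerDefaults.exe"},
]
# Match the handler key by suffix so the per-user SID prefix is irrelevant.
HANDLER_KEY = re.compile(r"\\ms-settings\\shell\\open\\command", re.IGNORECASE)
WINDOW = timedelta(seconds=10)   # assumption: the whole sequence fits in 10 s

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_uac_bypass(events):
    """Correlate handler-key write -> ComputerDefaults.exe launch -> key delete
    inside WINDOW. Returns one alert dict per qualifying registry write."""
    events = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 13 or not HANDLER_KEY.search(ev.get("TargetObject", "")):
            continue
        t0, launch, cleanup = parse_time(ev["UtcTime"]), None, None
        for later in events[i + 1:]:
            if parse_time(later["UtcTime"]) - t0 > WINDOW:
                break
            image = later.get("Image", "").lower()
            if later["EventID"] == 1 and image.endswith("\\computerdefaults.exe"):
                launch = launch or later
            elif (later["EventID"] == 12 and later.get("EventType") == "DeleteKey"
                  and "\\ms-settings" in later.get("TargetObject", "").lower()):
                cleanup = later
        if launch:   # a write with no launch is worth a lower-severity alert
            alerts.append({
                "writer": ev.get("Image"), "handler_value": ev.get("Details"),
                "launch_parent": launch.get("ParentImage"), "key_deleted": cleanup is not None,
                "seconds_to_cleanup": (parse_time(cleanup["UtcTime"]) - t0).total_seconds()
                if cleanup else None})
    return alerts
```

Because the key is removed within seconds, this only works on streamed registry events; a registry snapshot taken after the fact will show nothing, so the alert should record the written handler value and the parent process before they disappear.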

Post-Compromise Capabilities and Persistence

Once the trojanized ScreenConnect framework is active, the attacker gains remarkable control over the infected machine. The modified software supports real-time screen monitoring, video recording, microphone capture, clipboard interception, keystroke logging, and silent file transfers through an encrypted channel designed to block network inspection.

Hex-level static analysis of the weaponized sysupdate.jpeg payload (Source – Cyfirma)

The hex-level static analysis of the weaponized sysupdate.jpeg payload shows the embedded PowerShell staging logic and malicious infrastructure references.

The malware creates a hidden desktop environment that operates outside the logged-in user's view, allowing the attacker to run tools without detection. A persistent Windows service named OneDriveServers keeps the malware alive across reboots.

A separate component intercepts usernames and passwords at the Windows login screen before they reach the authentication system, and hidden local administrator accounts can be created for long-term access.

Security teams are advised to block or closely monitor execution of commonly abused Windows binaries including csc.exe, cvtres.exe, and ComputerDefaults.exe. Organizations should enforce strict controls over remote access platforms, deploy detection rules for suspicious PowerShell behavior, and isolate any system showing unexpected ScreenConnect activity. Credential resets for all privileged accounts are strongly recommended following any suspected exposure.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware appeared first on Cyber Security News.

Source: cybersecuritynews.com
