Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
RedLine Stealer C2 Uses 7 Fraudulent Domains in Maritime Phishing Attacks
July 6, 2026
Teen Arrested for Bandai Channel Cyberattack Aided by ChatGPT
July 6, 2026
Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection
July 6, 2026
Home/CyberSecurity News/TrojPix Attack Remotely Exfiltrates Data From Air-Gapped Computers
CyberSecurity News

TrojPix Attack Remotely Exfiltrates Data From Air-Gapped Computers

Key Takeaways A new electromagnetic (EM) attack, dubbed TrojPix, can exfiltrate data from air-gapped systems. The attack exploits subtle EM emissions from standard video cables (HDMI, DVI) by...

Sarah simpson
Sarah simpson
July 6, 2026 4 Min Read
3 0

Key Takeaways

  • A new electromagnetic (EM) attack, dubbed TrojPix, can exfiltrate data from air-gapped systems.
  • The attack exploits subtle EM emissions from standard video cables (HDMI, DVI) by manipulating screen pixels.
  • TrojPix achieves a record data transfer rate of 8.1 Mbps over distances up to 208 meters, even through concrete walls.
  • The technique requires pre-existing malware on the target system but operates without elevated privileges and is visually imperceptible.
  • Mitigation involves EM shielding, jamming, or adopting fiber-optic video interfaces.

TrojPix: Covert Data Exfiltration via Screen Pixels

A groundbreaking electromagnetic (EM) covert-channel attack, named TrojPix, has been developed that can surreptitiously extract sensitive information from air-gapped computers. This innovative method, which will be presented at the 35th USENIX Security Symposium, leverages only the pixels displayed on a victim’s screen to transmit data over distances of up to 208 meters, penetrating physical barriers like concrete walls.

Table Of Content

  • Key Takeaways
  • TrojPix: Covert Data Exfiltration via Screen Pixels
  • How TrojPix Exploits Air-Gapped Systems
  • TrojPix Operational Modes and Resilience
  • What You Should Do

Developed by a research team from Shandong University and Quan Cheng Laboratory, TrojPix represents a substantial advancement in EM covert channels. It boasts an impressive peak throughput of 8.1 Mbps, marking a roughly 27-fold improvement over previous state-of-the-art techniques, all while remaining completely undetectable to the human eye.

How TrojPix Exploits Air-Gapped Systems

Air-gapped systems are critical infrastructure in military, government, financial, and nuclear sectors, designed for maximum confidentiality through physical isolation from external networks. TrojPix circumvents this isolation by transforming ordinary digital video cables into unwitting radio antennas.

The core of the attack relies on manipulating the Transition-Minimized Differential Signaling (TMDS) encoding scheme, which is fundamental to HDMI and similar video interfaces. By making minute, visually imperceptible alterations to pixel values—for instance, modifying the least significant bit of the blue color channel—malware can precisely control the EM emissions radiating from the video cable. These subtle emissions encode data that an attacker can capture remotely using readily available commercial radio equipment.

Crucially, the malware responsible for initiating the TrojPix channel does not require administrator privileges or any hardware modifications, operating entirely within user mode. Its function involves scanning the compromised system for confidential files, determining the monitor’s resolution, and then playing a specially crafted, visually camouflaged “attack video” to establish the covert communication link.

It is important to note that TrojPix functions solely as a data exfiltration channel; it is not a method for initial system compromise. The attack necessitates that malware is already present and executing on the air-gapped machine. TrojPix itself does not provide the initial access. Gaining entry to a physically isolated machine remains the most challenging aspect, typically requiring conventional air-gap infection vectors such as infected USB drives, supply-chain attacks, compromised firmware, or malicious insider activity.

Therefore, the reported 208-meter range signifies the distance from which an attacker can passively receive stolen data once the system has been compromised by other means, not the distance for initial intrusion.

What distinguishes TrojPix is its efficiency and stealth in the final data-theft phase: it is fast, long-range, visually invisible, and requires only low-privilege user-mode access. The attacker’s receiving radio equipment remains entirely external to the target, never making physical contact.

TrojPix Operational Modes and Resilience

The researchers demonstrated two distinct operational modes for TrojPix. In “Fake Screen-Off Mode,” the malware simulates a powered-down display while data transmission continues in the background, pausing instantly upon detection of mouse movement. The “Foreground Embedding Mode” integrates covert data directly into the content currently displayed on screen through pixel-level adjustments that are imperceptible to observers.

To ensure robust performance against noise and interference over extended distances, TrojPix employs a combination of techniques: Pixel-to-Sample Mapping (P2S-Map), matched-filter correlation for synchronization, cross-row resilience coding, and an adaptive decision threshold. For reception, the team utilized a USRP X310 software-defined radio paired with a directional antenna and a low-noise amplifier.

Extensive evaluations across nine monitor brands and fifteen video cables revealed that TrojPix achieved a bit-correct rate nearing 99%, which improved to 100% with the application of forward error correction. The system maintained its performance through a 30-cm concrete wall, across various resolutions and antenna angles, and even with other active monitors nearby. A perceptual study involving 50 volunteers confirmed that none could discern any visual changes before or during the attack.

What You Should Do

  • Implement EM Shielding: While not a complete block, applying Faraday-cage principles through EM shielding can degrade the covert channel’s effectiveness.
  • Consider EM Jamming: Deploying electromagnetic jamming equipment can disrupt the signal, though this is often a costly solution.
  • Adopt Fiber-Optic or Wireless Video Interfaces: The most effective mitigation involves transitioning to video interfaces inherently free from EM leakage, such as fiber-optic or secure wireless connections.
  • Enhance Software Defenses: Implement software solutions that randomize TMDS transmission order or smooth pixel values to reduce exploitable EM leakage.
  • Strengthen Air-Gap Integrity: Reinforce existing air-gap security measures to prevent initial malware infiltration, as TrojPix relies on a pre-compromised system.

The researchers outline several countermeasures, noting that while EM shielding can partially degrade the channel, testing showed success rates remained above 91% even with added shielding, indicating it cannot fully prevent the attack. EM jamming equipment presents another option, albeit an expensive one.

The authors conclude that the most effective mitigation strategy involves adopting EM-leakage-free video interfaces, such as fiber-optic or wireless connections. Additionally, software-based defenses like randomizing TMDS transmission order and smoothing pixel values can help reduce EM leakage. The research team has initiated responsible disclosure with cable manufacturers and has deliberately withheld specific operational attack details to prevent potential misuse.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurity

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Critical Opera GX Bug Lets Attackers Steal User Data

Next Post

Agent Skill Malware Targets AI Models Claude and OpenAI Codex

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Opera GX Bug Lets Attackers Steal User Data
July 6, 2026
Critical OpenAI Vulnerability Exposed Sensitive Prompts and API Activity
July 6, 2026
SSH Honeypots Fail to Detect Post-Login Attacks, Study Finds
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us