Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
GPT-5.6 Codex Bug Deletes Files From Home Directories
July 17, 2026
Critical TP-Link Tapo Camera Vulnerability Lets Attackers Hijack Devices
July 17, 2026
CISA Warns of Critical Fortinet FortiSandbox OS Injection Flaws Exploited in Attacks
July 17, 2026
Home/Threats/Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware
Threats

Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware

Key Takeaways A new sophisticated cyberattack, dubbed “Operation SilentCanvas,” is actively exploiting Windows systems. Attackers are using weaponized JPEG files to deliver a multi-stage...

Jennifer sherman
Jennifer sherman
May 11, 2026 5 Min Read
47 0

Key Takeaways

  • A new sophisticated cyberattack, dubbed “Operation SilentCanvas,” is actively exploiting Windows systems.
  • Attackers are using weaponized JPEG files to deliver a multi-stage PowerShell intrusion that ultimately installs a trojanized version of ConnectWise ScreenConnect.
  • The campaign employs advanced evasion techniques, including fileless execution, runtime command reconstruction, and a User Account Control (UAC) bypass that deletes evidence within seconds.
  • Once compromised, attackers gain extensive control, including screen monitoring, keystroke logging, and the ability to create hidden administrator accounts for persistence.
  • Defenders should focus on enhancing endpoint detection, enforcing strict remote access controls, and monitoring for suspicious PowerShell and legitimate binary execution.

A sophisticated new cyberattack campaign, dubbed “Operation SilentCanvas,” is currently targeting Windows systems with a highly deceptive tactic. This operation manipulates victims into executing a malicious PowerShell script cleverly disguised as an innocuous JPEG image file. Upon successful execution, this covert script deploys dangerous malware, granting attackers silent and complete control over the compromised machine. Security researchers have published a comprehensive report detailing the intricate nature of this threat.

Table Of Content

  • Key Takeaways
  • How the Weaponized JPEG Deploys the Malware
  • Post-Compromise Capabilities and Persistence
  • What You Should Do

The attack chain initiates when a user receives what appears to be a standard image file named “sysupdate.jpeg.” This malicious file is typically delivered through common social engineering vectors such as phishing emails, fake software update prompts, or deceptive file-sharing links.

Despite its .jpeg extension, the file contains no actual image data. Instead, it embeds a PowerShell script meticulously crafted to establish a hidden staging environment and retrieve additional malicious components from servers controlled by the attackers. Researchers at Cyfirma meticulously identified and analyzed the complete attack chain, revealing the profound depth of intrusion once the initial file is opened. This campaign relies on a complex sequence of advanced techniques designed to evade detection and maintain a persistent foothold within targeted environments.

Following the execution of the initial file, the malware proceeds to download a trojanized version of ConnectWise ScreenConnect. This legitimate remote access tool is widely utilized across enterprise networks. The modified version provides attackers with a persistent, clandestine backdoor, all while appearing to be a trusted application already present on the system.

Furthermore, the threat achieves elevated privileges without triggering any visible security alerts. It accomplishes this through a fileless technique that manipulates a specific Windows registry path and abuses a trusted Windows binary to silently bypass the standard User Account Control (UAC) prompt.

How the Weaponized JPEG Deploys the Malware

The “sysupdate.jpeg” file notably lacks the standard image header characteristic of legitimate JPEG files. When a victim attempts to open it, Windows fails to flag it as a script because the file extension mimics that of an image, deceiving the operating system’s initial checks.

The embedded PowerShell code then creates a hidden directory at C:Systems and downloads a trojanized ScreenConnect package from legitserver.theworkpc[.]com over TCP port 5443. To further circumvent antivirus detection, the malware dynamically reconstructs dangerous command strings at runtime, rather than storing them in plain text within the file. It also downloads a secondary payload, named “access.jpeg,” and executes it directly in memory, ensuring no suspicious executable is written to disk.

Microsoft’s own .NET compiler, csc.exe, is then leveraged to build a custom launcher named uds.exe directly on the victim’s machine. This method gives each compiled binary a unique fingerprint, effectively defeating signature-based scanning mechanisms.

Multi-Stage Infection Chain Overview (Source - Cyfirma)
Multi-Stage Infection Chain Overview (Source – Cyfirma)

This multi-stage infection chain illustrates the end-to-end attack workflow, starting with social engineering and the delivery of the weaponized JPEG. This is followed by PowerShell payload execution, an AMSI bypass, and the ultimate deployment of the trojanized ScreenConnect.

After the custom launcher executes, the malware hijacks a registry key associated with the ms-settings protocol, redirecting it to point to uds.exe. It then triggers ComputerDefaults.exe, a trusted Windows binary that automatically elevates privileges, allowing the payload to run with full administrator rights without any visible prompt. Critically, the registry key enabling this bypass is deleted within two seconds, effectively eradicating forensic evidence before investigators can discover it.

Post-Compromise Capabilities and Persistence

Once the trojanized ConnectWise ScreenConnect framework is active, the attackers gain extensive control over the compromised machine. The modified software enables real-time screen monitoring, video recording, microphone capture, clipboard interception, keystroke logging, and silent file transfers through an encrypted channel specifically designed to thwart network inspection.

Hex-level static analysis of the weaponized sysupdate.jpeg payload (Source - Cyfirma)
Hex-level static analysis of the weaponized sysupdate.jpeg payload (Source – Cyfirma)

A hex-level static analysis of the weaponized sysupdate.jpeg payload clearly reveals the embedded PowerShell staging logic and references to the malicious infrastructure.

The malware establishes a hidden desktop environment that operates outside the logged-in user’s view, allowing the attacker to execute tools undetected. A persistent Windows service named “OneDriveServers” ensures the malware survives system reboots. Additionally, a separate component is designed to intercept usernames and passwords directly at the Windows login screen before they reach the authentication system. Attackers can also create hidden local administrator accounts to maintain long-term access to the compromised system.

What You Should Do

  • Enhance Endpoint Detection and Response (EDR): Implement and configure EDR solutions to detect anomalous process behavior, especially concerning PowerShell execution and the use of legitimate Windows binaries (csc.exe, cvtres.exe, ComputerDefaults.exe).
  • Strengthen Email and Web Security: Deploy advanced email filtering and web security gateways to block phishing attempts and prevent the download of malicious files disguised as benign content.
  • Implement Application Whitelisting: Consider application whitelisting to restrict the execution of unauthorized software, limiting the ability of attackers to deploy their payloads.
  • Monitor Remote Access Tools: Enforce strict controls and vigilant monitoring over all remote access platforms, including ConnectWise ScreenConnect. Look for unusual connection patterns or modifications.
  • User Account Control (UAC) Best Practices: While this attack bypasses UAC, maintaining UAC at its highest setting remains a crucial defense layer against less sophisticated threats. Educate users about the importance of UAC prompts.
  • Regular Security Awareness Training: Conduct frequent training for employees on recognizing phishing attempts, suspicious file types, and the dangers of opening unsolicited attachments.
  • Isolate Compromised Systems: Immediately isolate any system exhibiting indicators of compromise (IoCs) or unexpected ScreenConnect activity to prevent lateral movement.
  • Credential Reset: Following any suspected exposure, promptly reset credentials for all privileged accounts and enforce multi-factor authentication (MFA) across the organization.
  • Review Indicators of Compromise (IoCs): Integrate the following IoCs into your security tools (SIEM, EDR, firewalls) for proactive detection and blocking:
    • IP Address: 45[.]138[.]16[.]64 (Attacker-controlled C2 backend IP address — Block)
    • Domain: legitserver[.]theworkpc[.]com (Attacker-controlled C2 domain used for payload delivery and remote sessions — Block)
    • SHA256 Hashes:
      • 7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3
      • ecd5ed16975d556d1d17bc980f248f8a5262bed11df9d9cf999efd9c273c11df
      • cea1d85967d2c456fccecae3a70ff2adfe4c113aacf9d18c35
      • 906c2ed24ca9b46e4c9f3bb4a65c640795bfc1a56c0b56485b849ccd97027eed7ad9aa78a732a4f
      • ee3d776cdaf82335e4293e19ee313cc35eee49cde9963b96766a8f9c89d44a79
      • 4d8ac85c5b98c69ba44146df61183e9bf613edd796aa516c3ae73611b7d77c06
      • A635F0C94C98B658AE799978994F0D0A292567CD97B8A19068A8423D1297652A (uds.exe compiled dropper hash)
    • MD5 Hash: 7DD05336097E5A833F03A63D3221494F (uds.exe compiled dropper hash)
    • File Names: sysupdate.jpeg, access.jpeg, uds.exe
    • File Paths: C:Systems, C:ProgramDataOneDriveServer

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwarephishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

macOS Malware Spreads via Google Ads, Claude.ai Shared Chats

Next Post

GhostLock Attack Exploits Windows SMB to Lock Files

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Two Hackers Jailed for Hacking 148 TfL Systems, Forcing 27,000 Staff Password Resets
July 17, 2026
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us