Weaponized JPEG File Drops Trojanized ScreenConnect Backdoor on Windows
A new malware campaign called Operation SilentCanvas is using a file disguised as a JPEG image to deploy a trojanized version of ConnectWise ScreenConnect on Windows systems. The attack uses social engineering, PowerShell, and trusted Windows tools to gain stealthy remote access.
Security researchers at CYFIRMA said the campaign starts with a file named sysupdate.jpeg. Although it appears to be an image, the file contains a malicious PowerShell payload that sets up the next stages of the attack.
The goal is not just quick infection. The malware installs a modified remote access framework that can support surveillance, credential theft, hidden desktop activity, command execution, and long-term persistence inside a compromised environment.
Operation SilentCanvas hides malware behind a fake image
The attack likely reaches victims through phishing emails, fake update prompts, malicious attachments, or deceptive file-sharing links. The filename helps lower suspicion because many users treat image files as harmless.
Once the victim runs the disguised file, the PowerShell payload creates a staging folder on the system and starts downloading additional components from attacker-controlled infrastructure.
CYFIRMA said the malware uses the domain legitserver.theworkpc[.]com and communicates over non-standard ports, including 5443 and 8041. The campaign also uses encryption to hide command-and-control traffic.
Key facts at a glance
| Item | Details |
|---|---|
| Campaign name | Operation SilentCanvas |
| Main lure | sysupdate.jpeg |
| Initial payload | PowerShell script disguised as an image file |
| Target platform | Windows |
| Remote access tool abused | ConnectWise ScreenConnect |
| Persistence service name | OneDriveServers |
| Commonly abused Windows tools | csc.exe, cvtres.exe, ComputerDefaults.exe |
| Main risk | Remote access, credential theft, surveillance, and lateral movement |
How the infection chain works
The PowerShell payload creates a hidden staging folder and downloads a trojanized ScreenConnect package. ScreenConnect is a legitimate remote access tool, but attackers can abuse modified versions to blend malicious activity with trusted enterprise software.
The malware also downloads another payload named access.jpeg and runs parts of the attack in memory. This reduces the number of obvious executable files written to disk and makes the infection harder to detect with simple file scanning.

To avoid static detection, the malware reconstructs dangerous command strings at runtime. It also uses Microsoft’s legitimate .NET compiler, csc.exe, to build a custom launcher directly on the victim’s machine.
The malware uses Windows tools to bypass UAC
After compiling the launcher, the malware abuses the ms-settings protocol registry path and triggers ComputerDefaults.exe. This technique lets the payload run with elevated privileges without showing the usual User Account Control prompt.
The registry change is temporary. The malware removes the key within seconds, which makes forensic review harder if investigators arrive after execution.
This living-off-the-land approach matters because the attack does not depend only on unknown malware files. It also relies on trusted Windows binaries that many organizations allow by default.
Trojanized ScreenConnect gives attackers remote control
Once deployed, the modified ScreenConnect framework gives attackers persistent access to the infected system. CYFIRMA said the malware can support remote command execution, file transfer, hidden desktop interaction, and SYSTEM-level execution.
The framework also includes surveillance capabilities. Researchers found support for screen capture, screen recording, microphone capture, speaker audio capture, clipboard monitoring, and print job interception.
The campaign also includes credential theft features, including credential provider interception and plaintext credential harvesting. This makes the infection especially dangerous on enterprise workstations and administrator machines.
Why the attack is difficult to detect
Operation SilentCanvas combines several evasion methods in one chain. It uses PowerShell, in-memory execution, dynamic compilation, signed binary abuse, registry-based privilege escalation, and encrypted command-and-control channels.
Security tools may miss the attack if they focus only on obvious executable downloads. The malware builds parts of itself locally and hides behind tools that already exist on Windows systems.
The use of ScreenConnect also complicates detection. Many companies use remote monitoring and management tools for legitimate IT support, so defenders must separate approved remote access from unexpected or modified deployments.
What security teams should monitor
- Unexpected execution of files named sysupdate.jpeg or access.jpeg.
- PowerShell activity launched from user download folders or email attachment paths.
- New folders such as C:\Systems or C:\ProgramData\OneDriveServer\.
- Unexpected ScreenConnect activity on systems that do not normally use it.
- Execution of csc.exe, cvtres.exe, or ComputerDefaults.exe from unusual parent processes.
- Changes to the ms-settings registry path used for UAC bypass attempts.
- New Windows services using names that mimic Microsoft or OneDrive components.
- Outbound traffic to legitserver.theworkpc[.]com or 45[.]138[.]16[.]64.
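A defender-side illustration of the monitoring list above, written for this page rather than taken from CYFIRMA or the article: it runs the listed indicators (lure filenames, PowerShell from download or attachment paths, csc.exe/cvtres.exe/ComputerDefaults.exe under unusual parents, ms-settings registry changes and their quick removal, lookalike service names, the C2 host and ports) over constructed Sysmon-style telemetry. The event field names, the SID, timestamps, the expected-parent allowlist and the benign control events are all assumptions of this example; the registry location spelled out in MS_SETTINGS_KEY is the standard ms-settings protocol handler path the article refers to, not a string the article prints.

```python
"""Toy detection pass over constructed endpoint telemetry for Operation SilentCanvas indicators.

Added example for this page; not CYFIRMA's or any vendor's code. Event dictionaries are
constructed and their field names (event, utc, pid, image, parent_image, command_line,
target_object, dest_host, dest_port, service_name) are assumptions, not a real schema.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Indicators as given in the article (defanging removed for matching).
C2_HOSTS = {"legitserver.theworkpc.com", "45.138.16.64"}
C2_PORTS = {5443, 8041}
LURE_FILES = ("sysupdate.jpeg", "access.jpeg")
STAGING_DIRS = (r"c:\systems", r"c:\programdata\onedriveserver")
LOLBINS = {"csc.exe", "cvtres.exe", "computerdefaults.exe"}
# Assumption: parents from which a compiler or ComputerDefaults launch is routine in this environment.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "explorer.exe", "services.exe"}
# Assumption: paths that indicate a script launched from downloads or an Outlook attachment cache.
USER_LAUNCH_PATHS = ("\\downloads\\", "\\content.outlook\\")
# Standard ms-settings protocol handler key (public technique description; the article names only "ms-settings").
MS_SETTINGS_KEY = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I)
SERVICE_LURES = re.compile(r"onedrive|microsoft", re.I)
TRANSIENT_WINDOW = timedelta(seconds=30)  # set-then-delete faster than this is suspicious


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return (rule_name, event) hits; correlates ms-settings key creation with its deletion per pid."""
    hits = []
    key_set_at = {}  # pid -> time the ms-settings handler key was written
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            img = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "").lower()
            if any(lure in cmd for lure in LURE_FILES):
                hits.append(("lure_filename", ev))
            if img == "powershell.exe" and any(p in cmd for p in USER_LAUNCH_PATHS):
                hits.append(("powershell_from_user_path", ev))
            if img == "powershell.exe" and any(d in cmd for d in STAGING_DIRS):
                hits.append(("staging_folder", ev))
            if img in LOLBINS and parent not in EXPECTED_PARENTS:
                hits.append(("lolbin_unusual_parent", ev))
        elif kind == "registry_set" and MS_SETTINGS_KEY.search(ev["target_object"]):
            hits.append(("ms_settings_handler_set", ev))
            key_set_at[ev["pid"]] = ev["utc"]
        elif kind == "registry_delete" and MS_SETTINGS_KEY.search(ev["target_object"]):
            t0 = key_set_at.get(ev["pid"])
            if t0 is not None and ev["utc"] - t0 <= TRANSIENT_WINDOW:
                hits.append(("ms_settings_handler_transient", ev))
        elif kind == "network_connect":
            if ev["dest_host"].lower() in C2_HOSTS or ev["dest_port"] in C2_PORTS:
                hits.append(("c2_indicator", ev))
        elif kind == "service_install" and SERVICE_LURES.search(ev["service_name"]):
            hits.append(("lookalike_service", ev))
    return hits


def summarize(hits):
    """Count hits per rule name."""
    return Counter(rule for rule, _ in hits)


# Constructed timeline modelled on the chain described in the article, plus two benign control events.
T = datetime(2025, 1, 1, 12, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "utc": T, "pid": 100, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell -w hidden -f C:\Users\alice\Downloads\sysupdate.jpeg"},
    {"event": "process_create", "utc": T + timedelta(seconds=3), "pid": 101,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent_image": PS,
     "command_line": "csc.exe /nologo /out:launcher.exe launcher.cs"},
    {"event": "registry_set", "utc": T + timedelta(seconds=5), "pid": 100,
     "target_object": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"event": "process_create", "utc": T + timedelta(seconds=6), "pid": 102,
     "image": r"C:\Windows\System32\ComputerDefaults.exe", "parent_image": PS, "command_line": "ComputerDefaults.exe"},
    {"event": "registry_delete", "utc": T + timedelta(seconds=8), "pid": 100,
     "target_object": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\Shell\Open\command"},
    {"event": "service_install", "utc": T + timedelta(seconds=20), "pid": 4, "service_name": "OneDriveServers"},
    {"event": "network_connect", "utc": T + timedelta(seconds=25), "pid": 103,
     "dest_host": "legitserver.theworkpc.com", "dest_port": 5443},
    # Benign controls: a Visual Studio build invoking csc.exe, and ordinary HTTPS traffic.
    {"event": "process_create", "utc": T + timedelta(minutes=5), "pid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe", "command_line": "csc.exe app.cs"},
    {"event": "network_connect", "utc": T + timedelta(minutes=6), "pid": 201,
     "dest_host": "update.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{ev['utc'].time()} pid={ev['pid']:<4} {rule}")
    print(dict(summarize(scan(SAMPLE_EVENTS))))
```

The per-pid correlation of the registry set and delete is the piece worth keeping from this sketch: the article notes the key exists for only seconds, so a rule that fires on the key write alone will be noisy on legitimate protocol-handler changes, while the write-then-delete pair inside a short window is specific to the behaviour described. The benign control events show that a parent-process allowlist, not a blanket alert on csc.exe, is what keeps the compiler rule usable on developer machines.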
What organizations should do now
Organizations should restrict unmanaged PowerShell execution and review which users can run scripts from temporary, download, and email attachment locations. Blocking or tightly monitoring csc.exe and related compiler activity can also reduce risk.
Remote access platforms need stronger control. Security teams should maintain an approved inventory of ScreenConnect deployments and investigate any unknown installation immediately.
If a system shows signs of this campaign, teams should isolate it, collect forensic evidence, remove suspicious services, terminate malicious PowerShell activity, and rotate privileged credentials that may have been exposed.
FAQ
What is Operation SilentCanvas?
Operation SilentCanvas is a malware campaign that uses a PowerShell payload disguised as a JPEG file to deploy a trojanized ScreenConnect remote access framework on Windows systems.
Is sysupdate.jpeg a real image file?
No. Researchers said the file does not behave like a normal JPEG image. It contains malicious PowerShell logic designed to start the infection chain.
What can the malware do once installed?
It can give attackers remote access, command execution, file transfer, credential interception, screen capture, audio capture, clipboard monitoring, and long-term persistence.
How does the malware bypass UAC?
It abuses the ms-settings registry path and ComputerDefaults.exe to perform a fileless UAC bypass, allowing elevated execution without a visible prompt.
Summary
- Operation SilentCanvas uses a file named sysupdate.jpeg to hide a PowerShell payload.
- The attack deploys a trojanized version of ConnectWise ScreenConnect.
- The malware abuses csc.exe, cvtres.exe, and ComputerDefaults.exe to evade detection and elevate privileges.
- The framework supports credential theft, remote commands, surveillance, file transfer, and persistence.
- Security teams should monitor suspicious PowerShell, ScreenConnect activity, UAC bypass traces, and unexpected Windows services.