Operation SilentCanvas: When a JPEG Becomes a Trojan Horse
A file named “sysupdate.jpeg” sitting in your Downloads folder sounds harmless, but Operation SilentCanvas shows otherwise. In this campaign the attackers ship PowerShell scripts under a .jpeg extension: the files carry no valid JPEG header or image data, yet the familiar extension is enough to get them past basic checks that trust image formats. Double-clicking such a file hands it to an image viewer, which simply fails to render it; the script runs only when the file's contents reach PowerShell instead of a viewer, which is the step the campaign's social engineering is built to bring about. The approach exploits human trust as much as technical blind spots: users and some tools assume images are safe, so images get less scrutiny than executables. The result is a quiet delivery vehicle for a remote access trojan that can be planted on Windows systems with very few visible warning signs.
Inside the Attack Chain: From Fake Image to Full System Takeover
Once the disguised JPEG is executed, the embedded PowerShell script silently creates a hidden C:\Systems folder and connects to legitserver.theworkpc[.]com on TCP port 5443. It downloads a trojanized ScreenConnect package into C:\ProgramData\OneDriveServer\, turning a legitimate remote support tool into a remote access trojan. It also fetches a secondary “access.jpeg” payload that runs entirely in memory, so it never lands on disk for file-based antivirus to scan. To gain administrative rights without a prompt, the script writes its own command under the ms-settings protocol handler in the current user's registry hive (HKCU\Software\Classes\ms-settings\shell\open\command) and then launches ComputerDefaults.exe, a Windows binary that auto-elevates and honours that handler; the command runs elevated with no UAC dialog, and the script cleans up the evidence within about two seconds. From there the operators can watch the screen, capture keystrokes, tap the microphone and camera, read the clipboard, and exfiltrate files over encrypted channels, while a persistent “OneDriveServers” service keeps the malware running across reboots.
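The following is an added triage script, not code from the SilentCanvas report or from the attackers' tooling. It checks a Windows host for the artifacts the chain above leaves behind: the two directories, the OneDriveServers service, the per-user ms-settings handler that the ComputerDefaults.exe bypass relies on, and live connections to remote port 5443. The directory names, service name and port are taken from the write-up; the registry path is the standard location that bypass technique writes to, and the assumption that the key is normally absent on a clean profile is stated in the comments.

```powershell
# Added example (not from the SilentCanvas write-up): triage a host for the artifacts
# described in the attack chain. Run from an elevated session for full service and
# connection visibility.

function Get-SilentCanvasIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Staging and install directories created by the dropper (names from the write-up).
    foreach ($dir in 'C:\Systems', 'C:\ProgramData\OneDriveServer') {
        if (Test-Path -LiteralPath $dir) {
            $findings.Add([pscustomobject]@{ Type = 'Directory'; Value = $dir })
        }
    }

    # 2. Persistence: the service named after the install folder, with its binary path.
    $svc = Get-Service -Name 'OneDriveServers' -ErrorAction SilentlyContinue
    if ($svc) {
        $svcPath = (Get-CimInstance Win32_Service -Filter "Name='OneDriveServers'").PathName
        $findings.Add([pscustomobject]@{ Type = 'Service'; Value = "$($svc.Name) ($($svc.Status)) -> $svcPath" })
    }

    # 3. UAC-bypass residue. Assumption: a clean user profile has no ms-settings handler
    #    under HKCU; the bypass creates it, launches ComputerDefaults.exe, then deletes it,
    #    so a hit means the attack is in progress or its clean-up failed. No hit does not
    #    clear the host.
    $hijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    if (Test-Path -LiteralPath $hijackKey) {
        $cmd = (Get-ItemProperty -LiteralPath $hijackKey -ErrorAction SilentlyContinue).'(default)'
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Value = "$hijackKey = $cmd" })
    }

    # 4. Live C2 traffic on the port the loader uses, with the owning process.
    Get-NetTCPConnection -RemotePort 5443 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Type  = 'Network'
            Value = "$($_.RemoteAddress):$($_.RemotePort) state=$($_.State) pid=$($_.OwningProcess) ($($proc.ProcessName))"
        })
    }

    return $findings
}

$hits = Get-SilentCanvasIndicators
if ($hits.Count -eq 0) {
    'No SilentCanvas indicators found on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

Because the script deletes the ms-settings key seconds after using it, the registry check mostly catches an attack in progress; the directories, the service and the connection on 5443 are the durable indicators, and an empty result from all four should be followed up with PowerShell script block logs rather than treated as a clean bill of health.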
Why You Can’t Spot Malicious JPEGs by Sight Alone
One of the most dangerous aspects of this attack is that you cannot tell a weaponized JPEG from a real image by looking at it. The file icon, name and extension all look normal, and the generic image icon that Explorer shows in place of a thumbnail (there is no image data to render) raises no alarm. Under the hood, instead of a JPEG header followed by compressed image data, the file holds script text meant to be executed rather than displayed. Because many users trust images implicitly, they double-click attachments or download “update” graphics sent by email without a second thought, and Operation SilentCanvas leans on phishing emails that impersonate official notices or software updates to deliver exactly those files. Unless you inspect the file's actual bytes, use tools that check content rather than extension, or rely on monitoring that watches for behaviour, these files blend into everyday documents, and visual checks alone are nearly useless against them.
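The check that visual inspection cannot do is a look at the bytes. Below is an added example, not code from the page, that scans a folder for files with a .jpg or .jpeg extension and reports any that lack the JPEG start-of-image marker (FF D8 FF) and end-of-image marker (FF D9) or that consist almost entirely of printable text. Both sample files it writes are constructed for the demo: a minimal byte sequence with valid JPEG framing and a harmless one-line script saved under an image name; neither is the campaign's real payload.

```powershell
# Added example (not from the SilentCanvas write-up): find files that wear a .jpg/.jpeg
# extension but are not JPEG images. A real JPEG starts with SOI (FF D8 FF) and ends with
# EOI (FF D9); a script saved under an image extension has neither and is nearly all text.

$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'silentcanvas-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null

# Constructed stand-in for a genuine image: SOI, an empty APP0 segment, EOI
# (valid framing, not a decodable picture).
[byte[]]$realJpeg = 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x02, 0xFF, 0xD9
[System.IO.File]::WriteAllBytes((Join-Path $sampleDir 'photo.jpeg'), $realJpeg)

# Constructed stand-in for the fake: script text under a .jpeg name (a harmless
# placeholder, not the campaign's payload).
$fakeText = 'Write-Host "placeholder script saved as an image"'
[System.IO.File]::WriteAllText((Join-Path $sampleDir 'sysupdate.jpeg'), $fakeText)

function Test-JpegFile {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 4) {
        return [pscustomobject]@{ Path = $Path; ValidJpeg = $false; TextRatio = 0; FirstBytes = '' }
    }
    $hasSoi = ($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xD8) -and ($bytes[2] -eq 0xFF)
    $hasEoi = ($bytes[-2] -eq 0xFF) -and ($bytes[-1] -eq 0xD9)

    # Share of printable ASCII (plus tab/CR/LF) in the first 512 bytes: compressed image
    # data sits well below 1.0, script text sits at or near it.
    $head = $bytes[0..([Math]::Min(511, $bytes.Length - 1))]
    $printable = @($head | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or ($_ -in @(0x09, 0x0A, 0x0D)) }).Count
    $textRatio = [Math]::Round($printable / $head.Count, 2)

    [pscustomobject]@{
        Path       = $Path
        ValidJpeg  = $hasSoi -and $hasEoi
        TextRatio  = $textRatio
        FirstBytes = ($head[0..([Math]::Min(7, $head.Count - 1))] | ForEach-Object { $_.ToString('X2') }) -join ' '
    }
}

# Report anything that fails the marker check or is overwhelmingly text.
# On a real host, point -Path at the Downloads folder instead of $sampleDir.
Get-ChildItem -Path $sampleDir -Include *.jpg, *.jpeg -Recurse |
    ForEach-Object { Test-JpegFile -Path $_.FullName } |
    Where-Object { -not $_.ValidJpeg -or $_.TextRatio -gt 0.9 } |
    Format-Table -AutoSize
```

Only sysupdate.jpeg is listed: it has no SOI/EOI markers and a text ratio of 1.0, while photo.jpeg passes the marker check with a ratio of 0. The two tests are deliberately independent, since a polyglot that prepends a real image to script text would pass the marker check but still show a high text ratio in its tail if the window were moved there; the 512-byte head is a starting point, not a limit.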
How Operation SilentCanvas Reaches You: Phishing and Fake Updates
Attackers behind Operation SilentCanvas rely heavily on social engineering to deliver their payloads. Many victims first encounter these JPEG trojan horse files through phishing messages that pose as official notices, such as Social Security Administration alerts, or as urgent software update reminders. These emails often pressure users to act quickly, encouraging them to open attached “documents” or “update images” that are actually malicious JPEGs. This tactic mirrors broader trends like the ClickFix campaign, where attackers hide shellcode inside PNG images on fake Windows Update pages. By combining believable branding, convincing language, and trusted file types, attackers significantly increase the odds that recipients will bypass caution and open the attachments. Once a user interacts with the file in a way that triggers its execution, the embedded PowerShell script can begin deploying the remote access trojan without any obvious visual cues or pop-up warnings.
Practical Steps to Detect and Block JPEG-Based PowerShell Attacks
Defending against Operation SilentCanvas and similar threats means focusing on behaviour, not file types. First, constrain PowerShell for users who do not need it: the execution policy is not a security boundary, so enforce Constrained Language Mode or an AppLocker/WDAC policy instead, and turn on script block and module logging so that every script PowerShell runs is recorded (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and can be alerted on. Keep Windows Defender (or another reputable antivirus) real-time protection on, with AMSI script scanning enabled so that content executed in memory, such as the “access.jpeg” payload, is still inspected rather than only files on disk. Use application allow-listing to stop abuse of trusted binaries such as csc.exe and ComputerDefaults.exe, which this chain abuses (ComputerDefaults.exe for the silent UAC bypass). In corporate environments, tightly control remote management tools such as ScreenConnect, allowing connections only to known, approved servers and alerting on any ScreenConnect installation outside the sanctioned path. For everyday users, never run unsolicited attachments, even when they look like images; verify the sender and context first. If you suspect exposure, reset stored credentials immediately, look for the C:\Systems and C:\ProgramData\OneDriveServer directories, remove any unknown service tied to them (the campaign's is named OneDriveServers), and check the current user's ms-settings registry key for a leftover handler.
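The two controls above that need configuration rather than a purchase are PowerShell logging and the detection logic that reads it. The script below is an added example, not code from the page: it enables script block and module logging through the policy registry keys that Group Policy writes, defines a small rule set for the behaviours this chain exhibits, and applies those rules to Event ID 4104 script block text. The rule patterns are assumptions derived from the write-up, and the sample script blocks at the end are constructed so the detection can be exercised offline without a compromised host.

```powershell
# Added example (not from the SilentCanvas write-up). Enable-PowerShellLogging needs an
# elevated session; the detection functions run as any user who can read the PowerShell
# operational log.

function Enable-PowerShellLogging {
    # Same values the Group Policy settings write; effective for new PowerShell sessions.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    New-Item -Path $mod -Force | Out-Null
    Set-ItemProperty -Path $mod -Name 'EnableModuleLogging' -Value 1 -Type DWord
    New-Item -Path "$mod\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*'
}

# Assumed indicator rules for this chain: name plus regex. A script block matching any rule is flagged.
$Script:Rules = @(
    @{ Name = 'ms-settings handler write (UAC bypass)'; Pattern = '(?i)Classes\\ms-settings\\shell\\open\\command' }
    @{ Name = 'DelegateExecute value (UAC bypass)';     Pattern = '(?i)DelegateExecute' }
    @{ Name = 'ComputerDefaults auto-elevate launch';   Pattern = '(?i)\bComputerDefaults(\.exe)?\b' }
    @{ Name = 'image-extension content passed to IEX';  Pattern = '(?i)\.jpe?g\b[^\n]*(Invoke-Expression|\bIEX\b)|(Invoke-Expression|\bIEX\b)[^\n]*\.jpe?g\b' }
    @{ Name = 'SilentCanvas install or staging path';   Pattern = '(?i)ProgramData\\OneDriveServer|C:\\Systems\b' }
)

function Test-ScriptBlockText {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($rule in $Script:Rules) {
        if ($Text -match $rule.Pattern) { $rule.Name }
    }
}

function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 5000)
    # In a 4104 event, Properties[2] holds the ScriptBlockText fragment.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $hits = @(Test-ScriptBlockText -Text $text)
            if ($hits.Count) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Rules   = ($hits -join '; ')
                    Snippet = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
}

# Constructed samples standing in for 4104 script block text (placeholders, not the
# campaign's real code). Expected: first is clean, the other three are flagged.
$samples = @(
    'Get-ChildItem C:\Users | Select-Object Name'
    'IEX ([IO.File]::ReadAllText("$env:TEMP\access.jpeg"))'
    'New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Force; Start-Process ComputerDefaults.exe'
    'New-Service -Name OneDriveServers -BinaryPathName C:\ProgramData\OneDriveServer\svc.exe'
)
foreach ($s in $samples) {
    $hits = @(Test-ScriptBlockText -Text $s)
    '{0,-8} {1}' -f ($(if ($hits.Count) { 'SUSPECT' } else { 'ok' }), $s)
    foreach ($h in $hits) { "         -> $h" }
}
```

Script block logging records the de-obfuscated text PowerShell actually compiles, which is why it catches a payload read from a .jpeg and handed to Invoke-Expression even though the file on disk looks like an image. Call Find-SuspiciousScriptBlocks on a host after logging has been enabled; the rule list is a starting point and should be extended with the ScreenConnect and service-creation patterns relevant to your environment, and enforced alongside Constrained Language Mode or WDAC, since logging alone only records the attack rather than stopping it.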
