
How Hackers Turn Image Files Into Remote Access Trojans—and How to Protect Your PC

Operation SilentCanvas: When a JPEG Is Really a Trojan

A file named sysupdate.jpeg sitting harmlessly in your Downloads folder might not be a photo at all. In Operation SilentCanvas, attackers disguise PowerShell scripts as JPEG files to launch a stealthy JPEG trojan attack on Windows PCs. These booby‑trapped files lack proper JPEG headers yet still bypass basic Windows security checks, abusing the trust users place in common image formats. Once opened or executed in the right context, the script quietly creates hidden folders and begins downloading additional malware in the background. Because the file looks like an ordinary image, users are less suspicious, and traditional filters may not flag it as dangerous. This Windows security bypass technique gives attackers a foothold on the system without raising obvious alarms. The result is a powerful remote access trojan delivered through what appears to be a simple picture.
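The post's observation that the SilentCanvas files "lack proper JPEG headers" is the cheapest thing a defender can check before anything is opened: a real JPEG begins with the SOI marker `FF D8 FF`, and a PowerShell script does not. The following is an added example written for this article, not code from the post or the campaign; the extension-to-signature table, the script-marker word list and the sample bytes are all constructed for the demo.

```python
"""Verify that a file claiming to be an image actually starts with an image
signature, and flag files whose bytes look like a script instead.

Added example for this article (not from the original post). Signature
table, script-marker list and sample data are constructed assumptions.
"""
import re
from pathlib import Path

# First bytes that a genuine file of each type must start with.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Tokens that suggest the "image" is really PowerShell. This list is an
# assumption chosen for the example, not a signature from the post.
SCRIPT_MARKERS = re.compile(
    rb"(?i)(powershell|invoke-expression|iex\b|new-item|downloadstring|"
    rb"\$env:|start-process|-encodedcommand|net\.webclient)"
)


def verify_image(name: str, data: bytes) -> dict:
    """Return a verdict for one file: its bytes versus what its name claims."""
    ext = Path(name).suffix.lower()
    expected = IMAGE_SIGNATURES.get(ext)
    if expected is None:
        return {"file": name, "verdict": "not-an-image-extension", "reason": ext}

    header_ok = any(data.startswith(sig) for sig in expected)
    script_hits = sorted(
        {m.group(1).decode("ascii", "replace").lower()
         for m in SCRIPT_MARKERS.finditer(data)}
    )

    if header_ok and not script_hits:
        verdict = "ok"
    elif not header_ok and script_hits:
        verdict = "script-disguised-as-image"   # the SilentCanvas pattern
    elif not header_ok:
        verdict = "bad-header"                  # corrupt, or some other format
    else:
        verdict = "image-with-script-strings"   # real image, worth a second look

    return {"file": name, "verdict": verdict,
            "header_ok": header_ok, "script_markers": script_hits}


def scan_directory(directory: str, max_bytes: int = 4096) -> list:
    """Apply verify_image to every file in a folder, reading only the head."""
    results = []
    for path in Path(directory).iterdir():
        if path.is_file():
            with path.open("rb") as fh:
                results.append(verify_image(path.name, fh.read(max_bytes)))
    return results


# Constructed samples: a minimal JFIF header, a script with a .jpeg name,
# and a file with an image name whose bytes match nothing we trust.
SAMPLES = {
    "holiday.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "sysupdate.jpeg": (b"New-Item -ItemType Directory -Path C:\\Systems\n"
                       b"powershell -NoProfile -File update.ps1\n"),
    "notes.jpeg": b"\x00\x00garbage",
}


def scan_samples() -> dict:
    """Verdict per constructed sample, keyed by file name."""
    return {name: verify_image(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16} {verdict}")
```

Reading only the first few kilobytes keeps the scan cheap enough to run over a whole Downloads folder; the signature test alone already separates the page's `sysupdate.jpeg` case from a genuine photo, and the marker scan explains why a header-less file was flagged.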

Inside the Multi‑Stage Attack Chain and Windows Security Bypass

Operation SilentCanvas uses a layered attack chain to turn fake images into full‑blown remote access tools. Once the disguised PowerShell script runs, it creates a C:\Systems directory and pulls down a trojanized ScreenConnect package from a remote server over TCP port 5443. A second payload named access.jpeg is then downloaded and executed entirely in memory, helping the malware in image files evade disk‑based antivirus scans. To escalate privileges, the malware hijacks the ms-settings registry key to silently launch ComputerDefaults.exe, gaining administrative rights without triggering a visible User Account Control prompt. This registry key self‑destructs within two seconds, erasing obvious traces of the Windows security bypass. By chaining fileless execution, encrypted network traffic, and abuse of trusted Windows binaries, the attackers make detection significantly harder than with conventional malware.

From Fake JPEG to Full Remote Control of Your PC

Once installed, the trojanized ScreenConnect package transforms a compromised PC into a remote access trojan platform. Deployed under C:\ProgramData\OneDriveServer\ and registered as a OneDriveServers service, it persists across reboots and runs silently in the background. Attackers gain the ability to monitor your screen in real time, log keystrokes, capture microphone and camera input, and steal clipboard data. They can also exfiltrate files over encrypted channels, enabling data theft and further compromise. With this level of control, an attacker can move laterally across a network, harvesting credentials and accessing other systems that trust the infected machine. Because the tool itself resembles legitimate remote support software, it can blend into normal IT workflows unless administrators are explicitly monitoring for unauthorized remote management activity.

How Fake Government Emails and Updates Deliver Malicious Images

Operation SilentCanvas relies heavily on social engineering to get users to open malicious image files. Phishing emails pretend to be official notices, such as messages impersonating Social Security Administration communications or urgent software update alerts. These emails often contain links or attachments labeled as documentation or update images, enticing users to download and open what looks like a harmless JPEG. Similar to other campaigns like ClickFix, which hides shellcode in PNG files on fake Windows Update pages, attackers exploit familiar brands and system prompts to reduce suspicion. Because the payload appears to be an image, users may forward it internally or store it on shared drives, helping the malware in image files spread within organizations. This combination of realistic branding and unusual file trickery makes user awareness a critical line of defense.

Practical Steps to Detect and Block JPEG Trojan Attacks

Defending against this JPEG trojan attack requires both technical controls and user habits. On the technical side, enable detailed PowerShell logging and monitor for scripts launched from unexpected file types like .jpeg. Use application whitelisting to block abuse of system binaries such as csc.exe and ComputerDefaults.exe, and tightly control remote management tools like ScreenConnect, allowing them only from known, authorized sources. On the user side, avoid downloading images or updates from untrusted links, and verify file authenticity—especially if a “photo” claims to be a system update or government notice. Keep Windows Defender and other security tools updated so new detection rules can catch emerging tactics. Email filtering, combined with regular user awareness training on phishing and suspicious attachments, significantly reduces the risk of a Windows security bypass through weaponized image files.
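The attack chain described above (the C:\Systems directory, the download over TCP port 5443, the ms-settings registry hijack launching ComputerDefaults.exe, and the OneDriveServers service under C:\ProgramData\OneDriveServer\) and the monitoring advice in this section map onto a handful of host-telemetry rules. The following is an added example for this article, not code from the post or any vendor: it runs those rules over constructed, Sysmon-style pipe-delimited event lines. The log format, the sample values (SID, IP addresses, file names under the service path) and the registry path below the ms-settings key are assumptions made for the demo; the indicators themselves are the ones the post names.

```python
"""Detection rules for the SilentCanvas-style chain, run over sample events.

Added example for this article (not from the original post). The event
format is a constructed 'Field=value|Field=value' line per event with Sysmon
event IDs (1 process create, 3 network, 11 file create, 13 registry set)
plus 7045 for a service install. All sample values are constructed.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# An image-file name used as a script argument (e.g. -File x.jpeg).
IMAGE_ARG = re.compile(r"\.(jpe?g|png|gif|bmp)(?=\s|$|[\"'])", re.I)


def parse_event(line: str) -> dict:
    """Split one constructed 'Field=value|...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the names of every rule this single event trips."""
    hits = []
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))

    if eid == "1":  # process creation
        if image in SCRIPT_HOSTS and IMAGE_ARG.search(ev.get("CommandLine", "")):
            hits.append("script-host-running-image-file")
        if image == "computerdefaults.exe" and parent in SCRIPT_HOSTS:
            hits.append("computerdefaults-spawned-by-script-host")
        if image == "csc.exe" and parent in SCRIPT_HOSTS:
            hits.append("csc-spawned-by-script-host")
    elif eid == "3":  # network connection
        if ev.get("DestinationPort") == "5443" and image in SCRIPT_HOSTS:
            hits.append("script-host-connect-5443")
    elif eid == "11":  # file create
        if ev.get("TargetFilename", "").lower().startswith("c:\\systems\\"):
            hits.append("write-under-c-systems")
    elif eid == "13":  # registry value set
        if "\\ms-settings\\" in ev.get("TargetObject", "").lower():
            hits.append("ms-settings-handler-modified")
    elif eid == "7045":  # service installed
        if (ev.get("ServiceName", "").lower() == "onedriveservers"
                or "\\programdata\\onedriveserver\\" in ev.get("ImagePath", "").lower()):
            hits.append("suspicious-remote-service-install")
    return hits


def scan(lines: list) -> list:
    """(rule, line) for every rule hit across the input lines."""
    return [(rule, line) for line in lines for rule in evaluate(parse_event(line))]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry: six events from the chain, two benign ones.
SAMPLE_EVENTS = [
    f"EventID=1|Image={PS}|CommandLine=powershell -w hidden -File C:\\Users\\alice\\Downloads\\sysupdate.jpeg|ParentImage=C:\\Windows\\explorer.exe",
    f"EventID=11|Image={PS}|TargetFilename=C:\\Systems\\access.jpeg",
    f"EventID=3|Image={PS}|DestinationIp=203.0.113.10|DestinationPort=5443",
    f"EventID=13|Image={PS}|TargetObject=HKU\\S-1-5-21-1111\\Software\\Classes\\ms-settings\\shell\\open\\command|Details=<redacted>",
    f"EventID=1|Image=C:\\Windows\\System32\\ComputerDefaults.exe|CommandLine=ComputerDefaults.exe|ParentImage={PS}",
    "EventID=7045|ServiceName=OneDriveServers|ImagePath=C:\\ProgramData\\OneDriveServer\\svc.exe",
    f"EventID=1|Image={PS}|CommandLine=powershell -File C:\\scripts\\backup.ps1|ParentImage=C:\\Windows\\System32\\taskeng.exe",
    "EventID=3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationIp=203.0.113.20|DestinationPort=443",
]


def rules_fired(lines: list = SAMPLE_EVENTS) -> set:
    """Distinct rule names tripped by the given lines."""
    return {rule for rule, _ in scan(lines)}


if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {line[:90]}")
```

Each rule on its own is noisy in some environments (port 5443 is not reserved for ScreenConnect, and csc.exe runs legitimately under build tooling), so the practical use of `scan` is correlation: several distinct rules firing for the same host within a short window is the signal that matches the chain the post describes, and the ms-settings write in particular is worth alerting on even in isolation because the key is deleted within seconds and will not be there when an analyst looks.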
