Fake JPEG file opens a hidden ScreenConnect backdoor into Windows systems

Cybersecurity researchers have identified a new and sophisticated cyberattack campaign targeting Windows systems. The operation, dubbed “Operation SilentCanvas”, uses a malicious payload disguised as a harmless JPEG image file to infiltrate victims’ systems. The primary objective of the campaign is to establish covert and persistent remote access to compromised devices.

According to the research, the attack begins with the delivery of a fake image file named “sysupdate.jpeg” to potential victims. The file is primarily distributed through phishing emails, fraudulent software update notifications or deceptive file-sharing links. Despite carrying a “.jpeg” extension, the file contains no legitimate image data. Instead, it embeds a carefully crafted PowerShell script designed to execute malicious activities covertly.

Technical analysis revealed that once executed, the script creates a hidden staging environment within the system and downloads additional malicious components from attacker-controlled servers. Researchers noted that the campaign combines multiple advanced attack techniques, making detection significantly more difficult.

In the next stage of the attack, a trojanized version of ConnectWise ScreenConnect is deployed onto the victim’s machine. Although ScreenConnect is widely used as a legitimate remote access solution across enterprise environments, the modified version functions as a hidden backdoor for threat actors while blending in with trusted software already present on the system.

Further investigation indicates that the malware is capable of obtaining elevated system privileges without generating any visible security warnings. To achieve this, the attackers employ a fileless attack technique involving manipulation of the Windows Registry and abuse of trusted system binaries to silently bypass the User Account Control (UAC) security mechanism.

To evade antivirus detection, the malware does not store malicious commands in plain text. Instead, command strings are dynamically reconstructed during execution. In addition, a secondary payload named “access.jpeg” is executed directly in memory without being written to disk, further reducing the likelihood of detection.

Researchers also reported that Microsoft’s “csc.exe” .NET compiler is leveraged to generate a custom launcher named “uds.exe” directly on the compromised machine. Since the binary is uniquely compiled on each infected device, signature-based security solutions face increased difficulty in identifying the threat.

During the later stages of the intrusion, the registry key associated with the “ms-settings” protocol is manipulated and the trusted Windows component “ComputerDefaults.exe” is abused to execute the malicious payload with administrator privileges. To eliminate forensic evidence, the registry key used during the bypass process is deleted within seconds.
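The sequence described above (a write to the ms-settings registry key, a ComputerDefaults.exe launch, then deletion of the key within seconds) is what a defender should look for in endpoint telemetry rather than in a point-in-time registry scan. As an added example that is not code from the article or from the researchers, the following Python correlates that chain over constructed Sysmon-style events; the field names, paths, SIDs and timestamps are assumed for illustration.

```python
from datetime import datetime

# Constructed Sysmon-style events for illustration, not telemetry from the article.
# EventID 13 = registry value set, 1 = process create, 12 = registry key delete.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2025-01-01 10:00:00.100",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)"},
    {"EventID": 1, "UtcTime": "2025-01-01 10:00:01.300",
     "Image": "C:\\Windows\\System32\\ComputerDefaults.exe"},
    {"EventID": 12, "UtcTime": "2025-01-01 10:00:03.900", "EventType": "DeleteKey",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\ms-settings"},
    {"EventID": 1, "UtcTime": "2025-01-01 10:05:00.000",  # unrelated benign launch
     "Image": "C:\\Windows\\explorer.exe"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def _touches_ms_settings(event):
    return "\\classes\\ms-settings" in event.get("TargetObject", "").lower()

def find_uac_bypass_chains(events, window_seconds=30):
    """One finding per ms-settings write followed by ComputerDefaults.exe within the
    window. A DeleteKey on the same path is recorded too: a point-in-time registry
    scan sees nothing once the key is gone, but the event stream keeps the sequence."""
    events = sorted(events, key=_ts)
    findings = []
    for i, write in enumerate(events):
        if write["EventID"] != 13 or not _touches_ms_settings(write):
            continue
        t0 = _ts(write)
        finding = {"writer": write["Image"], "launch": None,
                   "key_deleted": False, "seconds_to_delete": None}
        for later in events[i + 1:]:
            dt = (_ts(later) - t0).total_seconds()
            if dt > window_seconds:
                break
            if later["EventID"] == 1 and later["Image"].lower().endswith("\\computerdefaults.exe"):
                finding["launch"] = later["UtcTime"]
            elif (later["EventID"] == 12 and later.get("EventType") == "DeleteKey"
                  and _touches_ms_settings(later)):
                finding["key_deleted"] = True
                finding["seconds_to_delete"] = round(dt, 1)
        if finding["launch"]:
            findings.append(finding)
    return findings
```

In a real deployment the same correlation would run against Sysmon or EDR registry and process events, and the `writer` image (here a PowerShell process) is the pivot back to the fake “.jpeg” stage.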

Once the trojanized ScreenConnect framework becomes active, attackers gain extensive control over the infected system. Capabilities include real-time screen monitoring, video recording, microphone capture, clipboard interception, keystroke logging, and covert file transfers.

The research also highlights that additional malicious components can intercept usernames and passwords at the Windows login screen and create hidden local administrator accounts. This enables attackers to maintain long-term and persistent access to compromised environments.

During the investigation, the IP address 45[.]138[.]16[.]64, the domain legitserver[.]theworkpc[.]com and the MD5 hash value 7DD05336097E5A833F03A63D3221494F were identified as key Indicators of Compromise (IoCs) associated with the attack infrastructure. Security experts recommend blocking the identified IP address and domain at the network level.