CYFIRMA researchers said attackers are using a weaponised JPEG file to install trojanised ScreenContact remote-access malware in a new Windows campaign called “Operation SilentCanvas.”
The attack starts with a file named “sysupdate.jpeg,” distributed through phishing emails, fake software updates or deceptive file-sharing links, the researchers said.
Despite its .jpeg extension, the file contains no image data. It carries a malicious PowerShell script that creates a hidden “C:\systems” folder and downloads the malware.
CYFIRMA said the malware avoids detection by dynamically rebuilding commands, running additional files in memory, and using Microsoft’s .NET compiler tool, “csc.exe,” to create custom payloads on infected computers.
The campaign also abuses “ComputerDefaults.exe,” a trusted Windows binary, to bypass User Account Control and gain administrative privileges without triggering a visible security prompt.
After installation, attackers can remotely monitor the screen, record video, capture microphone audio, log keystrokes and transfer files.
CYFIRMA advised defenders to monitor or restrict “csc.exe,” “cvtres.exe” and “ComputerDefaults.exe,” enforce controls on remote-access tools and isolate systems showing unexpected ScreenContact activity.
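As an added illustration of the monitoring advice above (not code from CYFIRMA's report or this article), the following Python sketch applies the indicators the article names to constructed process-creation records and checks a file's leading bytes against its .jpeg extension. The event shape, the sample paths and the command lines are assumptions made for the example.

```python
"""Defender-side triage checks for the indicators described in the article (constructed example)."""
from dataclasses import dataclass

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG (JFIF/Exif) file begins with this SOI marker
COMPILERS = {"csc.exe", "cvtres.exe"}  # .NET compiler and its resource converter
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}  # interpreters that rarely need a compiler on user hosts

@dataclass
class ProcEvent:
    """Minimal process-creation record, e.g. one Sysmon event ID 1 or an EDR telemetry row (assumed shape)."""
    image: str
    parent_image: str
    command_line: str

def basename(path: str) -> str:
    """Last path component, lower-cased, so rules match regardless of install directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def image_extension_mismatch(filename: str, head: bytes) -> bool:
    """True when a file claims to be a JPEG but its first bytes are not JPEG magic (the sysupdate.jpeg trick)."""
    return filename.lower().endswith((".jpg", ".jpeg")) and not head.startswith(JPEG_MAGIC)

def flag_process(ev: ProcEvent) -> list[str]:
    """Return every detection reason that applies to one process-creation event (empty list = benign)."""
    reasons = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img in COMPILERS and parent in SCRIPT_HOSTS:
        reasons.append(f"{img} spawned by script host {parent}")
    if img == "computerdefaults.exe":
        reasons.append("ComputerDefaults.exe launched (UAC-bypass vector named in the report)")
    if "c:\\systems" in ev.command_line.lower():
        reasons.append("reference to hidden staging folder C:\\systems")
    return reasons

def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to its reasons; events with no hits are omitted."""
    return {i: r for i, ev in enumerate(events) if (r := flag_process(ev))}

# Constructed sample telemetry, not captured data: two suspicious events and one benign compiler launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"csc.exe /noconfig /out:C:\systems\stage.dll stage.cs"),
    ProcEvent(r"C:\Windows\System32\ComputerDefaults.exe", r"C:\Windows\System32\cmd.exe", "ComputerDefaults.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe", "csc.exe /noconfig app.cs"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(reasons)}")
```

Legitimate PowerShell `Add-Type` calls also compile through csc.exe, so the compiler rule should be tuned against a baseline of known administrative scripts before it is used for blocking rather than alerting.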