Beware! New cyberattack campaign uses malicious JPEG file to activate ScreenConnect backdoor

  • Marijan Hassan - Tech Journalist
  • 2 hours ago
  • 2 min read

Threat intelligence researchers at Cyfirma have uncovered a highly sophisticated, multi-stage intrusion campaign targeting Windows environments. Dubbed "Operation SilentCanvas," the attack tricks users into executing a weaponized PowerShell payload hidden behind a spoofed image file extension to deploy a persistent, unauthorized remote access backdoor.



The discovery, detailed in a research report published on May 9, 2026, highlights a growing and mature trend where threat actors weaponize trusted, legitimate Remote Monitoring and Management (RMM) tools to blend seamlessly into normal corporate network traffic.


Deceptive delivery via "sysupdate.jpeg"

The attack chain typically begins with social engineering tactics, such as targeted phishing emails, fake software update prompts, or deceptive file-sharing interactions. Victims are lured into downloading a file named sysupdate.jpeg.


While the extension implies a harmless image, static inspection by Cyfirma showed that the file lacks the JPEG magic bytes entirely: it is not an image at all, but an obfuscated PowerShell script carrying a .jpeg name. The disguise defeats controls that judge a file by its extension and persuades the victim that the download is benign. Windows will not run a .jpeg on its own, however, which is why the lure has to get the victim to execute the file rather than merely open it. A check on file content rather than file name catches the masquerade immediately: every JPEG begins with the bytes FF D8 FF.
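
The content check that exposes this masquerade, as an added example (my own code, not from the Cyfirma report): it compares the file's leading bytes against the magic number its extension implies and scans the head of the file for PowerShell tokens. It goes slightly beyond the article's case by covering PNG and GIF as well as JPEG. Both sample files are constructed; the token list is my own choice and not something the report specifies.

```python
"""Check that a file really is the image its extension claims.

Added example, not code from the Cyfirma report: compares the leading bytes
against the magic number for the claimed extension and scans the head of the
file for PowerShell tokens. Both sample files below are constructed.
"""
import os
import re

# Magic numbers for the image extensions a naive filter tends to trust
# (PNG and GIF are included alongside the JPEG case from the article).
MAGIC = {
    ".jpeg": (b"\xff\xd8\xff",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Tokens that mark the "image" as a PowerShell script instead (my own list).
SCRIPT_TOKENS = re.compile(
    rb"(?i)(Invoke-Expression|\bIEX\b|FromBase64String|Add-Type|"
    rb"-EncodedCommand|Start-Process|New-ItemProperty|DownloadString)"
)


def triage(name, data):
    """Return a verdict dict for file `name` whose contents are `data` (bytes)."""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    magic_ok = expected is not None and data.startswith(expected)

    head = data[:4096]
    # Real images are mostly non-printable; a script is almost entirely text.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
    text_ratio = printable / max(len(head), 1)
    tokens = sorted({t.decode("ascii", "ignore").lower()
                     for t in SCRIPT_TOKENS.findall(head)})

    if expected is None:
        verdict = "unknown extension"
    elif magic_ok:
        verdict = "ok"
    elif tokens or text_ratio > 0.9:
        verdict = "script masquerading as image"
    else:
        verdict = "magic mismatch"
    return {"file": name, "verdict": verdict, "magic_ok": magic_ok,
            "text_ratio": round(text_ratio, 2), "tokens": tokens}


# Constructed samples: a minimal JFIF header followed by binary filler, and a
# PowerShell stager saved as sysupdate.jpeg (the base64 decodes to "Write-Host hi").
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4
FAKE_JPEG = (b"$p = [System.Text.Encoding]::UTF8.GetString("
             b"[Convert]::FromBase64String('V3JpdGUtSG9zdCBoaQ=='))\r\n"
             b"Invoke-Expression $p\r\n")

if __name__ == "__main__":
    for name, data in (("photo.jpeg", REAL_JPEG), ("sysupdate.jpeg", FAKE_JPEG)):
        print(triage(name, data))
```

Run against a download directory, anything reported as "script masquerading as image" or "magic mismatch" is worth pulling for analysis before a user is ever asked about it; the text-ratio fallback is there so a script that avoids the listed tokens is still caught.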


Silent privilege escalation and evasion

Once the user runs the file, the intrusion framework uses fileless techniques designed to take Windows security controls apart one by one:

  • UAC and SmartScreen bypass: The malware writes to the per-user registry key that defines the handler for the ms-settings protocol (HKCU\Software\Classes\ms-settings\shell\open\command) and then launches ComputerDefaults.exe, a Microsoft-signed system binary that auto-elevates and consults that key. The command the malware planted therefore runs as administrator without a User Account Control prompt. The trick only works when the logged-on user is a member of the local Administrators group and UAC is at its default level; a standard user gains nothing from it. The script also strips the Mark-of-the-Web (the Zone.Identifier alternate data stream) from its files so that SmartScreen's reputation check never examines them.

  • On-the-fly compilation: To defeat signature-based antivirus, the script invokes csc.exe, the C# compiler that ships with the .NET Framework on every Windows installation, to build a launcher binary named uds.exe on the victim's machine. Each compile yields a fresh file whose hash no signature has seen. Note that PowerShell's own Add-Type cmdlet also spawns csc.exe, so a detection has to look at the parent process and the output location, not at the compiler alone.

  • Memory-only payloads: Secondary stages, such as the component Cyfirma names access.jpeg, are decoded and run in memory rather than saved to disk as executables, which leaves forensic investigators little to recover.


Embedding the ScreenConnect backdoor

After gaining administrative execution, the framework creates a staging directory under C:\Systems and drops a modified, trojanized build of ConnectWise ScreenConnect. ScreenConnect is a widely used remote administration tool found in IT departments worldwide, so its presence rarely raises an alarm with standard security tooling.


This rogue instance, however, opens an encrypted outbound command-and-control connection to an attacker-controlled ScreenConnect server over TCP port 8041, turning the legitimate software into an interactive backdoor. Note that 8041 is ScreenConnect's default relay port, so the port by itself is not an indicator: what separates this instance from a sanctioned deployment is the install path and a server the organization does not own.


Full system surveillance and long-term hold

Once the ScreenConnect client is active, the threat actors hold SYSTEM-level control of the infected machine. The malware's post-exploitation capabilities include:

  • Real-time screen monitoring, video recording, and microphone capture.

  • Intercepting usernames and passwords at the Windows login screen.

  • Arbitrary remote command execution and file exfiltration.

  • Creating hidden local administrator accounts to guarantee long-term persistence even if the initial loader is discovered.


Defense recommendations

Cyfirma researchers warn that the operational maturity of Operation SilentCanvas presents a severe risk to enterprise networks. Security teams are urged to isolate immediately any endpoint showing unauthorized or unexpected ScreenConnect installation activity, to audit writes to the ms-settings handler key and other registry locations used for privilege escalation, and to deploy behavioural detection rules that flag unapproved PowerShell execution paths, including PowerShell spawning csc.exe and executables running from C:\Systems.
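
The evasion steps listed earlier (the ms-settings key, ComputerDefaults.exe, csc.exe building uds.exe), the C:\Systems staging directory with its port 8041 connection, and the hunting advice above can be written down as detection rules. The following is an added example, not Cyfirma's code or the article's: five rules run over constructed Sysmon-style events (EventID 1 process creation, 3 network connection, 13 registry value set, using the field names Sysmon logs). Host names, SIDs, addresses and file names in the sample records are made up; the rule names are mine; that uds.exe and the rogue client binary sit under C:\Systems is my assumption, since the report names the directory and the file but not where the file lands.

```python
"""Detection rules for the chain described above, run over constructed
Sysmon-style events. Added example, not Cyfirma's code."""
import ntpath
from collections import defaultdict

# Per-user protocol handler that ComputerDefaults.exe resolves when it auto-elevates.
MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"
STAGING_DIR = "c:\\systems\\"       # staging directory named in the report
RELAY_PORT = 8041                   # also ScreenConnect's default relay port
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def base(path):
    """Case-folded file name of a Windows path (ntpath, so it runs on any OS)."""
    return ntpath.basename(path or "").lower()


def rule_ms_settings_hijack(e):
    """Sysmon 13: a value set under the ms-settings handler (UAC bypass setup)."""
    return e.get("EventID") == 13 and MS_SETTINGS_KEY in e.get("TargetObject", "").lower()


def rule_computerdefaults_elevation(e):
    """Sysmon 1: high-integrity child of ComputerDefaults.exe, i.e. the bypass fired."""
    return (e.get("EventID") == 1
            and base(e.get("ParentImage")) == "computerdefaults.exe"
            and e.get("IntegrityLevel", "").lower() == "high")


def rule_csc_launcher_build(e):
    """Sysmon 1: csc.exe spawned by PowerShell with an explicit /out: path.
    Add-Type also spawns csc.exe, but hands it a response file under the
    user's Temp folder, so that shape is excluded."""
    if not (e.get("EventID") == 1 and base(e.get("Image")) == "csc.exe"
            and base(e.get("ParentImage")) in {"powershell.exe", "pwsh.exe"}):
        return False
    cmd = e.get("CommandLine", "").lower()
    return "/out:" in cmd and "\\appdata\\local\\temp\\" not in cmd


def rule_exec_from_staging(e):
    """Sysmon 1: any process image under the C:\\Systems staging directory."""
    return e.get("EventID") == 1 and e.get("Image", "").lower().startswith(STAGING_DIR)


def rule_rogue_rmm_relay(e):
    """Sysmon 3: port 8041 from a ScreenConnect client outside Program Files.
    A sanctioned client uses the same port, so the path is the discriminator."""
    img = e.get("Image", "").lower()
    return (e.get("EventID") == 3
            and int(e.get("DestinationPort", 0)) == RELAY_PORT
            and (img.startswith(STAGING_DIR)
                 or ("screenconnect" in img and not img.startswith(PROGRAM_DIRS))))


RULES = {
    "ms_settings_hijack": rule_ms_settings_hijack,
    "computerdefaults_elevation": rule_computerdefaults_elevation,
    "csc_launcher_build": rule_csc_launcher_build,
    "exec_from_c_systems": rule_exec_from_staging,
    "rogue_rmm_relay_8041": rule_rogue_rmm_relay,
}
ISOLATE_ON_SIGHT = {"exec_from_c_systems", "rogue_rmm_relay_8041"}


def run_rules(events):
    """Map host name -> set of rule names that fired on that host."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e.get("Computer", "unknown")].add(name)
    return dict(hits)


def hosts_to_isolate(events):
    """Unexpected ScreenConnect activity isolates on sight; two or more
    other stages on one host are treated as the same chain."""
    return sorted(host for host, fired in run_rules(events).items()
                  if fired & ISOLATE_ON_SIGHT or len(fired) >= 2)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_EVENTS = [  # constructed records; hosts, SIDs, addresses and names are made up
    {"Computer": "WS01", "EventID": 13, "Image": PS, "TargetObject":
     r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ComputerDefaults.exe", "IntegrityLevel": "High"},
    {"Computer": "WS01", "EventID": 1, "Image": CSC, "ParentImage": PS,
     "CommandLine": r"csc.exe /nologo /out:C:\Systems\uds.exe C:\Systems\u.cs"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Systems\uds.exe", "ParentImage": PS},
    {"Computer": "WS01", "EventID": 3, "Image": r"C:\Systems\ScreenConnect.ClientService.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8041},
    # WS02: sanctioned ScreenConnect client and an Add-Type compile; nothing should fire.
    {"Computer": "WS02", "EventID": 3, "DestinationIp": "198.51.100.5", "DestinationPort": 8041,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"},
    {"Computer": "WS02", "EventID": 1, "Image": CSC, "ParentImage": PS,
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Users\bob\AppData\Local\Temp\abc123.cmdline"},
]

if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

The WS02 records are there to show the two false positives a practitioner will hit first: a legitimately installed ScreenConnect client talking to its relay on 8041, and PowerShell's Add-Type compiling through csc.exe. Neither fires a rule, while every stage on WS01 does.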
