Hackers Turn JPEGs Into Trojan Horses for Windows PCs

Fake JPEGs execute PowerShell scripts to install trojanized ScreenConnect via phishing emails targeting Windows users

By Nikshep Myle

Key Takeaways

  • Hackers disguise PowerShell scripts as JPEG files to bypass security defenses
  • Malware hijacks registry keys for silent UAC bypass within two seconds
  • Trojanized ScreenConnect enables complete surveillance through legitimate remote access tool abuse

That innocent “sysupdate.jpeg” file sitting in your downloads folder? It might be a PowerShell script in disguise. Cybersecurity researchers at Cyfirma have uncovered Operation SilentCanvas, a sophisticated campaign where attackers weaponize fake JPEG files to deploy trojanized remote access tools on Windows systems. These malicious files lack proper JPEG headers but slip past basic security checks, exploiting the trust you place in common image formats.
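The article's point that the lures lack proper JPEG headers suggests a simple content check a defender can run on a downloads folder. The following PowerShell function is an added example, not code from the article or from Cyfirma: it reads the first bytes of every .jpg/.jpeg file under a path and reports any that do not begin with the JPEG start-of-image marker (FF D8 FF). The function name, the folder path and the extension list are assumptions for illustration.

```powershell
# Added example (not from the article or Cyfirma's report): flag files that carry an
# image extension but do not start with the JPEG SOI marker FF D8 FF.
# Function name, default path and extension list are assumptions for illustration.
function Find-FakeJpeg {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Extensions = @('.jpg', '.jpeg')
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file   = $_
            $buffer = New-Object byte[] 64
            $read   = 0

            # Read only the first 64 bytes; that is enough for the magic check and a preview.
            $stream = [System.IO.File]::OpenRead($file.FullName)
            try   { $read = $stream.Read($buffer, 0, $buffer.Length) }
            finally { $stream.Dispose() }

            $isJpeg = ($read -ge 3) -and
                      ($buffer[0] -eq 0xFF) -and
                      ($buffer[1] -eq 0xD8) -and
                      ($buffer[2] -eq 0xFF)

            if (-not $isJpeg) {
                # A script disguised as an image is usually plain text, so the preview
                # makes the mismatch obvious; non-printable bytes are shown as dots.
                $preview = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read) `
                           -replace '[^\x20-\x7E]', '.'
                [pscustomobject]@{
                    Path    = $file.FullName
                    Size    = $file.Length
                    Header  = (($buffer[0..2] | ForEach-Object { $_.ToString('X2') }) -join ' ')
                    Preview = $preview
                }
            }
        }
}

# Usage: list every "image" in the current user's Downloads folder that is not a JPEG.
Find-FakeJpeg -Path (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
```

The check is deliberately strict: a genuine JPEG always starts with the SOI marker, so anything else with that extension deserves a closer look. It does not prove a flagged file is malicious, but it reproduces the header mismatch the article describes and surfaces it before anyone double-clicks.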

Multi-Stage Attack Chain Bypasses Standard Defenses

The malware creates hidden folders and downloads additional payloads through encrypted channels.

Once executed, the disguised PowerShell script establishes a C:\Systems folder and downloads a trojanized ScreenConnect package from legitserver.theworkpc[.]com via TCP port 5443. The attack doesn’t stop there—it fetches a secondary “access.jpeg” payload that runs entirely in memory, evading disk-based antivirus scans. Most cleverly, it hijacks the ms-settings registry key to trigger ComputerDefaults.exe, achieving silent UAC bypass and administrative privileges before the key self-destructs within two seconds.

Complete System Takeover Through Legitimate Tool Abuse

Attackers gain screen monitoring, keylogging, and file theft capabilities once installed.

The trojanized ScreenConnect, deployed to C:\ProgramData\OneDriveServer\, transforms your PC into a surveillance station. Attackers can:

  • Monitor your screen
  • Capture keystrokes
  • Access your microphone and camera
  • Steal clipboard contents
  • Exfiltrate files through encrypted channels

The malware establishes persistent access via an “OneDriveServers” service, ensuring it survives reboots and continues operating in the background.

Phishing Emails Deliver Fake Government Notices

Social Security Administration impersonation and fake software updates serve as common delivery methods.

These weaponized files typically arrive through phishing emails masquerading as Social Security Administration notices or software update notifications. The campaign connects to broader trends like ClickFix, which uses steganography to hide shellcode inside PNG files on fake Windows Update pages. “The campaign does not rely on a single trick but chains together multiple advanced techniques,” according to Cyfirma researchers, making detection significantly more challenging than traditional malware.

Defense Requires Behavioral Monitoring and Access Controls

Blocking specific system binaries and monitoring PowerShell activity provides essential protection.

Your best defense involves:

  • Blocking abuse of legitimate Windows binaries like csc.exe and ComputerDefaults.exe through application whitelisting
  • Enabling PowerShell logging and monitoring for suspicious script execution, especially from unexpected file types
  • Restricting or closely monitoring remote management tools like ScreenConnect in your environment

If you suspect exposure, immediately reset all stored credentials and scan for the telltale C:\Systems and C:\ProgramData\OneDriveServer directories.
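The indicators the article names (the two staging directories, the OneDriveServers service, the ms-settings registry hijack and the need for PowerShell logging) can be checked in one read-only triage pass. The script below is an added example, not code from the article or from Cyfirma. The directory, service and ComputerDefaults.exe details come from the article; the exact ms-settings registry path and the script block logging policy path are assumptions drawn from documented Windows behaviour rather than from the report, and the function name is illustrative.

```powershell
# Added example (not from the article or Cyfirma's report): read-only host triage for
# the indicators the article lists. Registry paths below are assumptions based on
# documented Windows behaviour, not values taken from the report.
function Test-SilentCanvasIndicators {
    $findings = @()

    # 1. Staging and install directories named in the article.
    foreach ($dir in 'C:\Systems', 'C:\ProgramData\OneDriveServer') {
        if (Test-Path -LiteralPath $dir) {
            $findings += [pscustomobject]@{ Indicator = 'Directory'; Detail = $dir }
        }
    }

    # 2. Persistence service named in the article, with its binary path for context.
    $svc = Get-Service -Name 'OneDriveServers' -ErrorAction SilentlyContinue
    if ($svc) {
        $path = (Get-CimInstance Win32_Service -Filter "Name='OneDriveServers'").PathName
        $findings += [pscustomobject]@{ Indicator = 'Service'; Detail = "$($svc.Status) $path" }
    }

    # 3. ms-settings handler override (assumed location: the per-user ProgID key that the
    #    documented ComputerDefaults.exe UAC bypass abuses). A clean profile does not have
    #    this key. The article says the malware deletes it within about two seconds, so
    #    its absence does not clear the host; its presence is strong evidence.
    $msSettings = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
    if (Test-Path -LiteralPath $msSettings) {
        $cmd = (Get-ItemProperty -LiteralPath $msSettings -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Indicator = 'Registry'; Detail = "$msSettings -> $cmd" }
    }

    # 4. Is script block logging enabled? Without it, an in-memory second stage such as
    #    the "access.jpeg" payload leaves little on disk for responders to find.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $enabled = (Get-ItemProperty -LiteralPath $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($enabled -ne 1) {
        $findings += [pscustomobject]@{
            Indicator = 'Config'
            Detail    = 'PowerShell script block logging is off (event ID 4104 will not be recorded)'
        }
    }

    return $findings
}

# Usage: run in an elevated PowerShell on the suspect host.
$result = @(Test-SilentCanvasIndicators)
if ($result.Count -eq 0) { 'No indicators found' } else { $result | Format-Table -AutoSize }
```

Treat a hit on any of the first three checks as confirmation rather than suspicion, and follow the article's advice to reset stored credentials. The fourth check is a configuration gap, not an infection sign, but closing it is what makes the "monitor PowerShell activity" recommendation enforceable.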
