Cybersecurity researchers at Cyfirma have uncovered a highly dangerous cyber attack in which Windows systems are being targeted through fake JPEG image files. The campaign, reportedly named “Operation Silent Canvas,” uses seemingly harmless images to secretly gain full control of infected computers.
According to the report, the attack begins when a user receives a file that appears to be a normal image, such as “sysupdate.jpeg.” While it looks like a standard JPEG file, it actually contains hidden malicious code. Once opened, it silently executes embedded PowerShell scripts that allow attackers to infiltrate the system and download additional malware.
Researchers say the malware is designed so that it does not store its harmful commands directly on the system. Instead, it generates them at runtime, making it harder for antivirus programs to detect. It then downloads another payload called “access.jpeg,” which runs directly in system memory, increasing the risk of undetected infection.
The attack becomes even more sophisticated by using Microsoft’s own .NET compiler tool, csc.exe, to create a custom launcher named “uds.exe” on the infected machine. This launcher helps maintain persistent access for attackers.
Once activated, the malware hijacks a Windows registry key linked to the ms-settings protocol and creates a hidden desktop environment where malicious activities continue without the user’s knowledge. It also installs a persistent service called “OneDriveServers,” which ensures the malware remains active even after system restarts.
Cyber experts warn that this type of attack shows how advanced modern malware has become, using legitimate system tools and hidden techniques to bypass security defenses while maintaining long-term control over infected devices.
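The behaviours described above can be checked for in endpoint telemetry. The following is an added example, not code from Cyfirma's report: it matches the file, process and service names the article mentions against simplified event records and flags a host when several distinct behaviours appear together. The event layout, the rule names and the sample data are assumptions (IDs 1 and 13 follow Sysmon's process-creation and registry-value-set numbering, 7045 is the Windows service-install event), and because the article does not give the exact registry path, the rule only looks for an "ms-settings" key component.

```python
from collections import defaultdict

# File names taken from the report; the event layout is a simplified assumption.
JPEG_NAMES = ("sysupdate.jpeg", "access.jpeg")
POWERSHELL = ("powershell.exe", "pwsh.exe")

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def match_rules(ev):
    """Return the names of the rules a single event triggers."""
    hits = set()
    if ev["id"] == 1:  # process creation
        image, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if image == "csc.exe" and parent in POWERSHELL:
            hits.add("csc_from_powershell")
        if image == "uds.exe":
            hits.add("uds_launcher")
        if image in POWERSHELL and any(n in cmd for n in JPEG_NAMES):
            hits.add("powershell_reads_jpeg")
    elif ev["id"] == 13 and "\\ms-settings\\" in ev["TargetObject"].lower():
        hits.add("ms_settings_registry_write")
    elif ev["id"] == 7045 and ev["ServiceName"].lower() == "onedriveservers":
        hits.add("onedriveservers_service")
    return hits

def triage(events, threshold=2):
    """Map each host to its distinct rule hits, keeping hosts at or above threshold."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_rules(ev)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

# Constructed sample events, not taken from the report. The registry path is an
# assumed example; the rule only looks for an "ms-settings" key component.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE = [
    {"host": "WS-01", "id": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe C:\Users\demo\Downloads\sysupdate.jpeg"},
    {"host": "WS-01", "id": 1, "Image": CSC, "ParentImage": PS},
    {"host": "WS-01", "id": 13,
     "TargetObject": r"HKCU\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"host": "WS-01", "id": 7045, "ServiceName": "OneDriveServers"},
    {"host": "DEV-02", "id": 1, "Image": CSC, "ParentImage": r"C:\BuildTools\MSBuild.exe"},
    {"host": "WS-03", "id": 1, "Image": r"C:\Users\demo\AppData\uds.exe"},
]
print(triage(SAMPLE))
```

Requiring two or more distinct hits keeps a build machine that legitimately runs csc.exe out of the results, while a lower threshold surfaces single-indicator hosts for manual review.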