
OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION

Published 10/05/2026 13:09 · Modified 11/05/2026 09:56


Essential information

Published: 10/05/2026 13:09
Modified: 11/05/2026 09:56
Tags: 2026-05-10, amsi bypass, connectwise screenconnect, credential-theft, fileless execution, lolbin abuse, powershell, surveillance, uac bypass
Related entities: 7 observables, 1 others

Description

A sophisticated multi-stage intrusion campaign was identified that leverages a weaponized payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques, including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher with Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe together with a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware installs a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...
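Detection logic for the stages named in this description, as an added example that is not part of the original report: it runs over constructed process, registry and service events (not real telemetry) and flags a script host executing a .jpeg path, csc.exe spawned by a script host, a write to the per-user ms-settings Shell\Open\command handler followed by ComputerDefaults.exe on the same host, and a service named OneDriveServers. The event field names are assumptions, not a particular sensor's schema.

```python
import re

# Constructed sample telemetry (not real logs): simplified process-creation,
# registry-set and service-install records, in the order they would be observed.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\Public\sysupdate.jpeg"},
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /target:exe stage2.cs"},
    {"host": "WS01", "type": "registry",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "details": r"powershell.exe -w hidden -File C:\Users\Public\launcher.ps1"},
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\ComputerDefaults.exe", "cmdline": "ComputerDefaults.exe"},
    {"host": "WS01", "type": "service", "name": "OneDriveServers",
     "image": r"C:\ProgramData\OneDriveServers\ScreenConnect.ClientService.exe"},
    # Benign control: csc.exe spawned by a build tool rather than a script host.
    {"host": "WS02", "type": "process", "parent": r"C:\Program Files\dotnet\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "cmdline": "csc.exe /target:library app.cs"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Per-user ms-settings protocol handler consulted by the auto-elevating ComputerDefaults.exe.
MS_SETTINGS_HANDLER = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)
IMAGE_EXT = re.compile(r"\.jpe?g\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (host, rule, evidence) tuples for each stage of the chain seen in the events."""
    hits, hijacked = [], set()  # hijacked: hosts where the handler key has been written
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image, parent = basename(ev["image"]), basename(ev["parent"])
            if image in SCRIPT_HOSTS and IMAGE_EXT.search(ev["cmdline"]):
                hits.append((host, "script_host_runs_image_file", ev["cmdline"]))
            if image == "csc.exe" and parent in SCRIPT_HOSTS:
                hits.append((host, "csc_spawned_by_script_host", ev["cmdline"]))
            if image == "computerdefaults.exe" and host in hijacked:  # key write, then auto-elevate
                hits.append((host, "uac_bypass_computerdefaults", ev["cmdline"]))
        elif ev["type"] == "registry" and MS_SETTINGS_HANDLER.search(ev["target"]):
            hijacked.add(host)
            hits.append((host, "ms_settings_handler_hijack", ev["details"]))
        elif ev["type"] == "service" and ev["name"].lower() == "onedriveservers":
            hits.append((host, "masquerading_service", ev["image"]))
    return hits
```

ComputerDefaults.exe alone is not flagged; only its launch after a handler-key write on the same host is, which keeps ordinary use of the binary out of the alert.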

External references