The threat intelligence team at CYFIRMA has uncovered a sophisticated multi-stage intrusion campaign. Attackers are currently leveraging a weaponized PowerShell payload disguised as a legitimate JPEG image to deploy a trojanized version of ConnectWise ScreenConnect, providing them with covert and persistent remote access to enterprise environments.
This campaign is a masterclass in modern evasion, proving that even the most trusted administrative tools can be repurposed for malicious ends.
The attack typically begins with social engineering, such as phishing emails or fake update lures, that tricks users into downloading a file named sysupdate.jpeg. While it looks like a harmless image, it is actually a weaponized PowerShell loader.
Static inspection by researchers confirmed that the file “is not a legitimate JPEG image because it lacks the standard JPEG magic bytes (FF D8 FF)”. Instead, it contains malicious commands designed to bypass basic file-extension filtering and execute directly on the victim’s system.
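The magic-byte check the researchers describe can be automated at a mail gateway or on a file share. The following is an added example written for this article, not code from CYFIRMA's report: it flags files whose extension claims JPEG but whose first bytes are not the JPEG start-of-image marker FF D8 FF, and separately flags those that look like script text. The token list and sample contents are constructed for illustration.

```python
# Added example (not from the CYFIRMA report): verify that a file claiming a
# .jpeg/.jpg extension really starts with the JPEG SOI marker FF D8 FF, and
# flag "images" whose leading bytes look like script text instead.
from pathlib import PurePath

JPEG_MAGIC = b"\xff\xd8\xff"
# Illustrative tokens one would not expect inside genuine image bytes
# (constructed for this example; tune to your environment).
SCRIPT_TOKENS = (b"powershell", b"invoke-expression", b"[char]", b"frombase64string")


def classify_claimed_image(name: str, data: bytes) -> str:
    """Classify a file by comparing its claimed extension with its content.

    Returns one of:
      'not-claimed-jpeg' - extension is not .jpg/.jpeg, nothing to check here
      'jpeg'             - magic bytes match the extension
      'script'           - no JPEG magic and script-like tokens in the header
      'mismatch'         - no JPEG magic, no recognised script tokens
    """
    ext = PurePath(name).suffix.lower()
    if ext not in (".jpg", ".jpeg"):
        return "not-claimed-jpeg"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    head = data[:4096].lower()  # only the leading bytes are needed for triage
    if any(tok in head for tok in SCRIPT_TOKENS):
        return "script"
    return "mismatch"


# Constructed samples (not real malware) to exercise the check offline.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_JPEG = b"$s = [char]72 + [char]105; Write-Host $s\r\n"

if __name__ == "__main__":
    for fname, content in (("photo.jpeg", REAL_JPEG), ("sysupdate.jpeg", FAKE_JPEG)):
        print(fname, "->", classify_claimed_image(fname, content))
```

A match on 'script' or 'mismatch' is a triage signal, not proof of malice; a truncated or non-JPEG image renamed by a user produces the same 'mismatch' verdict.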

Once a user is tricked into executing the “image,” the malware initiates a complex, multi-stage infection chain designed to stay under the radar.
- AMSI Bypass: To evade Windows Anti-Malware Scan Interface (AMSI), the script reconstructs suspicious commands like Invoke-Expression (IEX) on the fly. This approach “significantly reduces the likelihood of detection by static signatures, AMSI inspection engines, and conventional endpoint monitoring solutions”.
- Dynamic Compilation: In a clever “Compile After Delivery” move, the malware uses Microsoft’s legitimate .NET compiler (csc.exe) to build its own launcher, uds.exe, directly on the host. This ensures the binary has a unique hash for every infection, rendering signature-based antivirus useless.
- Fileless UAC Bypass: The malware then performs a silent privilege escalation by hijacking the ms-settings registry path and abusing ComputerDefaults.exe. This allows it to obtain elevated SYSTEM-level privileges without ever triggering a visible User Account Control (UAC) prompt for the victim.
After gaining high-level access, the malware deploys its primary payload: a modified ScreenConnect framework. This isn’t just a simple remote desktop tool; it is a full-featured surveillance engine masquerading as a legitimate service named OneDriveServers.
Static analysis revealed an extensive “Capability Matrix” that grants the attacker terrifying levels of control:
- Real-time surveillance: Screen monitoring, continuous video recording, and microphone interception.
- Credential Harvesting: Support for “Credential Provider interception, plaintext credential harvesting, and DPAPI-protected credential storage”.
- Hidden Operations: A sophisticated “Hidden Desktop” architecture that creates an entirely separate Windows shell environment. This allows attackers to operate “independently from the logged-in user session,” meaning they can move files and execute commands without the victim seeing a thing.
The campaign demonstrates high operational maturity. To protect its communications, the malware uses unique session-specific cryptographic keys, making network interception nearly impossible. CYFIRMA’s investigation concludes that this tradecraft reflects a “professionally engineered and operationally mature intrusion framework” capable of supporting long-term espionage or even ransomware deployment.