ScreenConnect malware campaign targets enterprises with fake JPEG files

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.

A ScreenConnect malware campaign named Operation SilentCanvas is targeting Windows enterprises with a deceptively simple attack vector: a fake JPEG file that contains no image data whatsoever. Researchers at Cyfirma have identified what they describe as a highly sophisticated multi-stage infection chain that weaponizes a file called sysupdate.jpeg to deploy trojanized ConnectWise ScreenConnect malware, establishing persistence and capturing sensitive data from victim organizations.

Key Takeaways

  • Operation SilentCanvas uses fake JPEG files named sysupdate.jpeg containing embedded PowerShell scripts instead of image data
  • Attack chain exploits AMSI bypass techniques and registry hijacking to achieve auto-elevation to administrator privileges without user prompts
  • Trojanized ScreenConnect enables real-time screen monitoring, video recording, microphone capture, keystroke logging, and silent file transfers
  • Over 1,300 new indicators of compromise mimicking ScreenConnect download paths have emerged since mid-April 2025
  • Campaign targets enterprises globally via phishing emails, fake software update prompts, and deceptive file-sharing links

How the ScreenConnect Malware Campaign Works

The ScreenConnect malware campaign begins with social engineering. Victims receive weaponized files through phishing emails, fake software update prompts, or deceptive file-sharing links that deliver sysupdate.jpeg. The file appears to be a legitimate image but contains no image data—instead, it holds an embedded PowerShell script that executes when opened. This initial misdirection is the campaign’s first layer of deception, exploiting user trust in file extensions and legitimate-sounding filenames.

Once executed, the PowerShell script sets up a staging environment and pulls additional malicious components from attacker-controlled servers. The real sophistication emerges in how the malware escalates privileges. The attack chain uses AMSI (Antimalware Scan Interface) bypass techniques to evade antivirus detection, then hijacks the Windows ms-settings registry protocol, redirecting it to uds.exe. This triggers ComputerDefaults.exe—a trusted Windows binary—which auto-elevates to administrator rights without prompting the user for UAC confirmation. The registry key used in this hijack is deleted within 2 seconds to erase forensic evidence.

After gaining administrative access, the malware deploys a trojanized version of ConnectWise ScreenConnect, a legitimate remote-support tool widely used in enterprises. According to Abnormal.ai researchers, attackers employ advanced deception techniques to manipulate targets into downloading ScreenConnect, creating workflows that align with end-user expectations and familiar business contexts. The trojanized variant connects to attacker-controlled servers rather than legitimate infrastructure, establishing a persistent backdoor.

What Attackers Can Do Post-Compromise

Once the trojanized ScreenConnect malware is deployed, attackers gain extensive surveillance and control capabilities. The compromised tool enables real-time screen monitoring, allowing attackers to observe victim activity as it happens. It records video from the victim’s display, captures audio through the microphone, intercepts clipboard contents, and logs every keystroke. Silent file transfers occur through an encrypted channel, meaning attackers can exfiltrate sensitive data without detection. This combination of capabilities transforms a victim’s Windows system into a fully compromised asset under attacker control.

The ScreenConnect malware campaign’s post-compromise phase is particularly dangerous because ScreenConnect itself is a digitally signed, trusted application. Enterprises often whitelist legitimate ScreenConnect clients on their networks. Attackers exploit this trust by reconfiguring legitimate clients to connect to their own command-and-control servers instead of legitimate infrastructure. This abuse of legitimate software makes detection significantly harder for security teams relying on application whitelisting or signature-based defenses.

Scale and Scope of the Campaign

The ScreenConnect malware campaign has reached significant scale. Lumu Technologies reported that over 1,300 new indicators of compromise mimicking ScreenConnect download paths and binaries have emerged since mid-April 2025. This surge suggests attackers are rapidly iterating and deploying variants across multiple infrastructure points. Threat researchers have identified specific malicious variants, including ScreenConnect version 25.2.4.9229 with a revoked certificate hardcoded to connect to a server called dof-connecttop on port 8041, hosted on an Iranian network.

The broader attack ecosystem extends beyond just the ScreenConnect malware campaign. Related campaigns targeting the same enterprises employ fake Zoom and Microsoft Teams invites, with one variant targeting more than 900 organizations. Attackers also use AI-generated phishing emails, malicious PDFs, and Canva pages hosted on Cloudflare R2 to distribute the initial payload. This diversified approach suggests a well-resourced threat actor operating at enterprise scale.

Why ScreenConnect Is a Favored Target

ConnectWise ScreenConnect became a target because of its legitimate status in enterprise environments. Unlike unknown malware, ScreenConnect is a recognized, digitally signed remote-support tool that enterprises trust and deploy widely. When attackers compromise or trojanize ScreenConnect, they inherit that trust. A patched, properly secured ScreenConnect deployment with multi-factor authentication and restricted access controls presents a much smaller attack surface than an unpatched or misconfigured instance. The ScreenConnect malware campaign exploits organizations that have not implemented these security basics, making it a highly effective attack vector against enterprises that prioritize convenience over security hardening.

What Organizations Should Do Now

Organizations using ScreenConnect should immediately verify that their instances are running fully patched versions and connecting to legitimate ConnectWise infrastructure. Disable or restrict ScreenConnect access to only necessary users and networks. Implement multi-factor authentication on all remote-access tools, including ScreenConnect. Monitor for unusual outbound connections from ScreenConnect processes, particularly to unfamiliar IP addresses or domains. Check Windows registry keys for suspicious modifications, especially those related to ms-settings protocol handlers. Threat hunters should look for rapid registry key creation and deletion patterns, which indicate the auto-elevation bypass technique used in Operation SilentCanvas.

Can the ScreenConnect malware campaign be detected?

Detection is possible but requires layered defenses. AMSI bypass techniques can be countered with behavioral monitoring that detects suspicious PowerShell execution patterns, registry hijacking, and unauthorized privilege escalation. Endpoint detection and response (EDR) tools that track process execution chains and monitor for trusted binaries like ComputerDefaults.exe being abused for elevation are effective. Network monitoring for unusual ScreenConnect connections to non-standard infrastructure is also critical. However, the 2-second registry cleanup means forensic evidence is fleeting—real-time monitoring is more effective than post-breach analysis.
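The registry-timing hunt recommended above, as an added example that is not from the article or from any of the researchers it cites: the script scans constructed Sysmon-style registry events for an ms-settings protocol-handler key that is created and then deleted again within a few seconds, the pattern the auto-elevation bypass leaves behind. The log line format, the sample values and the `HKU\<SID>\Software\Classes\ms-settings\shell\open\command` path are assumptions for illustration.

```python
import re
from datetime import datetime

# Assumed per-user ms-settings handler path (the page names the protocol, not the key).
MS_SETTINGS_RE = re.compile(r"\\Classes\\ms-settings\\", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=\d+ op=(?P<op>\w+) image=(?P<image>.+?) key=(?P<key>.+)$")

# Constructed Sysmon-style registry events (EventID 12 = key create/delete,
# 13 = value set); not real telemetry from the campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HIJACK_KEY = r"HKU\S-1-5-21-1-1-1-1001\Software\Classes\ms-settings\shell\open\command"
SAMPLE_EVENTS = [
    f"2025-04-20T10:15:01.100 EventID=12 op=CreateKey image={PS} key={HIJACK_KEY}",
    f"2025-04-20T10:15:01.250 EventID=13 op=SetValue image={PS} key={HIJACK_KEY}\\(Default)",
    f"2025-04-20T10:15:02.900 EventID=12 op=DeleteKey image={PS} key={HIJACK_KEY}",
    # Benign: an installer registers its own handler and leaves it in place.
    r"2025-04-20T11:00:00.000 EventID=12 op=CreateKey image=C:\Vendor\setup.exe key=HKLM\Software\Classes\vendorapp\shell\open\command",
]

def parse_event(line):
    """Parse one log line into a dict; None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_short_lived_ms_settings_hijacks(lines, window_seconds=5.0):
    """Flag ms-settings handler keys created and deleted again within the window."""
    # A genuine registration stays put; the abuse creates, uses, then deletes the key within seconds.
    pending = {}  # normalised key path -> its CreateKey event
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        if not MS_SETTINGS_RE.search(ev["key"]):
            continue  # unrelated registry activity
        k = ev["key"].lower()
        if ev["op"] == "CreateKey":
            pending[k] = ev
        elif ev["op"] == "DeleteKey" and k in pending:
            created = pending.pop(k)
            lifetime = (ev["ts"] - created["ts"]).total_seconds()
            if lifetime <= window_seconds:
                alerts.append({"key": ev["key"], "image": created["image"], "lifetime_s": lifetime})
    return alerts

if __name__ == "__main__":
    for a in find_short_lived_ms_settings_hijacks(SAMPLE_EVENTS):
        print(f"ALERT: {a['image']} held {a['key']} for {a['lifetime_s']:.1f}s")
```

On the constructed input only the PowerShell-created key is flagged (held for 1.8 s); the installer's handler is never deleted and so is ignored.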

How does this compare to other remote-access malware?

The ScreenConnect malware campaign stands apart because it abuses a legitimate, widely trusted tool rather than deploying unknown malware. This gives it a significant advantage over traditional RAT (remote access trojan) campaigns that rely on unknown executables. Legitimate tools are often whitelisted by security teams, making detection harder. The multi-stage infection chain—fake JPEG, PowerShell execution, AMSI bypass, registry hijacking, and auto-elevation—represents a more sophisticated approach than single-stage droppers. The use of a trusted binary (ComputerDefaults.exe) for privilege escalation is particularly clever because it bypasses UAC without user interaction, a capability that many traditional malware families lack.

The ScreenConnect malware campaign demonstrates that enterprises cannot rely on application whitelisting alone. Trust in legitimate software is a double-edged sword—it protects against unknown threats but creates vulnerability when legitimate tools are compromised. Organizations must combine application control with behavioral monitoring, network segmentation, and strict access controls on remote-support tools. The 1,300-plus indicators of compromise emerging since mid-April 2025 suggest this campaign will continue evolving, making ongoing threat intelligence and rapid patching essential for enterprise security teams.

Edited by the All Things Geek team.

Source: TechRadar
