OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION
Operation SilentCanvas is a sophisticated multi-stage intrusion campaign that uses a PowerShell payload disguised as a JPEG file to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely begins with social engineering such as phishing emails or malicious attachments. The malware sets up a staging environment, downloads additional payloads, and dynamically compiles a custom launcher using Microsoft's .NET compiler to evade detection. It abuses legitimate Windows binaries and registry hijacking to bypass User Account Control (UAC) and gain elevated privileges. Once elevated, it installs a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential theft, remote command execution, surveillance, and SYSTEM-level execution. The campaign employs fileless execution and AMSI bypass techniques to evade security controls. No known exploits in the wild or CVE identifiers are associated with this campaign, and no official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
Operation SilentCanvas is a multi-stage intrusion campaign leveraging a weaponized PowerShell payload hidden as a JPEG image (sysupdate.jpeg). Initial infection vectors likely include phishing or malicious attachments. The malware establishes a staging environment, retrieves further payloads from attacker-controlled infrastructure, and uses the legitimate .NET compiler (csc.exe) to dynamically compile a custom launcher, aiding evasion. It abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass, gaining elevated privileges without triggering typical defenses. Post-elevation, it deploys a persistent service disguised as OneDriveServers and launches a trojanized ConnectWise ScreenConnect instance modified for credential interception, remote command execution, surveillance, and SYSTEM-level code execution. The campaign uses fileless execution and AMSI bypass techniques to avoid detection. Indicators include multiple file hashes and a domain (legitserver.theworkpc.com). There is no CVE or vendor patch information, and no known exploits in the wild have been reported.
Potential Impact
The campaign enables attackers to gain covert remote access with SYSTEM-level privileges, allowing credential theft, remote command execution, and surveillance operations. The use of fileless execution and legitimate Windows binaries for privilege escalation and evasion increases the difficulty of detection and mitigation. The trojanized ConnectWise ScreenConnect instance provides a persistent backdoor for attackers. Although no known exploits in the wild are reported, the campaign poses a medium severity threat due to its sophisticated techniques and potential for extensive system compromise.
Mitigation Recommendations
No official patch or remediation guidance is currently available for this campaign. Organizations should rely on threat intelligence to detect indicators of compromise such as the provided file hashes and domain name. Since the attack relies on social engineering, user awareness training to recognize phishing attempts is recommended. Monitoring for abuse of legitimate Windows binaries (e.g., ComputerDefaults.exe, csc.exe) and for registry hijacks of the ms-settings handler may help identify suspicious activity. Because the campaign employs fileless techniques and AMSI bypass, endpoint detection and response solutions with behavioral analysis capabilities may improve detection. Patch status is not yet confirmed; check vendor advisories and threat intelligence sources for updates.
Indicators of Compromise
- domain: legitserver.theworkpc.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/
- Adversary: null
- Pulse Id: 6a008382641183db3b20fef5
- Threat Score: null
Threat ID: 6a01aa1fcbff5d8610f2b582
Added to database: 5/11/2026, 10:06:23 AM
Last enriched: 5/11/2026, 10:22:50 AM
Last updated: 5/11/2026, 7:07:14 PM