Windows Computers Targeted Through Disguised Image Files
Cybersecurity researchers at Cyfirma have uncovered a sophisticated malware campaign targeting Windows systems using fake JPEG image files to deploy hidden scripts.
The campaign, named Operation Silent Canvas, delivers a file called sysupdate.jpeg, which carries no actual image but contains a concealed PowerShell script.
Once a user receives this file, the hidden script silently activates, connects to external servers, and begins downloading additional malicious components onto the infected system.
The malware avoids detection by generating its dangerous commands at runtime rather than storing them in files that antivirus software could scan and identify.
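A file like sysupdate.jpeg, which has the image extension but no image data, can be caught by comparing its content with the JPEG signature instead of trusting the name. The Python triage function below is an added example, not code from Cyfirma's report or from the campaign. The sample contents, the function names and the keyword list are constructed assumptions, and the check goes slightly beyond the case described by also flagging files that start as a JPEG but do not end with the end-of-image marker.

```python
import codecs

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker

# Assumption: generic PowerShell markers picked for this example,
# not indicators published for the campaign.
SCRIPT_HINTS = ("powershell", "invoke-expression", "iex ", "frombase64string",
                "new-object", "downloadstring", "$env:")

def decode_text(data):
    """Return the decoded text if the bytes look like text, otherwise None."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        try:
            return data.decode("utf-16")   # PowerShell scripts are often UTF-16 with a BOM
        except UnicodeDecodeError:
            return None
    try:
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if text and printable / len(text) > 0.95 else None

def classify_jpeg_claim(name, data):
    """Compare a file's claimed JPEG extension with what its bytes actually are."""
    if not name.lower().endswith((".jpg", ".jpeg")):
        return "not-claimed-jpeg"
    if data.startswith(JPEG_SOI):
        ends_ok = data.rstrip(b"\x00").endswith(JPEG_EOI)
        return "jpeg" if ends_ok else "jpeg-trailing-or-truncated"
    text = decode_text(data)
    if text is None:
        return "non-image-binary"
    if any(hint in text.lower() for hint in SCRIPT_HINTS):
        return "script-disguised-as-jpeg"
    return "text-disguised-as-jpeg"

# Constructed sample inputs; none of these bytes come from the real campaign files.
SAMPLES = {
    "holiday.jpeg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI,
    "sysupdate.jpeg": "Write-Output 'constructed sample'; "
                      "powershell -NoProfile -Command Get-Date".encode("utf-16"),
    "padded.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + JPEG_EOI + b"Get-Date",
    "notes.jpg": b"meeting notes for tuesday\n",
    "blob.jpeg": bytes([0x4D, 0x5A, 0x90, 0x00]) + b"\x00" * 8,
}

if __name__ == "__main__":
    for sample_name, sample_bytes in SAMPLES.items():
        print(f"{sample_name:16} {classify_jpeg_claim(sample_name, sample_bytes)}")
```

In a mail gateway or download-scanning pipeline, any verdict other than `jpeg` for a file named as an image is worth quarantining or logging for review.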
Secondary Payload and Custom Launcher
A second disguised file, access.jpeg, is then downloaded and executed directly inside the computer’s memory, leaving no trace on the hard drive for security tools to find.
Microsoft’s own compiler, csc.exe, part of the .NET Framework, is then used to build a custom executable called uds.exe directly on the victim’s machine.
This launcher activates further malicious operations and hijacks the Windows registry key linked to the ms-settings protocol, gaining deep system access.
Hidden Environment and Persistence
The malware then creates a concealed desktop environment that runs invisibly in the background, continuing harmful operations without triggering any visible alerts to the user.
To survive system restarts, the attackers also install a persistent Windows service named OneDriveServers, which disguises itself as a legitimate Microsoft background process.
This service ensures the malware remains active after every reboot, maintaining the attacker’s uninterrupted remote control over the compromised Windows computer.





