{
  "name": "OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION",
  "slug": "operation-silentcanvas-jpeg-based-multistage-powershell-intrusion",
  "description": "A sophisticated multi-stage intrusion campaign was identified that leverages a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The initial access vector is not confirmed but likely involves social engineering, such as phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and compiles a custom launcher at runtime with Microsoft's legitimate .NET compiler (csc.exe), a living-off-the-land technique used to evade detection. The intrusion abuses ComputerDefaults.exe together with a hijacked ms-settings registry key to perform a fileless UAC bypass and obtain elevated privileges; although no file is dropped for this step, the registry modification itself is a detectable artifact that defenders can monitor. Once elevated, the malware installs a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...",
  "published": "2026-05-10T11:09:22+00:00",
  "created_at": "2026-05-10T11:09:22+00:00",
  "modified_at": "2026-05-11T07:56:49+00:00",
  "created_at_opencti": "2026-05-10T11:09:22+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-10",
    "amsi bypass",
    "connectwise screenconnect",
    "credential-theft",
    "fileless execution",
    "lolbin abuse",
    "powershell",
    "surveillance",
    "uac bypass"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "a635f0c94c98b658ae799978994f0d0a292567cd97b8a19068a8423d1297652a"
      },
      {
        "id": "",
        "name": "7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3"
      },
      {
        "id": "",
        "name": "e4c9f3bb4a65c640795bfc1a56c0b56485b849ccd97027eed7ad9aa78a732a4f"
      },
      {
        "id": "",
        "name": "cea1d85967d2c456fccecae3a70ff2adfe4c113aacf9d18c35906c2ed24ca9b4"
      },
      {
        "id": "",
        "name": "ee3d776cdaf82335e4293e19ee313cc35eee49cde9963b96766a8f9c89d44a79"
      },
      {
        "id": "",
        "name": "ecd5ed16975d556d1d17bc980f248f8a5262bed11df9d9cf999efd9c273c11df"
      },
      {
        "id": "",
        "name": "4d8ac85c5b98c69ba44146df61183e9bf613edd796aa516c3ae73611b7d77c06"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "legitserver.theworkpc.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a008382641183db3b20fef5",
    "https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/"
  ]
}