CYFIRMA Research
Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.
CYFIRMA Research: Operation SilentCanvas – JPEG-Based Multi-Stage PowerShell Intrusion
CYFIRMA Research conducted an in-depth technical investigation into a multi-stage intrusion campaign that delivers a weaponized PowerShell payload disguised as a legitimate “.jpeg” image file and uses it to deploy a trojanized ConnectWise ScreenConnect instance for covert, persistent remote access.
Key highlights from the research:
• Weaponized JPEG-based PowerShell loader
• AMSI bypass & multi-layer obfuscation
• Dynamic .NET compilation via csc.exe
• Fileless UAC bypass abusing ComputerDefaults.exe
• Trojanized ScreenConnect deployment
• LOLBin abuse & stealth-focused persistence
• DPAPI-protected credential handling
• Hidden desktop architecture for covert operations
• Encrypted PBKDF2/HMAC-SHA256 C2 communication
• Extensive surveillance & SYSTEM-level execution capabilities
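The first four highlights above describe a process and registry chain a defender can hunt for: a script host reading and executing a file with an image extension, csc.exe compiling on the fly with PowerShell as its parent, a per-user write to the ms-settings handler key that ComputerDefaults.exe consults when it auto-elevates, and ComputerDefaults.exe then being launched by the process that staged that key. The example below is added here and is not code from the CYFIRMA report; it runs four such rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) written for this example, and the paths, PIDs and command lines are invented rather than taken from the campaign.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed Sysmon-style events written for this example (not report telemetry).
# id 1 = process create, id 13 = registry value set.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "pid": 100, "ppid": 50, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -nop -w hidden -ep bypass -c "IEX (Get-Content C:\Users\u\Downloads\photo.jpeg -Raw)"'},
    {"id": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\x1.cmdline"'},
    {"id": 13, "pid": 200, "ppid": 100,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "details": r"powershell.exe -nop -w hidden -File C:\Users\u\AppData\Roaming\s.ps1"},
    {"id": 13, "pid": 200, "ppid": 100,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "details": "(Empty)"},
    {"id": 1, "pid": 400, "ppid": 200,
     "image": r"C:\Windows\System32\ComputerDefaults.exe", "cmd": "ComputerDefaults.exe"},
    # Benign control: a normal image open that must not be flagged.
    {"id": 1, "pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe photo.jpeg"},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")
IMAGE_EXT = re.compile(r"\.jpe?g\b", re.IGNORECASE)
SCRIPT_EXEC = re.compile(
    r"\b(iex|invoke-expression|get-content|downloadstring|frombase64string)\b", re.IGNORECASE)
# Per-user handler key consulted by the auto-elevating ComputerDefaults.exe (generic
# UAC-bypass mechanism; the report's exact values are not reproduced here).
MS_SETTINGS_KEY = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings in event order.

    Events are processed in sequence so that later stages can use the context
    built from earlier ones (parent image names, prior registry writes).
    """
    image_by_pid: Dict[int, str] = {}
    hijack_writers: Set[int] = set()  # pids that wrote the ms-settings handler key
    findings: List[Tuple[str, int]] = []
    for ev in events:
        if ev["id"] == 1:
            name = basename(ev["image"])
            image_by_pid[ev["pid"]] = name
            parent = image_by_pid.get(ev["ppid"], "")
            cmd = ev["cmd"]
            # Stage 1: a script host told to read/execute a file that claims to be an image.
            if name in SCRIPT_HOSTS and IMAGE_EXT.search(cmd) and SCRIPT_EXEC.search(cmd):
                findings.append(("jpeg_as_powershell_script", ev["pid"]))
            # Stage 2: on-the-fly .NET compilation spawned by a script host.
            if name == "csc.exe" and parent in SCRIPT_HOSTS:
                findings.append(("csc_spawned_by_powershell", ev["pid"]))
            # Stage 4: auto-elevating LOLBin launched by the process that staged the hijack.
            if name == "computerdefaults.exe" and ev["ppid"] in hijack_writers:
                findings.append(("computerdefaults_uac_bypass", ev["pid"]))
        elif ev["id"] == 13 and MS_SETTINGS_KEY.search(ev["target"]):
            # Stage 3: per-user ms-settings handler hijack; report each writer once.
            if ev["pid"] not in hijack_writers:
                hijack_writers.add(ev["pid"])
                findings.append(("ms_settings_handler_hijack", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Stage 4 deliberately keys on the parent having written the handler key rather than on ComputerDefaults.exe alone, since the binary is launched legitimately from Settings; the same linkage (writer pid to launching parent) is what you would join on in a SIEM query against real Sysmon or EDR telemetry.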
This campaign reflects the growing trend of threat actors weaponizing legitimate RMM platforms for stealthy enterprise compromise, credential theft, persistence, and potential ransomware staging.
Link to the Research Report: https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/