Back to Intelligence

TrojPix: Mitigating RF Data Exfiltration from Air-Gapped Systems

SA
Security Arsenal Team
July 6, 2026
7 min read

Introduction

The concept of the "air gap" remains a gold standard for isolating critical systems—such as Electronic Medical Records (EMR), industrial control systems (ICS), and nuclear command centers—from the public internet. However, research released by Shandong University in July 2026 demonstrates that physical isolation is no longer a guarantee of data silence. The new technique, dubbed TrojPix, allows attackers to bridge the air gap using the very hardware designed to visualize data: the monitor and its video cable.

TrojPix is not a remote code execution vulnerability; it is an exfiltration channel. It becomes viable only after an endpoint is compromised via initial access vectors (supply chain, insider threat, or physical breach). Once present, the malware modulates screen pixels in a way invisible to the human eye, causing the video cable (HDMI/VGA) to emit electromagnetic radio signals. A nearby receiver can decode these signals to reconstruct sensitive data. For defenders, this highlights a critical blind spot: standard EDR detects the malware, but it does not flag the physical leakage of data.

Technical Analysis

  • Affected Platforms: Any workstation or server using standard video cabling (HDMI, VGA, DVI) connected to a monitor. High-risk environments include healthcare imaging servers, SCADA controllers, and secured government terminals.
  • The Attack Chain:
    1. Initial Compromise: Malware is introduced to the air-gapped system (via USB, rogue insider, or infected update).
    2. Pixel Modulation: The malware manipulates the red color component of specific pixels on the screen. These changes are rapid and visually imperceptible.
    3. RF Emission: The video cable transmits these pixel changes. The rapid switching creates electromagnetic noise that varies based on the pixel data (binary modulation).
    4. Capture: A receiver (e.g., a smartphone or SDR) placed near the cable captures the RF signal.
    5. Decoding: The signal is demodulated to recover the exfiltrated files (e.g., encryption keys, credentials).
  • Exploitation Status: Currently demonstrated in a research setting by Shandong University. While no active in-the-wild campaign using TrojPix has been confirmed as of July 2026, the TTP (Technique, Tactics, Procedure) is highly accessible to sophisticated nation-state actors and advanced persistent threats (APTs) targeting high-value air-gapped networks.
  • CVE: No specific CVE exists for this technique, as it exploits the fundamental physics of analog video signaling rather than a software bug.

Detection & Response

Because TrojPix relies on malware already residing on the host, detection must focus on the precursor behaviors: unauthorized screen manipulation and process injection into the graphics subsystem.

SIGMA Rules

The following Sigma rules detect behaviors associated with malware attempting to manipulate the display buffer or inject into the Desktop Window Manager (dwm.exe) to facilitate pixel-based exfiltration.

YAML
---
title: TrojPix - Process Injection into Desktop Window Manager
id: 89c3b123-45d6-7e8f-90a1-b2345678c9d0
status: experimental
description: Detects potential process injection into dwm.exe, often required to hook display calls for optical channel exfiltration like TrojPix.
references:
  - https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.defense_evasion
  - attack.t1055.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    TargetImage|endswith: '\dwm.exe'
    GrantedAccess|contains:
 - 'PROCESS_VM_WRITE'
      - 'PROCESS_CREATE_THREAD'
falsepositives:
  - Legitimate system utilities interacting with window manager
level: high
---
title: TrojPix - Suspicious Graphics Driver Interaction
id: 1a2b3c4d-5e6f-7890-1234-56789abcdef0
status: experimental
description: Detects non-system processes loading critical graphics DLLs (gdi32.dll, dxgi.dll) which may indicate hooking for pixel manipulation.
references:
  - https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.collection
  - attack.t1113
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|contains:
      - '\gdi32.dll'
      - '\dxgi.dll'
      - '\opengl32.dll'
  filter:
    Image|contains:
      - '\System32\'
      - '\SysWOW64\'
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not filter
falsepositives:
  - Legacy applications or custom imaging software
level: medium
---
title: TrojPix - CLI Screen Capture Utilities
id: f1e2d3c4-b5a6-7890-cdef-1234567890ab
status: experimental
description: Detects command-line usage of common screen capture or manipulation tools often used in staging for exfiltration.
references:
  - https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.collection
  - attack.t1113
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'screenshot'
      - 'capture-screen'
      - 'pixelseek'
      - 'ImageMagick'
falsepositives:
  - Authorized administrative troubleshooting
level: low

KQL (Microsoft Sentinel)

Use this KQL query to hunt for processes accessing video device handles or creating remote threads in graphics processes.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ActionType == "ProcessInjection" or ActionType == "RemoteThreadCreated"
| where TargetProcessFileName =~ "dwm.exe" or TargetProcessFileName =~ "explorer.exe"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, TargetProcessFileName
| order by Timestamp desc

Velociraptor VQL

Hunt for processes holding handles to video devices or querying display settings, which is a prerequisite for manipulating pixels.

VQL — Velociraptor
-- Hunt for processes accessing display/video devices
SELECT Pid, Name, Exe, CommandLine, 
       foreach(split(string=Handles.Handles.Name, sep=","), x={ 
           if(condition=~ x =~ "Video" or x =~ "Display", then=x, else="")
       }) as VideoHandles
FROM pslist()
WHERE VideoHandles

Remediation Script (PowerShell)

Since there is no software patch for RF leakage, remediation involves verifying driver integrity and auditing physical security zones. This script verifies the digital signatures of critical display drivers to ensure they haven't been replaced by malicious modules.

PowerShell
<#
.SYNOPSIS
    Audit graphics drivers for integrity as part of TrojPix defense.
.DESCRIPTION
    Checks the digital signature of display drivers and ensures 
    no unauthorized unsigned drivers are loaded in the graphics stack.
#>

Write-Host "[+] Initiating Graphics Driver Integrity Check..." -ForegroundColor Cyan

# Get display drivers via WMI
$displayDrivers = Get-WmiObject Win32_VideoController

foreach ($driver in $displayDrivers) {
    $driverPath = $driver.InstalledDisplayDrivers
    Write-Host "[+] Checking Driver: $($driver.Name)" -ForegroundColor Yellow
    
    if ($driverPath -and (Test-Path $driverPath)) {
        $sig = Get-AuthenticodeSignature -FilePath $driverPath
        
        if ($sig.Status -ne 'Valid') {
            Write-Host "[!] ALERT: Unsigned or Invalid Signature Detected at $driverPath" -ForegroundColor Red
            # In a real IR scenario, trigger an alert here
        } else {
            Write-Host "[OK] Signature Valid: $($sig.SignerCertificate.Subject)" -ForegroundColor Green
        }
    }
}

# Check for unsigned DLLs loaded into dwm.exe (Desktop Window Manager)
Write-Host "[+] Scanning unsigned DLLs in dwm.exe process space..." -ForegroundColor Cyan

$dwmProcess = Get-Process dwm -ErrorAction SilentlyContinue
if ($dwmProcess) {
    $modules = $dwmProcess.Modules
    foreach ($mod in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $mod.FileName -ErrorAction SilentlyContinue
        if ($sig.Status -eq 'NotSigned' -and $mod.FileName -notlike "*C:\Windows\System32*" -and $mod.FileName -notlike "*C:\Windows\WinSxS*") {
            Write-Host "[!] Suspicious Unsigned DLL in dwm.exe: $($mod.FileName)" -ForegroundColor Red
        }
    }
} else {
    Write-Host "[-] dwm.exe not running." -ForegroundColor Gray
}

Write-Host "[+] Audit Complete." -ForegroundColor Cyan


**Remediation**

1.  **Zero Trust Physical Security:** Since TrojPix requires a receiver near the cable, enforce strict "No Personal Devices" policies in secure zones. Ensure air-gapped systems are located in RF-shielded rooms (Faraday cages) or where physical access to the cabling is impossible.
2.  **Software Allowlisting:** The primary vector for TrojPix is the initial malware. Ensure strict application allowlisting (e.g., AppLocker, Windows Defender Application Control) is active on all air-gapped endpoints to prevent the execution of the malware required to drive the pixel modulation.
3.  **Driver Integrity Monitoring:** Regularly audit the signature integrity of graphics drivers (`gdi32.dll`, `dxgi.dll`, vendor-specific driver files). Tampering with these drivers is a necessary step for advanced pixel manipulation.
4.  **Cable Hygiene:** Where possible, use high-quality, heavily shielded fiber optic cabling (HDMI Fiber) which does not emit electromagnetic radiation in the same way as copper cables. If using copper, ensure ferrite chokes are installed and undamaged.
5.  **Endpoint Detection:** Deploy the Sigma rules provided above to detect process injection into `dwm.exe` or suspicious loading of graphics libraries by unauthorized processes.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachtrojpixair-gap-securityside-channel-attackdata-exfiltrationdfir

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.