
Investigators discovered a new malware campaign that uses gigapixel images from the James Webb Space Telescope to deliver malware to target computers.

The James Webb Space Telescope (JWST) was launched after more than two decades of planning and development. It is a turning point for astronomy, but sadly it also provides opportunities for cybercriminals.

Researchers discovered a new ransomware operation that disguises its attack modules as attractive Webb telescope images to increase the chances that victims open the malware.

How does malware spread?

According to experts, the malware spreads through emails carrying a malicious attachment. When the recipient opens the attached file with macros enabled, an encrypted VBA macro runs; once executed, it retrieves the image data.

The image appears to be the telescope's first gigapixel photo. In reality, it hides a Base64-encoded payload. The payload readily evades antivirus detection and uses Golang encryption functions while spreading through the system.
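As an added illustration of how a defender can check for this kind of carrier file (example code written for this page, not from the original report or from Securonix), the script below walks a JPEG's segment structure, reports any bytes appended after the end-of-image marker, and tests whether that tail is Base64 that decodes to a Windows executable. The image bytes and the "executable" are constructed stand-ins, not real files.

```python
import base64
import re

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

# Constructed minimal JPEG: SOI, APP0/JFIF, a tiny SOS scan containing one
# stuffed 0xFF00 byte, then EOI. Not a real picture; enough to exercise the walker.
CLEAN_IMAGE = (SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34" + EOI)
# Constructed stand-in for an appended Base64-encoded executable: only the "MZ"
# magic is meaningful, the rest is filler, not a real binary.
FAKE_PE = b"MZ" + b"\x00" * 14 + b"constructed-filler"
SUSPECT_IMAGE = CLEAN_IMAGE + base64.b64encode(FAKE_PE)

def jpeg_end_offset(data: bytes) -> int:
    """Walk the segment structure and return the offset just past the EOI marker.
    Segments are skipped by their declared length, so an EXIF thumbnail (which has
    its own SOI/EOI inside an APP1 segment) does not end the walk early."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI: end of the real image
            return pos + 2
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:     # RSTn/SOI/TEM carry no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                               # SOS: entropy-coded data follows
            while pos + 1 < len(data):                   # FF00 is stuffing, FFD0-D7 are restarts
                nxt = data[pos + 1]
                if data[pos] == 0xFF and not (nxt == 0 or 0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def inspect_image(data: bytes) -> dict:
    """Report data appended after EOI and whether it is Base64 hiding a PE file."""
    tail = data[jpeg_end_offset(data):].strip()
    verdict = {"trailing_bytes": len(tail), "base64_tail": False, "decodes_to_pe": False}
    if tail and B64_RE.fullmatch(tail):
        verdict["base64_tail"] = True
        try:
            decoded = base64.b64decode(tail, validate=True)
        except ValueError:
            return verdict
        verdict["decodes_to_pe"] = decoded.startswith(b"MZ")
    return verdict
```

Run `inspect_image()` over attachments pulled from mail quarantine; a non-zero `trailing_bytes` on an image is worth a closer look even when the tail is not Base64.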

Remote access

Victims report they were unaware that the image carried Base64-encoded malware. The malware in the image causes significant harm to systems. Moreover, once the ransomware has thoroughly established itself, it copies itself to new files and keeps altering default settings to ensure its survival.

According to security firm Securonix, the ransomware gives the attacker remote access to the machine. The researchers found the malware using random scanning procedures, a standard method for evaluating a system for various forms of attack.

Prevention

There are a few straightforward ways to avoid this malware variant. Users should not open any files attached to suspicious emails, even non-executable files such as images. Disabling Office macros is effective, because malware is routinely loaded through them.

Tip: Ransomware is an APT, so treat it as such.