TrojPix Attack: Megabit Data Theft from Air-Gapped PCs via Video Cables

🔒 Cyber Security Analysis

The Mechanics of the TrojPix Exploit

How researchers turned video cables into high‑speed radio transmitters — breaking the air‑gap at 8.1 Mbps.
⚡ 8.1 Mbps 📡 208 m
Published · 2026 · Air‑Gap Security Research
TrojPix attack diagram showing air-gap exploitation
Figure 1: TrojPix attack concept — malware manipulates pixels to radiate data via video cable. 📷 Reference: Shandong University Research

Researchers at Shandong University have engineered a fast new mechanism to extract data from computers intentionally isolated from all network connectivity. This air‑gap attack, designated TrojPix, leverages the inherent physical properties of display hardware to establish a covert communications channel.

⚡ Sponsored Recommendation
Secure Your Air‑Gapped Environment
Discover next‑gen monitoring solutions that detect emission‑based exfiltration attempts before they breach your perimeter.
🔒 Explore Protection →

Imperceptible Pixel Modulation

The core methodology relies on a technique the researchers identify as imperceptible pixel modulation. By manipulating the on‑screen pixels in microscopic, visually undetectable ways, the malware forces the attached video cable to radiate a faint, highly specific radio frequency signal. A nearby receiver equipped to read these specific electromagnetic emanations can then decode the broadcasted data.

TrojPix logo / visual representation
📷 TrojPix — visual concept

This approach transforms standard computer peripherals into ad‑hoc radio transmitters. Unlike conventional network breaches that rely on IP protocols, routing tables, or active internet connections, TrojPix exploits the analog reality of digital hardware. Every electrical pulse traveling down a copper wire generates a corresponding electromagnetic field. By carefully timing the rendering of specific pixel patterns on the host monitor, the malware shapes these microscopic electrical surges inside the video cable into structured data packets.

Because the pixel variations occur below the threshold of human visual perception, operators working directly in front of the infected machine remain unaware that their workstation is actively broadcasting sensitive files to an outside observer.

⚡ Key Insight: A computer must send data to its monitor to be usable. By hiding the transmission mechanism inside this unavoidable hardware requirement, the attack subverts the fundamental premise of air‑gapped security. The isolated system, fully disconnected from Wi‑Fi, Bluetooth, or Ethernet, is forced to communicate through the very cables designed solely for local video output.

Bypassing Administrative Constraints

🔓 No Admin Rights

Zero‑Privilege Execution

The exploit requires absolutely no hardware modifications to the target machine and demands zero administrator rights to execute. Standard user‑level malware containing the ability to draw content to the screen is sufficient to initiate the data exfiltration process.

🛡️ Evades Detection

Standard API Usage

Because the attack leverages standard graphic APIs available to normal applications, heuristic defense mechanisms are less likely to flag the activity as malicious. The malware avoids interacting with sensitive system files or attempting unauthorized network connections — it simply renders images.

This low‑privilege requirement drastically alters the threat modeling for isolated environments. If an attacker manages to introduce malware into an air‑gapped system — perhaps via a compromised supply chain or an infected USB drive — they do not need to escalate privileges to begin extracting data. The malware simply operates within the confined permissions of a standard user account, rendering graphics to the display buffer just as a word processor or web browser would.

Throughput and Range Dynamics

📡 Boost Your Security Posture
Real‑Time Emission Monitoring
Deploy advanced RF sensors that detect anomalous electromagnetic activity — before data leaves your facility.
📡 Learn More →

Achieving Megabit Speeds in Isolated Environments

Historically, covert channels targeting air‑gapped systems have suffered from severe bandwidth limitations. These methods typically crawl along at a few bits or kilobits per second, restricting their practical use to leaking small text files, cryptographic keys, or passwords. TrojPix shatters this limitation.

8.1
Mbps peak throughput
208
meters max range
100
MB in under 2 min

Operating at megabit speeds elevates TrojPix from a specialized espionage tool capable of stealing credentials into a viable mechanism for mass data theft. At 8.1 Mbps, an attacker can extract a 100‑megabyte file — such as a database of proprietary schematics, classified intelligence reports, or compiled source code — in under two minutes.

The 208‑Meter Transmission Threshold

Alongside its unprecedented speed, TrojPix demonstrated a formidable maximum transmission range of 208 meters. This distance allows an attacker to operate a receiving antenna well outside the physical perimeter of a targeted facility. In scenarios involving secure corporate offices or government installations, a 208‑meter radius extends far beyond the walls of the building, potentially reaching public streets, neighboring buildings, or parked vehicles where surveillance equipment can be safely concealed.

📊 Trade‑off: The researchers noted that the peak throughput of 8.1 Mbps and the maximum range of 208 meters were measured separately, not simultaneously. Pushing the signal to its maximum distance likely involves reducing the data rate to ensure signal integrity, while achieving peak megabit speeds requires the receiver to be positioned closer to the emitting source.

Stealth Strategies for Unnoticed Exfiltration

🖥️ Stealth Mode

Faking a Powered‑Off Display

The malware manipulates the screen to appear entirely black, mimicking a monitor that has gone to sleep. While the screen appears dormant, the underlying pixel modulation continues at full speed, actively broadcasting data. This capitalizes on the human habit of leaving computers running while stepping away.

🌀 Active Camouflage

Burying Signals in Ordinary Content

When a dark screen is not viable, TrojPix buries the transmission signal directly within legitimate on‑screen activity. The malware slightly alters color values, contrast, or refresh timing of pixels displaying ordinary content — spreadsheets, documents, or menus — so the user sees nothing unusual.

Operating under the guise of a powered‑off display allows TrojPix to maximize its 8.1 Mbps throughput without concerning itself with visual artifacts. The imperceptible modulation techniques can be applied across the entire display canvas without competing with legitimate user applications for screen space. This uninterrupted, full‑screen transmission window is what enables the rapid extraction of large files, turning routine coffee breaks or shift changes into severe security liabilities.

Burying the signal in active content ensures a persistent, albeit potentially slower, exfiltration channel. It eliminates the need for the malware to wait for specific environmental triggers, allowing for a steady trickle of data extraction throughout the entire workday. The combination of these two stealth methods provides TrojPix with a highly adaptable and evasive operational profile.

Hardware Compatibility and Threat Surface

🖥️ Universal

Across 9 Monitor Brands

The researchers successfully tested TrojPix across nine different monitor brands and fifteen distinct video cables. This broad compatibility indicates the vulnerability is tied to the fundamental physics of digital video transmission, not a specific manufacturer flaw.

🔌 Copper Vulnerability

The Physical Medium

Whether utilizing HDMI, DisplayPort, VGA, or DVI standards, copper cables transmit data via electrical signals. High‑frequency data inevitably generates electromagnetic interference (EMI). TrojPix specifically exploits this unavoidable leakage, turning the copper wire into an unintentional broadcast antenna.

This agnostic operational capability drastically expands the potential threat surface. Government agencies, military contractors, and financial institutions employ a massive variety of hardware configurations across their isolated networks. TrojPix's ability to function reliably across these varied setups means attackers do not need to tailor their malware to the specific make and model of the target's workstation. A single, standardized payload is sufficient to execute the attack across a widely heterogeneous hardware environment.

Historical Precedents in Covert Channels

Legacy
TEMPEST
NSA codename for compromising emanations research since the mid‑20th century.
2024
PIXHELL
Acoustic emissions from display components — sound‑based air‑gap channel.
2025
TEMPEST‑LoRa
Video cable emanations to LoRa radios — 87.5 m, 21.6 kbps.

TrojPix represents a modern, highly optimized evolution of the TEMPEST concept. While traditional TEMPEST surveillance involves passively monitoring the natural, unavoidable emissions of a device, TrojPix actively manipulates the target machine via malware to intentionally generate strong, specific emissions. It transitions the field of compromising emanations from a passive surveillance technique into an active, controllable data exfiltration vector.

Compared to its predecessors, TrojPix represents a massive leap in capability. Its peak throughput is hundreds of times higher than TEMPEST‑LoRa, shifting the paradigm from slow credential theft to rapid, bulk data exfiltration. The progression from 21.6 kbps in 2025 to 8.1 Mbps in 2026 illustrates the rapid maturation of emission‑based covert channels.

Practical Real‑World Implications

It is essential to distinguish between controlled academic research and verified cyber warfare operations. Currently, emission channels like TrojPix remain firmly in the domain of laboratory work. The air‑gap attacks that have historically surfaced in the wild have relied on entirely different physical mechanisms. TrojPix and its contemporaries serve as proof‑of‑concept demonstrations. They map the boundaries of what is physically possible, rather than documenting what has already been intercepted by incident response teams.

⚠️ The Silent Threat: Emission‑based data exfiltration is inherently invisible to traditional logging and network monitoring tools. If a nation‑state utilized a TrojPix‑style attack to siphon data from a secure facility, the victim organization would likely find zero digital evidence of the exfiltration within their server logs or firewall traffic. The covert nature of the channel means actual deployment in the wild could go undetected for years.

The Shift from USB Dependency

Historically, bridging the air gap in real‑world scenarios has heavily relied on physical media. The most famous examples — the Stuxnet worm and the Agent.BTZ infection — both relied on infected USB flash drives to cross the physical perimeter. These attacks required physical hardware to move data in and out of the isolated environment.

TrojPix fundamentally avoids these hardware dependencies. While it still requires malware to be introduced to the system initially (a step that might still involve a USB drive or a compromised software update), the actual exfiltration of the stolen data requires no physical hardware extraction. The attacker does not need to retrieve a USB drive or retrieve a planted network tap. Once the malware is active, the data simply broadcasts through the walls via radio waves, allowing the operator to remain safely outside the physical security perimeter.

🛡️ Recommended Solution
Protect Against Covert Emission Channels
Advanced RF shielding + endpoint detection — built for air‑gapped environments.
🛡️ Secure Your Facility →

Defensive Countermeasures and Remediation

🔦 Fiber‑Optic

Transition to Fiber‑Optic Video Links

The most definitive method to neutralize video cable emissions is to replace traditional copper wiring with fiber‑optic links. Fiber transmits data using pulses of light through glass or plastic strands — they generate absolutely no electromagnetic interference. Even with TrojPix malware active, the resulting data cannot escape via electromagnetic radiation.

🔒 TEMPEST + Endpoint

Shielding & Zero‑Trust

For environments where fiber‑optic replacements are not immediately feasible, organizations must rely on comprehensive environmental shielding (Faraday cages, shielded cables, conductive materials). The most practical defense remains robust endpoint security focused on preventing the initial infection.

Because TrojPix exploits the physical laws of electromagnetism rather than a flaw in software code, it is impossible to issue a simple software patch to remove the emission itself. The countermeasures must be physical and preventative in nature. Securing air‑gapped systems requires aggressive zero‑trust policies, strict application whitelisting, and rigorous controls over all incoming data vectors, including USB drives, optical media, and software updates.

Conclusion

The emergence of the TrojPix attack represents a critical inflection point in the study of isolated network security. By transforming standard video cables into high‑speed radio transmitters capable of moving megabytes of data per second, researchers have systematically dismantled the assumed safety of the air gap. The attack's ability to function without administrative privileges, operate agnostically across diverse hardware brands, and utilize advanced stealth techniques to hide its megabit‑speed transmissions highlights a severe vulnerability in how secure facilities deploy commercial off‑the‑shelf technology.

The bottom line: While this specific iteration remains confined to academic laboratories, the underlying physical principles it exposes guarantee that emission‑based attacks will feature prominently in the future of nation‑state cyber espionage. Defending against this new reality requires moving beyond software patches and embracing a holistic security model that combines strict zero‑trust endpoint control with rigorous physical infrastructure shielding and fiber‑optic isolation.

Frequently Asked Questions

1. What exactly is the TrojPix attack?
TrojPix is a novel cyberattack technique developed by researchers at Shandong University that steals data from air‑gapped computers. It uses malware to manipulate on‑screen pixels in ways invisible to the human eye. This modulation forces the computer's video cable to emit specific radio frequencies that a nearby receiver can intercept and decode, effectively turning the video cable into a covert radio transmitter.
2. How fast can TrojPix steal data from a computer?
During laboratory testing, TrojPix achieved a peak data transmission rate of 8.1 Megabits per second (Mbps). This translates to roughly one megabyte of data per second, meaning an attacker could theoretically exfiltrate a 100‑megabyte file from a completely isolated computer in under two minutes.
3. Does this attack work remotely, or does the attacker need physical access?
The exfiltration of data happens remotely via radio waves, with a proven maximum range of 208 meters. However, TrojPix is not a method for gaining initial access. The target computer must already be infected with the TrojPix malware for the attack to work, meaning the attacker must have previously found a way to compromise the system (such as through a tainted USB drive).
4. Will changing my monitor brand protect me from TrojPix?
No. The researchers tested the TrojPix method across nine different monitor brands and fifteen distinct video cables, confirming that the attack works successfully regardless of the specific hardware manufacturer. The vulnerability lies in the physical nature of copper cables and digital video rendering, not a specific brand flaw.
5. How can organizations defend against emission attacks like TrojPix?
Because the attack relies on the physical laws of electromagnetism, it cannot be patched with software. The primary defense is preventing the initial malware infection through strict endpoint security. Physical countermeasures include running video signals over fiber‑optic links (which emit no radio signals) and implementing heavy TEMPEST shielding for cables and secure rooms to block radio frequencies from escaping the facility.
📷 Image Credits: All images sourced from Shandong University research material.
© 2026 · Air‑Gap Security Research · Content for informational purposes only.

Post a Comment

0 Comments