Researchers from Shandong University have demonstrated a groundbreaking covert channel attack called "TrojPix" that can defeat air-gap security by turning a standard video cable into a radio antenna. The attack requires malware to be present on the target air-gapped system. This malware encodes sensitive data into tiny, imperceptible modulations of the pixels being displayed on the screen. These modulations generate electromagnetic (EM) emissions along the video cable (HDMI, DisplayPort, etc.) that can be picked up by a remote receiver up to 208 meters away. The technique is remarkably fast and stealthy, capable of exfiltrating a 100 MB file in under two minutes, presenting a significant new challenge for securing highly sensitive, isolated environments.
Air-gapped systems are computers that are physically isolated from any public networks to prevent remote data breaches. The TrojPix attack provides a new and powerful method to bridge this gap for data exfiltration. It does not provide initial access; the target system must first be compromised through other means, such as a malicious insider, a compromised USB drive (T1091), or a supply chain attack.
Once the TrojPix malware is on the air-gapped machine, it can begin exfiltrating data by manipulating the video output. The core of the technique is "imperceptible pixel modulation." The malware makes subtle, high-frequency changes to the color values of pixels being sent to the monitor. These changes are invisible to the human eye but are specifically crafted to generate a decodable radio-frequency (RF) signal along the unshielded copper wires of a video cable.
The attack leverages the physical properties of modern video interfaces:
Key findings from the research:
This attack falls under the MITRE ATT&CK technique for Exfiltration Over Physical Medium (T1052).
TrojPix poses a serious threat to organizations that rely on air-gapping as their primary security control for highly sensitive data. This includes military and intelligence agencies, critical infrastructure operators, financial institutions, and R&D labs. A successful TrojPix attack could lead to the theft of state secrets, intellectual property, or other classified information that was previously thought to be secure. The high speed and long range of the attack make it far more practical than many previous academic air-gap exfiltration techniques.
This is a research project, so there are no real-world IOCs.
Detecting TrojPix is extremely difficult without specialized equipment. However, organizations can look for precursor events:
otherprocess_nameotherStrictly controlling the introduction of any hardware, especially USB drives, is the primary way to prevent the initial malware infection on an air-gapped system.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.