New TrojPix Attack Leaks Data From Air-Gapped Systems Via Video Cable Emissions

Researchers at Shandong University have demonstrated a new and faster way to extract data from disconnected computers across networks. The method, called TrojPix, modifies the pixels on the screen in ways the eye can’t see, so that the video cable carrying them emits a faint radio signal that a nearby receiver can’t decipher.
But TrojPix only works if the malware is already on the target machine, so it’s a way for stolen data to get out, not a way to get in. In the researchers’ tests, TrojPix reached a maximum result of 8.1 Mbps and reached 208 meters, the two being measured separately rather than together.
Most air-gap hiding channels crawl in bits or kilobits per second; at 8.1 megabits, roughly a megabyte per second, TrojPix can transfer a 100 MB file in less than two minutes. That turns the threat from leaking the password into moving all the files while the monitor appears to be off.
Real-world distance is another matter: the receiver still has to contend with walls, shielding, and noise.
A method, researchers call it invisible pixel shiftthey don’t require administrator rights and there are no hardware changes, they say; the malware that can drag to the screen is enough.
They describe two ways to hide traffic. One is a closed display, which keeps the screen black while streaming. One is blocking the signal from whatever is already on the screen, so content that looks normal carries the payload.
The team reports that it works on nine monitor brands and fifteen video cables, so the result is not tied to a single setup.

Converting a video cable into a hidden transmitter is nothing new. Dating back to decades of research on the evolution of a compromise, known as TEMPEST, and more recently working as TEMPEST-LoRa (CCS 2025), used a similar strategy to achieve off-the-shelf LoRa radios, a common long-range wireless standard.
That came out at 87.5 meters, or 21.6 kbps. TrojPix’s peak throughput is hundreds of times higher, although both receivers are different under different conditions, so the numbers are not a head-to-head comparison.
These emission channels are always the work of the lab. Air-gap attacks that have appeared in the wild, from Stuxnet to Agent.BTZ, jump the gap on USB drives, not radio; TrojPix and its brand show what’s possible, not what’s caught.
Another screen-based channel, PIXHELL, which Hacker News covered in 2024, makes the display itself emit noise to leak data to a PC with air space.
Some have outsourced data to Ethernet through embedded hardware, the type of hardware change TrojPix avoids.
You cannot amend the release yourself. Countermeasures are physical and restrictive: use video over fiber-optic links, which do not carry such a signal, rather than copper; shield wires and chambers where the data confirms, as TEMPEST-rated utilities already do; and above all, keep the malware off the machine in the first place, because without it, TrojPix has nothing to send.
Once an attacker is inside, the channel can quickly release data while the screen remains black.



