TrojPix: Academic Research Shows Air-Gapped PCs Can Leak Data Through Screen Pixels

Researchers at Shandong University describe a covert channel that turns a monitor cable into a radio transmitter, but the technique still needs malware on the target first.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal shot of the back of a desktop monitor in a dim server room, focus on the DisplayPort cable curving into the port, with a soft
Share

Key points

  • Researchers at Shandong University in China have published a technique they call TrojPix that pulls data off computers disconnected from any network.
  • TrojPix works by changing pixels on a monitor in ways a person cannot see, which makes the video cable give off a faint radio signal a nearby receiver can pick up.
  • The attack only works after malware is already running on the target machine, so it is an exfiltration method, not an initial break-in.
  • Air-gapped systems, meaning computers deliberately kept off the internet, are used in defence, industrial control, and intelligence settings where secrecy matters most.
  • The finding fits a long line of academic side-channel research and has not been tied to any real-world intrusion.

Academic researchers have shown a new way to steal secrets from computers that are supposed to be untouchable.

A team at Shandong University in China has published work on a technique they call TrojPix. It quietly changes the colour of pixels on a monitor in patterns the human eye cannot register. Those tiny changes cause the cable between the computer and its screen to give off a faint radio signal. A receiver sitting nearby can catch that signal and turn it back into data.

The target here is the air-gapped computer. An air gap is exactly what it sounds like: a machine kept physically separate from the internet and from any network that touches the internet. Governments, weapons labs, power plants and banks use them to hold their most sensitive material. If the machine cannot talk to the outside world, the thinking goes, an attacker cannot pull data out of it.

TrojPix chips away at that assumption.

Does this mean air-gapped systems are broken?

No, and this is the important caveat. TrojPix is not a way in. It is a way out.

Before any pixels can be tweaked, an attacker has to get their own code running on the target. That usually means a corrupted USB stick, a tampered supply chain, or a person on the inside. Getting malware onto an air-gapped machine in the first place is the hard part, and it is the part TrojPix does not solve. First reported by The Hacker News, the research assumes that step has already happened.

Once the malware is in place, TrojPix gives it a way to whisper the stolen data out through the display cable's electromagnetic leakage. A receiver has to be close enough to pick up that whisper. In the paper, the researchers describe short ranges, not building-to-building distances.

Where does this fit in the wider picture?

TrojPix is the latest in a long line of academic side-channel attacks, which are tricks that read information from the physical byproducts of a computer running: heat, sound, electrical noise, blinking status lights, even the hum of a hard drive. Israeli researcher Mordechai Guri has published dozens of these over the years against air-gapped setups.

None of the techniques in that family have been publicly tied to a real intrusion. That does not make them irrelevant. State-level intelligence services care about them because they only need to work once against the right target. The gap between capability shown in a lab and capability used in the field is often years, and sometimes zero.

For now, TrojPix should be read as a research contribution, not an active threat. Treat it the way defenders treat any new covert channel: interesting, worth tracking, and a reminder that an air gap is a control, not a guarantee.

What should ordinary readers take from this?

If you do not work in a classified facility, nothing. Your laptop is not the target. This research matters for the small number of organisations that rely on physical isolation to protect the most sensitive material they hold, and for the people who defend those environments.

© 2026 Threat Vectr