by savories 4723 days ago
Important to note the jpg is just one part of the malware. It is harmless by itself. It still requires some other file to actually execute it. The jpg just contains further instructions for the backdoor. The jpg is really just an obfuscator.
1 comments

Exactly. The attacker-added PHP code to run preg_replace is still there. But it does look quite innocuous! This really points to why, when compromised, you need to wipe the box and start over from scratch, not assume you can find all the backdoors by auditing the filesystem.
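
An added example, not part of either comment: a triage check for the kind of innocuous-looking preg_replace call discussed above. It assumes the call depends either on PHP's legacy `/e` (evaluate) pattern modifier or on a pattern supplied at run time; the thread does not say which. The sample PHP and its helper `load_theme_options` are constructed.

```python
import re

# Capture the first argument (the pattern) of each preg_replace( call.
# Quoted literals are tried first so a comma inside the regex is not a split point.
CALL = re.compile(
    r"""preg_replace\s*\(\s*('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[^,]+?)\s*,""",
    re.IGNORECASE,
)
LITERAL = re.compile(r"""^(['"])(.*)\1$""", re.DOTALL)
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}  # PCRE bracket delimiters

def classify_pattern(arg):
    """Return 'dynamic', 'eval-modifier' or 'ok' for a pattern argument."""
    m = LITERAL.match(arg)
    if not m:
        return "dynamic"  # variable, array element, concatenation, call result
    body = m.group(2)
    if not body:
        return "ok"
    closer = CLOSERS.get(body[0], body[0])
    modifiers = body[body.rfind(closer) + 1:]  # text after the closing delimiter
    return "eval-modifier" if "e" in modifiers else "ok"

def scan_php(source):
    """Return (line number, verdict) for every preg_replace call worth a look."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            verdict = classify_pattern(m.group(1))
            if verdict != "ok":
                findings.append((lineno, verdict))
    return findings

# Constructed sample: one ordinary call, one data-driven call, one literal /e call.
SAMPLE = r'''<?php
$title = preg_replace('/\s+/', ' ', $title);
$cfg = load_theme_options();  // hypothetical helper
echo preg_replace($cfg['a'], $cfg['b'], '');
$out = preg_replace("/(.*)/e", 'strtoupper("\1")', $in);
'''

if __name__ == "__main__":
    for lineno, verdict in scan_php(SAMPLE):
        print(f"line {lineno}: {verdict}")
```

A hit is only a lead for review, and a clean result says nothing about backdoors that take another form, which is the reply's argument for rebuilding the box.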