Does this means this is malware vehiculated by jpg?
In short, no.
According to the linked analysis, the attacker* took a Windows executable, XOR-'encrypted' it (to stop it from being recognised as an executable), and changed the file name to 'icon.png'.
The thing is, that executable can only be run on the victim' s system if the hostile java code is present too. It's not like you view/download some picture file and that's what compromises your system.
As always, use NoScript, make sure java is not installed, and preferably both.
*The technical analysis looks credible but, as far as blaming China, their evidence doesn't seem to go further than, 'well, China has something to gain from doing this'. Sure they do but they're not alone in that respect.