New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands


New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that’s been spreading via websites infected with ClickFix lures since late April 2026.

“The malware is full-featured, lightweight, and modular,” Elastic Security Labs researcher Cyril François said in a technical report. “While the number of C2 [command-and-control] domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth.”

The disclosure makes it the second new threat actor after SCMBANKER to be propagated via ClickFix, a pervasive social engineering attack that tricks users into manually running malicious commands by disguising them as innocent fixes for fake browser errors, software updates, or CAPTCHA verifications.

Underpinning the technique is an approach called clipboard hijacking. Because web pages using ClickFix inject malicious script or commands into a potential victim’s clipboard and provide instructions to paste and run them, it’s also referred to as pastejacking.

The ClickFix attack chain linked to TELEPUZ results in the execution of PowerShell, which downloads a second-stage payload from a remote URL and executes it. The payload is a Go variant of the Vidar Stealer, which is known to harvest sensitive data from infected hosts and deploy secondary malware, in this case a stager binary that’s responsible for launching TELEPUZ (“telepuz.dll”) using “rundll32.exe.” Both the stager and main DLL binary are retrieved from “hurgadatour[.]shop” domain.

Cybersecurity

Written in C, TELEPUZ is lightweight and modular, and exhibits signs that it was developed by a solo developer or a very small team with expertise in coding. A steady volume of daily VirusTotal submissions associated with the threat suggests that it’s likely offered under a malware-as-a-service (MaaS) model.

TELEPUZ also incorporates a number of obfuscation techniques, such as garbage instructions that serve no functional purpose, import name hashing to resolve imports, string encryption, and indirect system calls, to thwart analysis efforts.

It then proceeds to perform anti-VM and geolocation checks by verifying hardware constraints, such as whether the machine has fewer than two CPUs, less than 2GB of memory, or insufficient disk space, and ensuring the system’s locale identifier (LCID) is not among a hard-coded list of Commonwealth of Independent States (CIS) countries.

On top of that, the malware compares the current username and computer name against a hard-coded list of common sandbox and malware research identifiers. The aim of these checks is to terminate execution immediately if a sandboxed or virtualized environment, or an unauthorized geographic location, is detected.

Once all the checks pass, TELEPUZ takes steps to disable security monitoring by unhooking NTDLL, turning off Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and removing third-party DllNotification callbacks, which allow an application to receive alerts when a DLL is loaded or unloaded.

The defense evasion routine is followed by checks to detect the presence of debuggers and crash them. It then fetches the parent process ID and validates the parent process name against a list of known runners, such as “rundll32.exe” and “svchost.exe.” In the final stage, it generates a unique victim identifier that’s derived by concatenating the hardware serial number, the computer name, and the operating system’s installation date.

“Following successful session identification, the malware spawns two concurrent threads: one dedicated to elevating itself and installing the malware as a service, and the other to initiate the C2 communication loop,” François said. “The installation thread starts by elevating itself as Admin using the COM elevation moniker technique.”

“Upon achieving elevation and depending on the configuration, TELEPUZ next tries to get SYSTEM privilege by stealing the token of the first found process with one of the following names: spoolsv.exe, msdtc.exe, WmiPrvSE.exe, svchost.exe. Next, it registers itself as a service by creating the necessary registry keys to instruct Windows to load the malware within a new svchost.exe instance.”

Cybersecurity

In tandem, the malware attempts to establish contact with its C2 server up to 10 times. If these tries end up in failure, TELEPUZ attempts to fetch the fallback C2 address using four different methods –

  • By extracting an encrypted URL from a Telegram profile’s (“t[.]me/chanadarkpart”) description. The channel was created on April 28, 2026.
  • By extracting an encrypted URL from a Steam Community profile. The URL points to the same C2 address found in the Telegram channel.
  • By running a DNS query for the domain codebasecode[.]com, it extracts and decrypts the fallback C2 address.
  • By extracting an encrypted URL from a Polygon blockchain smart contract.

TELEPUZ uses the C2 server to establish communication using WebSockets with optional TLS, and awaits instructions from the operator, allowing it to perform a wide range of malicious actions, including file enumeration, file operations, keystroke logging, command execution, process management, screenshot capture, web injection, and cookie extraction for Chromium-based browsers. It can also download and run executables and DLL modules.

The web injector component can also directly talk to the C2 server to receive and execute commands aimed at Chromium-based browsers and Mozilla Firefox. The commands make it possible to siphon cookies and run arbitrary JavaScript on the browsers by taking advantage of the Chrome DevTools Protocol (CDP) and WebDriver BiDi protocol.

“Their limited number suggests that what we think is a MaaS is still in its early stages, despite the high volume of builds generated,” Elastic said. “While the staging domains are protected by Cloudflare, concealing their true hosting locations, the C2 servers have been identified as compromised websites located in Brazil and India, respectively.”



Source link