Fast Facts
- TELEPUZ malware is delivered via ClickFix social engineering attacks, utilizing clipboard hijacking to execute PowerShell commands that download and run a modular, obfuscated Go-based stealer and payload from compromised domains.
- It performs anti-analysis checks, disables security tools, and elevates privileges to persist as a Windows service, enabling extensive control for data theft, process management, and browser cookie extraction.
- The malware communicates with resilient, multi-source Command-and-Control servers through WebSockets, facilitating real-time malicious activities like keystroke logging, file operations, and browser injections.
The Threat, Techniques, and Targets
Cybersecurity researchers have identified a new modular malware called TELEPUZ. It has been spreading since late April 2026 through infected websites that use ClickFix lures. The malware is designed to be lightweight and full-featured. Researchers say it is actively being developed and updated rapidly. This makes TELEPUZ likely part of a malware-as-a-service model.
The attack begins when ClickFix tricks users into running malicious commands. These commands are hidden as fixes for fake browser errors or software updates. The method used is called clipboard hijacking, or pastejacking. The malicious script is injected into users’ clipboards, prompting them to paste and run it.
Once run, TELEPUZ uses PowerShell to download a second-stage payload. This payload is a Go version of Vidar Stealer, which collects data from infected devices. TELEPUZ then launches itself using “rundll32.exe” from a malicious DLL file hosted on a compromised website. The payload and DLL are from “hurgadatour[.]shop.”
TELEPUZ was written in C, making it lightweight. It has obfuscation features like string encryption and indirect system calls. The malware also performs checks to avoid virtual machines, sandbox environments, and specific geographic regions like CIS countries. It checks the username, computer name, number of CPUs, available memory, disk space, and system locale. If these checks fail, TELEPUZ stops itself.
Once it passes all checks, TELEPUZ disables security tools. It unhooks system DLLs, turns off AMSI and ETW, and removes notification callbacks. It also tries to detect and crash debuggers. It then identifies the parent process and generates a unique ID based on hardware, device name, and system date.
Finally, TELEPUZ attempts to gain higher privileges. It elevates itself as an administrator and tries to obtain SYSTEM privileges by stealing tokens. It registers as a Windows service and connects to its command-and-control (C2) server. The malware can communicate using WebSockets with TLS options and await commands. It can perform actions like file operations, keystroke logging, process control, and browser cookie theft. It can also download and run additional malware.
The malware communicates with C2 servers that are hosted on compromised websites in Brazil and India. It uses multiple methods to find backup C2 addresses, such as extracting URLs from Telegram and Steam profiles, DNS queries, and blockchain smart contracts.
Impact, Security Implications, and Remediation
TELEPUZ poses serious security risks. Its ability to steal sensitive data, log keystrokes, and run malicious commands can lead to data breaches and loss of confidentiality. The malware’s anti-detection features make it difficult to analyze and remove. Its use of C2 servers in different countries complicates containment efforts. Organizations should be aware that such malware is actively developed and targeted.
The malware’s techniques to disable security tools and evade detection allow it to persist in infected systems. If infected, devices may experience unauthorized data access, credential theft, or system control by attackers. The malware can also download further malicious software, increasing the threat level.
Security teams should seek remediation guidance from their security vendors or relevant authorities. Applying the latest security patches, disabling unneeded services, and monitoring for unusual activity are vital steps. Traffic to known malicious C2 addresses should be blocked. User awareness and caution when interacting with suspicious links or requests are equally important.
In summary, organizations must prioritize detection, incident response, and recovery processes. They should also keep security tools up to date and have an effective malware removal plan in place. For specific remediation steps, consult your security provider or cybersecurity authority.
Discover More Technology Insights
Learn how the Internet of Things (IoT) is transforming everyday life.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
