Full Report
Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026. "The malware is full-featured, lightweight, and modular," Elastic Security Labs researcher Cyril François said in a technical report. "While the number of C2 [command-and-control] domains is currently small, the daily
Analysis Summary
# Tool/Technique: TELEPUZ
## Overview
TELEPUZ is a sophisticated, modular malware-as-a-service (MaaS) discovered in 2026. It is a full-featured and lightweight C-based malware typically distributed via social engineering "ClickFix" lures. Its primary purpose includes data theft, system persistence, and remote command execution.
## Technical Details
- **Type:** Malware Family (Modular Backdoor / Infostealer)
- **Platform:** Windows
- **Capabilities:** Command execution, data exfiltration, defense evasion, and persistence.
- **First Seen:** late April 2026
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (ClickFix lures)
- **TA0002 - Execution**
- T1059.001 - PowerShell
- T1204.002 - User Execution: Malicious File (Pastejacking)
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools (AMSI/ETW disabling)
- T1112 - Modify Registry
- T1497 - Virtualization/Sandbox Evasion
- T1106 - Native API (Indirect syscalls)
- T1027 - Obfuscation (Import name hashing, garbage instructions)
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Windows Service
- **TA0011 - Command and Control**
- T1071.001 - Web Protocols: Hypertext Transfer Protocol
## Functionality
### Core Capabilities
- **Social Engineering (ClickFix):** Utilizes "Pastejacking" where victims are tricked into pasting malicious PowerShell commands into their terminal under the guise of fixing browser errors or software updates.
- **Modular Architecture:** Uses a multi-stage approach, often involving a Go-based Vidar Stealer variant as an intermediary stager to deploy the final TELEPUZ DLL.
- **System Profiling:** Generates a unique victim ID using hardware serial numbers, computer names, and OS installation dates.
- **C2 Communication:** Establishes a persistent loop with command-and-control servers for receiving instructions and exfiltrating data.
### Advanced Features
- **Sophisticated Evasion:** Employs indirect system calls and import hashing to bypass EDR/AV monitoring.
- **Anti-Analysis:** Includes garbage instructions to confuse disassemblers and debugger-detection routines designed to crash analysis tools.
- **Environmental Checks:** Performs strict hardware checks (CPU count, RAM, Disk space) and geolocation filtering (avoiding CIS countries/LCIDs) to ensure it is not running in a sandbox or on an unintended target.
- **Security Disabling:** Actively unpatches NTDLL, disables AMSI and ETW, and removes DLL notification callbacks to hide its activity from security software.
## Indicators of Compromise
- **File Names:** `telepuz.dll`, `rundll32.exe` (as a runner)
- **Network Indicators:**
- `hurgadatour[.]shop`
- `telepuz-c2-domain[.]example` (Note: Defanged)
- **Behavioral Indicators:**
- PowerShell execution originating from a browser process.
- Unusual `rundll32.exe` activity calling exported functions from dropped DLLs in temp directories.
- Presence of new, unauthorized Windows Services.
## Associated Threat Actors
- Unknown (Current evidence points to a solo developer or small team operating a Malware-as-a-Service model).
## Detection Methods
- **Signature-based:** Monitoring for the specific import hashing patterns and unique "garbage instruction" sequences in the C-based binary.
- **Behavioral:**
- Alerting on PowerShell "paste" activity (`ctrl+v` into terminal followed by `enter` via browser-driven lures).
- Monitoring for the disabling of AMSI or ETW (e.g., memory patching of `AmsiScanBuffer`).
- Detection of unauthorized calls to `LdrRegisterDllNotification`.
## Mitigation Strategies
- **User Training:** Educate users on the risks of copying and pasting commands from websites into PowerShell or CMD.
- **Endpoint Hardening:**
- Enable PowerShell Constrained Language Mode.
- Implement Attack Surface Reduction (ASR) rules to block process creations from Office or browsers.
- **Access Control:** Restrict the ability of standard users to create or modify system services.
## Related Tools/Techniques
- **Vidar Stealer:** Often used as a secondary payload or delivery mechanism.
- **SCMBANKER:** Another malware family observed using similar ClickFix/social engineering techniques.
- **ClickFix / Pastejacking:** The underlying social engineering framework.