VYPR
researchPublished Jul 16, 2026· 2 sources

New TELEPUZ Malware Leverages ClickFix Lures for Data Theft and Command Execution

A new modular malware named TELEPUZ is spreading via websites infected with ClickFix lures, designed to steal data and execute commands remotely.

Cybersecurity researchers have identified a new modular malware dubbed TELEPUZ, which has been actively spreading since late April 2026 through websites compromised with ClickFix lures. This malware is characterized by its lightweight, full-featured, and modular design, suggesting active development and potential for growth, according to Elastic Security Labs.

TELEPUZ is the second known threat to be propagated via ClickFix, a social engineering tactic that deceives users into manually executing malicious commands by presenting them as fixes for fake errors or updates. This method, also known as pastejacking, relies on clipboard hijacking, where malicious scripts are injected into a user's clipboard.

The attack chain initiated by ClickFix with TELEPUZ involves the execution of PowerShell, which then downloads and runs a second-stage payload. This payload, a Go variant of the Vidar Stealer, is designed to harvest sensitive data and deploy additional malware. In this case, it launches the TELEPUZ stager binary, which in turn executes the main TELEPUZ DLL.

Written in C, TELEPUZ exhibits characteristics of development by a solo coder or a small, skilled team. The consistent daily submissions of TELEPUZ builds to VirusTotal indicate it might be offered as a malware-as-a-service (MaaS). The malware employs several obfuscation techniques, including garbage instructions, import name hashing, string encryption, and indirect system calls, to hinder analysis.

Before proceeding, TELEPUZ performs anti-virtualization and geolocation checks. It verifies hardware constraints like CPU count, memory, and disk space, and checks the system's locale identifier against a list of Commonwealth of Independent States (CIS) countries. It also compares usernames and computer names against known sandbox identifiers to detect and terminate execution in suspicious environments.

TELEPUZ actively evades security measures by unhooking NTDLL, disabling Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and removing DllNotification callbacks. It also attempts to crash any detected debuggers before validating its parent process against a list of known runners like 'rundll32.exe' and 'svchost.exe'. A unique victim identifier is generated using hardware serial number, computer name, and OS installation date.

Upon successful session identification, TELEPUZ elevates its privileges using COM elevation moniker techniques to gain administrator rights, and potentially SYSTEM privileges by stealing tokens from processes like 'spoolsv.exe' or 'svchost.exe'. It then registers itself as a service, embedding itself within a new 'svchost.exe' instance for persistence.

Communication with the command-and-control (C2) server is attempted multiple times, with fallback methods including extracting encrypted URLs from Telegram and Steam profiles, DNS queries, and even encrypted URLs from Polygon blockchain smart contracts. Once connected via WebSockets, TELEPUZ can perform extensive malicious actions, including file operations, keystroke logging, command execution, and data exfiltration from browsers, and can download and execute additional modules.

This new report from CERT-UA details a specific evolution of the ClickFix lure, where Sandworm actors are now prompting victims to execute a PowerShell command directly, rather than simply clicking a link. This technique bypasses traditional CAPTCHA verification and directly initiates malware deployment, including the GhettoVibe and ScoutCurl tools, on compromised Ukrainian systems.

Synthesized by Vypr AI