Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

The Hacker News by The Hacker News
July 16, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that’s been spreading via websites infected with ClickFix lures since late April 2026.

“The malware is full-featured, lightweight, and modular,” Elastic Security Labs researcher Cyril François said in a technical report. “While the number of C2 [command-and-control] domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth.”

The disclosure makes it the second new threat actor after SCMBANKER to be propagated via ClickFix, a pervasive social engineering attack that tricks users into manually running malicious commands by disguising them as innocent fixes for fake browser errors, software updates, or CAPTCHA verifications.

Underpinning the technique is an approach called clipboard hijacking. Because web pages using ClickFix inject malicious script or commands into a potential victim’s clipboard and provide instructions to paste and run them, it’s also referred to as pastejacking.

The ClickFix attack chain linked to TELEPUZ results in the execution of PowerShell, which downloads a second-stage payload from a remote URL and executes it. The payload is a Go variant of the Vidar Stealer, which is known to harvest sensitive data from infected hosts and deploy secondary malware, in this case a stager binary that’s responsible for launching TELEPUZ (“telepuz.dll”) using “rundll32.exe.” Both the stager and main DLL binary are retrieved from “hurgadatour[.]shop” domain.

Written in C, TELEPUZ is lightweight and modular, and exhibits signs that it was developed by a solo developer or a very small team with expertise in coding. A steady volume of daily VirusTotal submissions associated with the threat suggests that it’s likely offered under a malware-as-a-service (MaaS) model.

TELEPUZ also incorporates a number of obfuscation techniques, such as garbage instructions that serve no functional purpose, import name hashing to resolve imports, string encryption, and indirect system calls, to thwart analysis efforts.

It then proceeds to perform anti-VM and geolocation checks by verifying hardware constraints, such as whether the machine has fewer than two CPUs, less than 2GB of memory, or insufficient disk space, and ensuring the system’s locale identifier (LCID) is not among a hard-coded list of Commonwealth of Independent States (CIS) countries.

On top of that, the malware compares the current username and computer name against a hard-coded list of common sandbox and malware research identifiers. The aim of these checks is to terminate execution immediately if a sandboxed or virtualized environment, or an unauthorized geographic location, is detected.

Once all the checks pass, TELEPUZ takes steps to disable security monitoring by unhooking NTDLL, turning off Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and removing third-party DllNotification callbacks, which allow an application to receive alerts when a DLL is loaded or unloaded.

The defense evasion routine is followed by checks to detect the presence of debuggers and crash them. It then fetches the parent process ID and validates the parent process name against a list of known runners, such as “rundll32.exe” and “svchost.exe.” In the final stage, it generates a unique victim identifier that’s derived by concatenating the hardware serial number, the computer name, and the operating system’s installation date.

“Following successful session identification, the malware spawns two concurrent threads: one dedicated to elevating itself and installing the malware as a service, and the other to initiate the C2 communication loop,” François said. “The installation thread starts by elevating itself as Admin using the COM elevation moniker technique.”

“Upon achieving elevation and depending on the configuration, TELEPUZ next tries to get SYSTEM privilege by stealing the token of the first found process with one of the following names: spoolsv.exe, msdtc.exe, WmiPrvSE.exe, svchost.exe. Next, it registers itself as a service by creating the necessary registry keys to instruct Windows to load the malware within a new svchost.exe instance.”

In tandem, the malware attempts to establish contact with its C2 server up to 10 times. If these tries end up in failure, TELEPUZ attempts to fetch the fallback C2 address using four different methods –

  • By extracting an encrypted URL from a Telegram profile’s (“t[.]me/chanadarkpart”) description. The channel was created on April 28, 2026.
  • By extracting an encrypted URL from a Steam Community profile. The URL points to the same C2 address found in the Telegram channel.
  • By running a DNS query for the domain codebasecode[.]com, it extracts and decrypts the fallback C2 address.
  • By extracting an encrypted URL from a Polygon blockchain smart contract.

TELEPUZ uses the C2 server to establish communication using WebSockets with optional TLS, and awaits instructions from the operator, allowing it to perform a wide range of malicious actions, including file enumeration, file operations, keystroke logging, command execution, process management, screenshot capture, web injection, and cookie extraction for Chromium-based browsers. It can also download and run executables and DLL modules.

The web injector component can also directly talk to the C2 server to receive and execute commands aimed at Chromium-based browsers and Mozilla Firefox. The commands make it possible to siphon cookies and run arbitrary JavaScript on the browsers by taking advantage of the Chrome DevTools Protocol (CDP) and WebDriver BiDi protocol.

“Their limited number suggests that what we think is a MaaS is still in its early stages, despite the high volume of builds generated,” Elastic said. “While the staging domains are protected by Cloudflare, concealing their true hosting locations, the C2 servers have been identified as compromised websites located in Brazil and India, respectively.”



Source link

The Hacker News

The Hacker News

Next Post
Joget White Label Offers System Integrators a Faster Path to Market with Enterprise AI Solutions Under Their Own Brand

Joget White Label Offers System Integrators a Faster Path to Market with Enterprise AI Solutions Under Their Own Brand

Recommended.

Bitcoin gets slashed in half. What’s behind the crypto’s existential crisis

Bitcoin gets slashed in half. What’s behind the crypto’s existential crisis

February 6, 2026
Analysis of job vacancies shows earnings boost for AI skills | Computer Weekly

Analysis of job vacancies shows earnings boost for AI skills | Computer Weekly

June 3, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio