Listen to this Post
Introduction: A New Malware Campaign Exploits Human Trust
Cybersecurity researchers have uncovered a new and rapidly evolving malware family named TELEPUZ, a modular threat that has been spreading through websites infected with ClickFix social engineering lures since late April 2026. The malware represents a growing trend in modern cyberattacks where criminals combine technical sophistication with psychological manipulation to trick users into infecting their own devices.
Unlike traditional malware campaigns that rely entirely on exploiting software vulnerabilities, TELEPUZ uses deception. Victims are persuaded to copy and execute malicious commands disguised as browser fixes, CAPTCHA solutions, or fake software updates. This technique allows attackers to bypass many traditional security controls because the initial action appears to come directly from the user.
Security researchers believe TELEPUZ is still under active development. The increasing number of daily malware builds uploaded to public malware analysis platforms suggests that its creators are continuously improving the malware and may eventually expand its distribution through a malware-as-a-service (MaaS) model.
TELEPUZ Malware Campaign Shows the Growing Danger of ClickFix Attacks
Researchers Discover a New Modular Malware Family
Security experts from Elastic Security Labs recently analyzed TELEPUZ, describing it as a lightweight but highly capable malware framework. The malware was designed with modular capabilities, allowing attackers to add new functions or update existing components without rebuilding the entire malware infrastructure.
The discovery highlights how cybercriminal groups are increasingly moving toward flexible malware platforms rather than single-purpose tools. Modular malware gives attackers the ability to adapt quickly, evade detection, and target different types of victims depending on their objectives.
ClickFix Becomes the Entry Point for TELEPUZ Infection
Social Engineering Replaces Traditional Exploits
The TELEPUZ campaign relies heavily on ClickFix, a social engineering technique that has become increasingly common among cybercriminals. Instead of exploiting a vulnerability in Windows or a browser, attackers manipulate users into performing dangerous actions themselves.
Victims typically encounter fake browser warnings, fake CAPTCHA verification pages, or messages claiming that a technical problem requires a manual fix. The website then provides instructions telling the user to copy a command into the Windows Run dialog, PowerShell, or another system tool.
Because the user unknowingly launches the malicious code, attackers can avoid many automated security protections.
Clipboard Hijacking Technique Helps Attackers Deliver Malware
Pastejacking Turns Innocent Actions Into Security Risks
The foundation of ClickFix attacks is clipboard hijacking, also known as pastejacking. Malicious websites automatically place attacker-controlled commands into the victim’s clipboard.
The victim believes they are copying harmless text, but the clipboard actually contains commands that can download and execute malware.
This method takes advantage of normal user behavior. Many people trust instructions shown by websites, especially when they appear to solve common problems such as browser errors or verification steps.
TELEPUZ Infection Chain Begins With PowerShell Execution
Multi-Stage Delivery Makes Detection More Difficult
The TELEPUZ infection process begins after the victim executes the malicious command provided through the ClickFix page.
The command launches PowerShell, which connects to a remote location and downloads a second-stage payload. Researchers discovered that this payload is a Go-based variant of the Vidar information stealer.
Vidar is already known in the cybercrime ecosystem for stealing sensitive information from infected computers, including browser data, credentials, and other valuable files.
After Vidar gains access, it delivers a stager component that launches TELEPUZ itself through the legitimate Windows utility rundll32.exe.
TELEPUZ Uses Advanced Malware Architecture
Lightweight Design Suggests Skilled Developers
Written in the C programming language, TELEPUZ appears to have been created by an experienced developer or a small team with strong malware development skills.
Researchers noted that the malware is compact but includes many advanced features normally found in mature cybercrime tools.
The continuous appearance of new TELEPUZ samples on VirusTotal indicates that developers are actively testing new versions and improving the malware’s capabilities.
Malware Obfuscation Makes Analysis More Difficult
Attackers Add Multiple Layers of Protection
To prevent researchers from analyzing the malware, TELEPUZ uses several anti-analysis techniques.
These include:
Fake instructions designed to waste analyst time
Encrypted strings
Hashed import names
Indirect system calls
These techniques make it harder for security researchers and automated detection systems to understand the malware’s behavior.
TELEPUZ Performs Anti-VM and Geographic Checks
Malware Avoids Researchers and Security Sandboxes
Before activating its full functionality, TELEPUZ checks whether it is running inside a virtual machine or analysis environment.
The malware examines hardware characteristics such as:
Number of CPU cores
Available memory
Disk capacity
Systems with fewer than two CPUs, less than 2GB of RAM, or limited storage may be considered suspicious and cause the malware to stop execution.
The malware also checks the system location and avoids running in certain Commonwealth of Independent States (CIS) countries, a behavior frequently seen in criminal malware operations.
TELEPUZ Searches for Security Research Environments
Sandbox Detection Helps Attackers Stay Hidden
The malware also compares the computer name and username against known sandbox and malware research identifiers.
If it detects signs that security researchers are analyzing the sample, TELEPUZ can immediately terminate itself.
This approach allows attackers to reduce the chances of their malware being captured and studied.
TELEPUZ Attempts to Disable Windows Security Protections
Defense Evasion Gives Attackers Greater Control
After passing its initial checks, TELEPUZ begins disabling security monitoring mechanisms.
Researchers found that the malware attempts to:
Unhook NTDLL security monitoring functions
Disable AMSI protections
Disable Event Tracing for Windows (ETW)
Remove third-party DLL notification callbacks
These actions are designed to reduce visibility and prevent security tools from detecting malicious activity.
Malware Attempts Privilege Escalation and Persistence
TELEPUZ Tries to Gain System-Level Access
After disabling defenses, TELEPUZ performs additional checks for debugging tools before attempting privilege escalation.
The malware searches for trusted Windows processes that can be abused to obtain higher privileges, including:
spoolsv.exe
msdtc.exe
WmiPrvSE.exe
svchost.exe
If successful, TELEPUZ attempts to register itself as a Windows service, allowing it to restart automatically and maintain persistence on the infected machine.
TELEPUZ Creates Victim Identifiers for Tracking
Attackers Build Detailed Infection Records
The malware generates a unique victim identifier by combining information from the infected computer.
This identifier is created using:
Hardware serial numbers
Computer name
Windows installation date
Such identifiers help attackers track infected systems and manage victims through their command-and-control infrastructure.
Malware Uses Multiple Backup Communication Channels
Attackers Prepare Alternative C2 Routes
TELEPUZ communicates with command-and-control servers through WebSockets, optionally protected with TLS encryption.
If the main C2 connection fails, the malware uses several backup techniques to recover its communication address.
Researchers identified four fallback methods:
Extracting encrypted URLs from a Telegram profile description
Extracting encrypted URLs from a Steam Community profile
Querying a DNS record for a specific domain
Retrieving encrypted data from a Polygon blockchain smart contract
Using public platforms and blockchain infrastructure makes infrastructure takedowns more difficult.
TELEPUZ Provides Full Remote Access Capabilities
Malware Gives Operators Extensive Control
Once connected to its command server, TELEPUZ can perform a wide range of malicious operations.
Capabilities include:
File discovery
File modification
Command execution
Process management
Screenshot capture
Keylogging
Browser cookie theft
Downloading additional malware
Running DLL modules
The malware effectively provides attackers with remote control over infected systems.
Browser Theft Capabilities Increase the Threat Level
TELEPUZ Targets Chromium and Firefox Users
One of the most dangerous features of TELEPUZ is its web injection capability.
The malware can interact directly with Chromium-based browsers and Mozilla Firefox by abusing browser automation technologies.
Using Chrome DevTools Protocol and WebDriver BiDi, attackers can steal browser cookies and execute JavaScript inside browsers.
This creates serious risks because stolen cookies can allow attackers to bypass login protections and access accounts without needing passwords.
TELEPUZ Infrastructure Shows Signs of Early Malware-as-a-Service Development
Criminal Ecosystem May Expand Further
Researchers believe TELEPUZ is likely connected to a malware-as-a-service operation.
Although the number of known command-and-control domains remains limited, the large number of malware builds suggests that developers are actively preparing the platform for broader distribution.
The C2 servers identified by researchers were hosted on compromised websites located in Brazil and India, while staging domains were protected through Cloudflare.
What Undercode Say: Deep Analysis
TELEPUZ Represents the Evolution of Human-Focused Cyberattacks
TELEPUZ is another example of how cybercriminals are shifting away from relying only on technical vulnerabilities. The strongest part of this campaign is not the malware itself but the combination of psychology, automation, and modular design.
ClickFix Is Becoming a Major Cybersecurity Concern
The growth of ClickFix attacks shows that attackers have discovered a highly effective method for bypassing security awareness. Many users understand that suspicious files are dangerous, but fewer recognize that copying commands from a website can be equally dangerous.
Malware Development Is Becoming More Professional
TELEPUZ demonstrates features normally associated with advanced malware families. Its developers implemented anti-analysis techniques, persistence mechanisms, and multiple communication channels.
The MaaS Model Lowers the Entry Barrier
If TELEPUZ becomes available through underground malware marketplaces, less-skilled criminals could rent access to its capabilities. This could lead to more widespread infections.
Browser Data Is Becoming More Valuable
Modern attackers increasingly focus on browser cookies, saved sessions, and authentication tokens because they can provide direct access to online accounts.
Blockchain and Social Platforms Are Being Abused
Using Telegram, Steam, DNS, and blockchain infrastructure for fallback communication demonstrates how attackers are adapting to modern internet services.
Security Teams Need Better User-Focused Defense
Traditional endpoint protection remains important, but organizations must also train users to recognize fake instructions and suspicious websites.
TELEPUZ Shows Continuous Malware Innovation
The rapid creation of new builds suggests that attackers are actively experimenting and improving their tools.
Future Campaigns Could Become More Dangerous
If developers add ransomware modules, credential-selling features, or additional delivery methods, TELEPUZ could evolve into a much larger threat.
✅ Confirmed: Elastic Security Labs researchers documented TELEPUZ as a new modular malware family distributed through ClickFix campaigns.
✅ Confirmed: Researchers identified multiple advanced capabilities, including anti-analysis features, browser data theft, persistence methods, and command execution.
❌ Not Confirmed: There is currently no public evidence proving the exact identity of the TELEPUZ developers or confirming a large-scale malware-as-a-service operation.
Prediction
(+1) Positive Prediction
Security researchers will likely disrupt TELEPUZ infrastructure before it becomes a dominant malware family because its communication methods, samples, and infrastructure are already being monitored.
(-1) Negative Prediction
TELEPUZ could become significantly more dangerous if criminals expand its distribution network, integrate ransomware capabilities, or sell access through underground cybercrime markets.
Final Outlook
TELEPUZ represents a warning sign for the cybersecurity community. The malware itself is advanced, but the greater danger comes from the attack method behind it. By combining social engineering, modular malware design, browser theft, and flexible command infrastructure, attackers are creating threats that are harder for both users and security systems to stop.
▶️ Related Video (74% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




