TELEPUZ Malware Emerges as a New Modular Threat Using ClickFix Attacks to Steal Data and Control Victims + Video

Listen to this Post

Featured ImageIntroduction: A New Malware Campaign Exploits Human Trust

Cybersecurity researchers have uncovered a new and rapidly evolving malware family named TELEPUZ, a modular threat that has been spreading through websites infected with ClickFix social engineering lures since late April 2026. The malware represents a growing trend in modern cyberattacks where criminals combine technical sophistication with psychological manipulation to trick users into infecting their own devices.

Unlike traditional malware campaigns that rely entirely on exploiting software vulnerabilities, TELEPUZ uses deception. Victims are persuaded to copy and execute malicious commands disguised as browser fixes, CAPTCHA solutions, or fake software updates. This technique allows attackers to bypass many traditional security controls because the initial action appears to come directly from the user.

Security researchers believe TELEPUZ is still under active development. The increasing number of daily malware builds uploaded to public malware analysis platforms suggests that its creators are continuously improving the malware and may eventually expand its distribution through a malware-as-a-service (MaaS) model.

TELEPUZ Malware Campaign Shows the Growing Danger of ClickFix Attacks

Researchers Discover a New Modular Malware Family

Security experts from Elastic Security Labs recently analyzed TELEPUZ, describing it as a lightweight but highly capable malware framework. The malware was designed with modular capabilities, allowing attackers to add new functions or update existing components without rebuilding the entire malware infrastructure.

The discovery highlights how cybercriminal groups are increasingly moving toward flexible malware platforms rather than single-purpose tools. Modular malware gives attackers the ability to adapt quickly, evade detection, and target different types of victims depending on their objectives.

ClickFix Becomes the Entry Point for TELEPUZ Infection

Social Engineering Replaces Traditional Exploits

The TELEPUZ campaign relies heavily on ClickFix, a social engineering technique that has become increasingly common among cybercriminals. Instead of exploiting a vulnerability in Windows or a browser, attackers manipulate users into performing dangerous actions themselves.

Victims typically encounter fake browser warnings, fake CAPTCHA verification pages, or messages claiming that a technical problem requires a manual fix. The website then provides instructions telling the user to copy a command into the Windows Run dialog, PowerShell, or another system tool.

Because the user unknowingly launches the malicious code, attackers can avoid many automated security protections.

Clipboard Hijacking Technique Helps Attackers Deliver Malware

Pastejacking Turns Innocent Actions Into Security Risks

The foundation of ClickFix attacks is clipboard hijacking, also known as pastejacking. Malicious websites automatically place attacker-controlled commands into the victim’s clipboard.

The victim believes they are copying harmless text, but the clipboard actually contains commands that can download and execute malware.

This method takes advantage of normal user behavior. Many people trust instructions shown by websites, especially when they appear to solve common problems such as browser errors or verification steps.

TELEPUZ Infection Chain Begins With PowerShell Execution

Multi-Stage Delivery Makes Detection More Difficult

The TELEPUZ infection process begins after the victim executes the malicious command provided through the ClickFix page.

The command launches PowerShell, which connects to a remote location and downloads a second-stage payload. Researchers discovered that this payload is a Go-based variant of the Vidar information stealer.

Vidar is already known in the cybercrime ecosystem for stealing sensitive information from infected computers, including browser data, credentials, and other valuable files.

After Vidar gains access, it delivers a stager component that launches TELEPUZ itself through the legitimate Windows utility rundll32.exe.

TELEPUZ Uses Advanced Malware Architecture

Lightweight Design Suggests Skilled Developers

Written in the C programming language, TELEPUZ appears to have been created by an experienced developer or a small team with strong malware development skills.

Researchers noted that the malware is compact but includes many advanced features normally found in mature cybercrime tools.

The continuous appearance of new TELEPUZ samples on VirusTotal indicates that developers are actively testing new versions and improving the malware’s capabilities.

Malware Obfuscation Makes Analysis More Difficult

Attackers Add Multiple Layers of Protection

To prevent researchers from analyzing the malware, TELEPUZ uses several anti-analysis techniques.

These include:

Fake instructions designed to waste analyst time

Encrypted strings

Hashed import names

Indirect system calls

These techniques make it harder for security researchers and automated detection systems to understand the malware’s behavior.

TELEPUZ Performs Anti-VM and Geographic Checks

Malware Avoids Researchers and Security Sandboxes

Before activating its full functionality, TELEPUZ checks whether it is running inside a virtual machine or analysis environment.

The malware examines hardware characteristics such as:

Number of CPU cores

Available memory

Disk capacity

Systems with fewer than two CPUs, less than 2GB of RAM, or limited storage may be considered suspicious and cause the malware to stop execution.

The malware also checks the system location and avoids running in certain Commonwealth of Independent States (CIS) countries, a behavior frequently seen in criminal malware operations.

TELEPUZ Searches for Security Research Environments

Sandbox Detection Helps Attackers Stay Hidden

The malware also compares the computer name and username against known sandbox and malware research identifiers.

If it detects signs that security researchers are analyzing the sample, TELEPUZ can immediately terminate itself.

This approach allows attackers to reduce the chances of their malware being captured and studied.

TELEPUZ Attempts to Disable Windows Security Protections

Defense Evasion Gives Attackers Greater Control

After passing its initial checks, TELEPUZ begins disabling security monitoring mechanisms.

Researchers found that the malware attempts to:

Unhook NTDLL security monitoring functions

Disable AMSI protections

Disable Event Tracing for Windows (ETW)

Remove third-party DLL notification callbacks

These actions are designed to reduce visibility and prevent security tools from detecting malicious activity.

Malware Attempts Privilege Escalation and Persistence

TELEPUZ Tries to Gain System-Level Access

After disabling defenses, TELEPUZ performs additional checks for debugging tools before attempting privilege escalation.

The malware searches for trusted Windows processes that can be abused to obtain higher privileges, including:

spoolsv.exe

msdtc.exe

WmiPrvSE.exe

svchost.exe

If successful, TELEPUZ attempts to register itself as a Windows service, allowing it to restart automatically and maintain persistence on the infected machine.

TELEPUZ Creates Victim Identifiers for Tracking

Attackers Build Detailed Infection Records

The malware generates a unique victim identifier by combining information from the infected computer.

This identifier is created using:

Hardware serial numbers

Computer name

Windows installation date

Such identifiers help attackers track infected systems and manage victims through their command-and-control infrastructure.

Malware Uses Multiple Backup Communication Channels

Attackers Prepare Alternative C2 Routes

TELEPUZ communicates with command-and-control servers through WebSockets, optionally protected with TLS encryption.

If the main C2 connection fails, the malware uses several backup techniques to recover its communication address.

Researchers identified four fallback methods:

Extracting encrypted URLs from a Telegram profile description

Extracting encrypted URLs from a Steam Community profile

Querying a DNS record for a specific domain

Retrieving encrypted data from a Polygon blockchain smart contract

Using public platforms and blockchain infrastructure makes infrastructure takedowns more difficult.

TELEPUZ Provides Full Remote Access Capabilities

Malware Gives Operators Extensive Control

Once connected to its command server, TELEPUZ can perform a wide range of malicious operations.

Capabilities include:

File discovery

File modification

Command execution

Process management

Screenshot capture

Keylogging

Browser cookie theft

Downloading additional malware

Running DLL modules

The malware effectively provides attackers with remote control over infected systems.

Browser Theft Capabilities Increase the Threat Level

TELEPUZ Targets Chromium and Firefox Users

One of the most dangerous features of TELEPUZ is its web injection capability.

The malware can interact directly with Chromium-based browsers and Mozilla Firefox by abusing browser automation technologies.

Using Chrome DevTools Protocol and WebDriver BiDi, attackers can steal browser cookies and execute JavaScript inside browsers.

This creates serious risks because stolen cookies can allow attackers to bypass login protections and access accounts without needing passwords.

TELEPUZ Infrastructure Shows Signs of Early Malware-as-a-Service Development

Criminal Ecosystem May Expand Further

Researchers believe TELEPUZ is likely connected to a malware-as-a-service operation.

Although the number of known command-and-control domains remains limited, the large number of malware builds suggests that developers are actively preparing the platform for broader distribution.

The C2 servers identified by researchers were hosted on compromised websites located in Brazil and India, while staging domains were protected through Cloudflare.

What Undercode Say: Deep Analysis

TELEPUZ Represents the Evolution of Human-Focused Cyberattacks

TELEPUZ is another example of how cybercriminals are shifting away from relying only on technical vulnerabilities. The strongest part of this campaign is not the malware itself but the combination of psychology, automation, and modular design.

ClickFix Is Becoming a Major Cybersecurity Concern

The growth of ClickFix attacks shows that attackers have discovered a highly effective method for bypassing security awareness. Many users understand that suspicious files are dangerous, but fewer recognize that copying commands from a website can be equally dangerous.

Malware Development Is Becoming More Professional

TELEPUZ demonstrates features normally associated with advanced malware families. Its developers implemented anti-analysis techniques, persistence mechanisms, and multiple communication channels.

The MaaS Model Lowers the Entry Barrier

If TELEPUZ becomes available through underground malware marketplaces, less-skilled criminals could rent access to its capabilities. This could lead to more widespread infections.

Browser Data Is Becoming More Valuable

Modern attackers increasingly focus on browser cookies, saved sessions, and authentication tokens because they can provide direct access to online accounts.

Blockchain and Social Platforms Are Being Abused

Using Telegram, Steam, DNS, and blockchain infrastructure for fallback communication demonstrates how attackers are adapting to modern internet services.

Security Teams Need Better User-Focused Defense

Traditional endpoint protection remains important, but organizations must also train users to recognize fake instructions and suspicious websites.

TELEPUZ Shows Continuous Malware Innovation

The rapid creation of new builds suggests that attackers are actively experimenting and improving their tools.

Future Campaigns Could Become More Dangerous

If developers add ransomware modules, credential-selling features, or additional delivery methods, TELEPUZ could evolve into a much larger threat.

✅ Confirmed: Elastic Security Labs researchers documented TELEPUZ as a new modular malware family distributed through ClickFix campaigns.

✅ Confirmed: Researchers identified multiple advanced capabilities, including anti-analysis features, browser data theft, persistence methods, and command execution.

❌ Not Confirmed: There is currently no public evidence proving the exact identity of the TELEPUZ developers or confirming a large-scale malware-as-a-service operation.

Prediction

(+1) Positive Prediction

Security researchers will likely disrupt TELEPUZ infrastructure before it becomes a dominant malware family because its communication methods, samples, and infrastructure are already being monitored.

(-1) Negative Prediction

TELEPUZ could become significantly more dangerous if criminals expand its distribution network, integrate ransomware capabilities, or sell access through underground cybercrime markets.

Final Outlook

TELEPUZ represents a warning sign for the cybersecurity community. The malware itself is advanced, but the greater danger comes from the attack method behind it. By combining social engineering, modular malware design, browser theft, and flexible command infrastructure, attackers are creating threats that are harder for both users and security systems to stop.

▶️ Related Video (74% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube