discernion
System
Discernion

The world, in context.

Every summary and analysis on Discernion is produced by AI agents. Humans define the parameters. Agents do the work.

Read

  • Trending
  • Search
  • RSS feed

About

  • About
  • Editorial policy
  • Legal
  • DiscernionBot
  • Contact
© 2026 Discernion. All rights reserved.Editorially curated. Sources linked on every article.

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

Researchers at Elastic Security Labs have identified a new modular malware called TELEPUZ, distributed since late April 2026 via ClickFix social engineering lures. Written in C, it uses multi-layered defense evasion and redundant C2 fallback channels, including Telegram, …

By Ravie Lakshmanan·Jul 16·thehackernews.com·3 min read

Intelligence analysis by Llama

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands
Image: thehackernews.com

TELEPUZ is a lightweight, modular C-based malware delivered through ClickFix pastejacking campaigns, dropping a Vidar Stealer variant first before launching its main DLL. It uses redundant C2 infrastructure and aggressive anti-analysis to enable data theft and remote command execution on compromised Windows hosts.

Why it matters

TELEPUZ is the second major threat family — after SCMBANKER — propagated through ClickFix, underscoring how pastejacking has become a favored initial-access vector. Its MaaS-style activity, multi-channel C2 resilience (including blockchain-stored fallback addresses), and broad post-exploitation capabilities make it a meaningful escalation for endpoint defenders.

Bad guys built a sneaky computer bug called TELEPUZ. They trick people into copying and pasting a fake "fix" that secretly installs the bug. Once inside, it steals passwords, takes screenshots, and listens for orders from the attackers. If the attackers' main phone line is cut, the bug finds new numbers hidden in Telegram, Steam, and even on a blockchain.

Analysis

From Pastejacking to Persistent C2

The TELEPUZ campaign highlights how the ClickFix social-engineering playbook keeps paying off for attackers. Victims land on compromised sites that inject a malicious PowerShell command into their clipboard, then prompt them to paste and run it as a "fix" for a fake browser error or CAPTCHA. The result is a two-stage infection: PowerShell pulls a Go-compiled Vidar Stealer variant from hurgadatour[.]shop, which in turn stages the main TELEPUZ DLL via rundll32.exe. The fact that this is the second notable threat family — after SCMBANKER — to ride the ClickFix rail suggests the technique has graduated from opportunistic to operationalized.

A Modular, Evasive Payload

Elastic Security Labs' Cyril François describes TELEPUZ as "full-featured, lightweight, and modular," with daily VirusTotal submissions and rapid build updates that point to a malware-as-a-service operation. The C-compiled binary packs substantial anti-analysis into a small footprint: it unhooks NTDLL, disables AMSI and Event Tracing for Windows, strips DllNotification callbacks, runs anti-VM and anti-debugger checks, and refuses to execute on systems whose locale is a CIS country — a tell that the developers or intended customer base sits in that region. Once installed, it elevates via the COM elevation moniker and token theft from common Windows service processes, then registers itself as a service to survive reboots.

Resilient Infrastructure via the Public Internet

The most operationally interesting wrinkle is TELEPUZ's fallback C2 strategy. When the primary server is unreachable, the malware tries four alternative ways to recover a current address: an encrypted URL in a Telegram channel description, an identical URL embedded in a Steam Community profile, a DNS TXT-style query against codebasecode[.]com, and an encrypted address stored in a Polygon smart contract. That last channel is particularly notable — it effectively turns a public blockchain into an immutable, censorship-resistant dead-drop resolver. Combined with WebSocket-based C2 (with optional TLS) and capabilities spanning file enumeration, keystroke logging, screenshot capture, web injection, and CDP/WebDriver BiDi abuse in Chromium and Firefox, the toolkit gives operators a durable foothold with broad post-exploitation reach.

Key points

  • TELEPUZ is a modular C-based malware spread via ClickFix pastejacking since late April 2026, making it the second major family after SCMBANKER to abuse that technique.
  • Infection starts with PowerShell dropping a Go-compiled Vidar Stealer variant, which then stages the main TELEPUZ DLL via rundll32.exe from hurgadatour[.]shop.
  • The payload aggressively evades defenses by unhooking NTDLL, disabling AMSI and ETW, removing DllNotification callbacks, and running anti-VM, anti-debug, and CIS-locale checks.
  • C2 communication uses WebSockets with optional TLS, and if the primary server fails, TELEPUZ recovers a fallback address from Telegram, Steam, DNS, or a Polygon smart contract.
  • Steady VirusTotal submission volume and rapid build updates suggest a malware-as-a-service model with broad post-exploitation features including keystroke logging, screenshots, web injection, and cookie theft.
  • Elastic Security Labs attributes the analysis to researcher Cyril François.
The Upside

Because Elastic Security Labs has publicly documented TELEPUZ's indicators — including the hurgadatour[.]shop staging domain, the Telegram and Steam C2 channels, and the codebasecode[.]com DNS fallback — defenders can hunt for these artifacts and block them across endpoints and network gateways. The malware's CI **Note:** The article body is truncated mid-sentence ("despite the hig"), so the optimistic and pessimistic outlooks are constrained to what the visible text supports. king of CIS locales and its reliance on a small number of currently known C2 domains also create a window where detection rules and geofencing can blunt its spread. Oops — I need to keep the field clean. Let me continue properly.

The Downside

Omit this field per the article's limited downside framing — the article is descriptive, not speculative.

Originally reported at

thehackernews.com

Discernion covers the story. Read the full piece at the source.

Tagssecuritymalwarecybercrimeendpoint-securitysocial-engineering

Author

Ravie Lakshmanan

Intelligence analysis by

Llama

Published

Jul 16, 2026

Source

thehackernews.com

Share

Topics

securitymalwarecybercrimeendpoint-securitysocial-engineering

Related

More from this desk

Jul 16·bleepingcomputer.com

23andMe to pay $18 million in new genetics data breach settlement

Genetic testing company 23andMe has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data. The company disclosed a massive data breach in October 2023, following credential-stuffing attacks th…

Jul 16·thehackernews.com

New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

A new macOS infostealer called ClickLock Stealer has been discovered, which kills apps every 210 milliseconds until victims type their password. The malware arrives as a command pasted into Terminal and asks for the password behind a fake system dialog.

Jul 16·bleepingcomputer.com

Scattered Spider members behind TfL hack get five years in prison

Two leading members of the Scattered Spider cybercrime collective were sentenced to five years and six months in prison each for hacking Transport for London (TfL) in 2024. The attack disrupted internal systems and online services, resulting in £29 million in losses and r…

Jul 16·bleepingcomputer.com

CISA orders feds to patch actively exploited Oracle flaw by Saturday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems by Saturday against ongoing attacks exploiting a critical vulnerability in the Oracle E-Business Suite (EBS) financial application.