Cybersecurity experts have identified a new threat in the form of TELEPUZ, a modular malware spreading through compromised websites using ClickFix tactics since April 2026. This malware employs social engineering strategies to deceive users into executing harmful commands, posing significant risks to data security.
Understanding TELEPUZ’s Mechanism
TELEPUZ operates by leveraging ClickFix, a method where users are tricked into running malicious scripts disguised as legitimate browser fixes or updates. This process, known as pastejacking, involves inserting harmful commands into a user’s clipboard, which are then executed when pasted into a terminal.
Once activated, TELEPUZ initiates a PowerShell command that downloads additional payloads. These payloads, including a Go variant of the Vidar Stealer, are designed to extract sensitive information from the victim’s system. The malware’s primary components are sourced from the hurgadatour[.]shop domain, showcasing its sophisticated deployment methodology.
Technical Features and Evasion Tactics
Constructed in the C programming language, TELEPUZ is both lightweight and versatile, suggesting it may have been developed by a small, skilled team. It employs several obfuscation techniques, such as code encryption and indirect system calls, to mask its activities and avoid detection by security systems.
This malware also performs various checks to evade virtual environments and sandbox detection. It assesses hardware specifications, such as CPU count and memory size, to evade execution in unauthorized settings. Furthermore, it disables security measures by unhooking key system components, ensuring its uninterrupted operation.
Establishing Control and Communication
After confirming a successful infiltration, TELEPUZ escalates its privileges and installs itself as a persistent service. It seeks to gain SYSTEM-level access by impersonating trusted processes, thereby embedding itself deeply within the victim’s system.
The malware attempts to connect with its command-and-control (C2) servers to receive further instructions. If initial contact fails, it uses alternative methods, including extracting encrypted URLs from various online profiles and blockchain contracts, to locate fallback C2 addresses.
TELEPUZ’s capabilities extend to file manipulation, keystroke logging, and browser data extraction, among other malicious activities. Its web injection feature allows direct interaction with browsers to execute commands and exploit vulnerabilities.
Despite its current limited deployment, TELEPUZ’s modular nature and the growing volume of its builds suggest potential expansion. The malware is likely offered as a service, indicating a new wave of organized cybercrime. As cybersecurity measures evolve, continuous vigilance is essential to counteract such threats effectively.
