Close Menu
    What's Hot

    Sudanese minister says war has ‘profoundly reshaped’ nation’s demographics | Sudan war News

    Under Tinubu, Nigeria Is Quietly Becoming a Diplomatic Powerhouse

    US targets Brazil with tariffs as relations deteriorate

    Facebook X (Twitter) Instagram
    Trending
    • Sudanese minister says war has ‘profoundly reshaped’ nation’s demographics | Sudan war News
    • Under Tinubu, Nigeria Is Quietly Becoming a Diplomatic Powerhouse
    • US targets Brazil with tariffs as relations deteriorate
    • Perps are distracting Wall Street, not disrupting it
    • New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands
    • SpaceX stock fell below its IPO price for the first time this week. Here are a few reasons why
    • XPeng’s New ‘Budget’ EV Looks Like the Ferrari Luce
    • Anthropic Inches Toward a Mega-I.P.O.
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

    adminBy adminJuly 16, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands
    Share
    Facebook Twitter LinkedIn Pinterest Email

    New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

    Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that’s been spreading via websites infected with ClickFix lures since late April 2026.

    “The malware is full-featured, lightweight, and modular,” Elastic Security Labs researcher Cyril François said in a technical report. “While the number of C2 [command-and-control] domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth.”

    The disclosure makes it the second new threat actor after SCMBANKER to be propagated via ClickFix, a pervasive social engineering attack that tricks users into manually running malicious commands by disguising them as innocent fixes for fake browser errors, software updates, or CAPTCHA verifications.

    Underpinning the technique is an approach called clipboard hijacking. Because web pages using ClickFix inject malicious script or commands into a potential victim’s clipboard and provide instructions to paste and run them, it’s also referred to as pastejacking.

    The ClickFix attack chain linked to TELEPUZ results in the execution of PowerShell, which downloads a second-stage payload from a remote URL and executes it. The payload is a Go variant of the Vidar Stealer, which is known to harvest sensitive data from infected hosts and deploy secondary malware, in this case a stager binary that’s responsible for launching TELEPUZ (“telepuz.dll”) using “rundll32.exe.” Both the stager and main DLL binary are retrieved from “hurgadatour[.]shop” domain.

    Cybersecurity

    Written in C, TELEPUZ is lightweight and modular, and exhibits signs that it was developed by a solo developer or a very small team with expertise in coding. A steady volume of daily VirusTotal submissions associated with the threat suggests that it’s likely offered under a malware-as-a-service (MaaS) model.

    TELEPUZ also incorporates a number of obfuscation techniques, such as garbage instructions that serve no functional purpose, import name hashing to resolve imports, string encryption, and indirect system calls, to thwart analysis efforts.

    It then proceeds to perform anti-VM and geolocation checks by verifying hardware constraints, such as whether the machine has fewer than two CPUs, less than 2GB of memory, or insufficient disk space, and ensuring the system’s locale identifier (LCID) is not among a hard-coded list of Commonwealth of Independent States (CIS) countries.

    On top of that, the malware compares the current username and computer name against a hard-coded list of common sandbox and malware research identifiers. The aim of these checks is to terminate execution immediately if a sandboxed or virtualized environment, or an unauthorized geographic location, is detected.

    Once all the checks pass, TELEPUZ takes steps to disable security monitoring by unhooking NTDLL, turning off Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and removing third-party DllNotification callbacks, which allow an application to receive alerts when a DLL is loaded or unloaded.

    The defense evasion routine is followed by checks to detect the presence of debuggers and crash them. It then fetches the parent process ID and validates the parent process name against a list of known runners, such as “rundll32.exe” and “svchost.exe.” In the final stage, it generates a unique victim identifier that’s derived by concatenating the hardware serial number, the computer name, and the operating system’s installation date.

    “Following successful session identification, the malware spawns two concurrent threads: one dedicated to elevating itself and installing the malware as a service, and the other to initiate the C2 communication loop,” François said. “The installation thread starts by elevating itself as Admin using the COM elevation moniker technique.”

    “Upon achieving elevation and depending on the configuration, TELEPUZ next tries to get SYSTEM privilege by stealing the token of the first found process with one of the following names: spoolsv.exe, msdtc.exe, WmiPrvSE.exe, svchost.exe. Next, it registers itself as a service by creating the necessary registry keys to instruct Windows to load the malware within a new svchost.exe instance.”

    Cybersecurity

    In tandem, the malware attempts to establish contact with its C2 server up to 10 times. If these tries end up in failure, TELEPUZ attempts to fetch the fallback C2 address using four different methods –

    • By extracting an encrypted URL from a Telegram profile’s (“t[.]me/chanadarkpart”) description. The channel was created on April 28, 2026.
    • By extracting an encrypted URL from a Steam Community profile. The URL points to the same C2 address found in the Telegram channel.
    • By running a DNS query for the domain codebasecode[.]com, it extracts and decrypts the fallback C2 address.
    • By extracting an encrypted URL from a Polygon blockchain smart contract.

    TELEPUZ uses the C2 server to establish communication using WebSockets with optional TLS, and awaits instructions from the operator, allowing it to perform a wide range of malicious actions, including file enumeration, file operations, keystroke logging, command execution, process management, screenshot capture, web injection, and cookie extraction for Chromium-based browsers. It can also download and run executables and DLL modules.

    The web injector component can also directly talk to the C2 server to receive and execute commands aimed at Chromium-based browsers and Mozilla Firefox. The commands make it possible to siphon cookies and run arbitrary JavaScript on the browsers by taking advantage of the Chrome DevTools Protocol (CDP) and WebDriver BiDi protocol.

    “Their limited number suggests that what we think is a MaaS is still in its early stages, despite the high volume of builds generated,” Elastic said. “While the staging domains are protected by Cloudflare, concealing their true hosting locations, the C2 servers have been identified as compromised websites located in Brazil and India, respectively.”

    ClickFix Commands data Malware run spreads steal TELEPUZ
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleSpaceX stock fell below its IPO price for the first time this week. Here are a few reasons why
    Next Article Perps are distracting Wall Street, not disrupting it
    admin
    • Website

    Related Posts

    AI Can Find Bugs, But Human Knowledge Still Proves Them

    July 16, 2026

    OpenAI’s GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol

    July 16, 2026

    India Is Moving Fast to Build A.I. Data Centers. A Coastal City May Pay the Price.

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Sudanese minister says war has ‘profoundly reshaped’ nation’s demographics | Sudan war News

    Under Tinubu, Nigeria Is Quietly Becoming a Diplomatic Powerhouse

    US targets Brazil with tariffs as relations deteriorate

    Perps are distracting Wall Street, not disrupting it

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by