A new modular malware named TELEPUZ has been identified, spreading through websites compromised with ClickFix lures since late April 2026. This malware is lightweight, modular, and under active development, as evidenced by the increasing number of daily submissions to VirusTotal.
ClickFix is a social engineering technique that deceives users into executing malicious commands by presenting them as solutions to fake browser errors, software updates, or CAPTCHA verifications. This method, known as pastejacking, involves injecting malicious scripts into a user’s clipboard and instructing them to paste and run these commands.
In the case of TELEPUZ, the attack begins with the execution of a PowerShell script, which downloads and runs a second-stage payload—a Go variant of the Vidar Stealer. This stealer is designed to harvest sensitive data from infected systems and deploy additional malware. Specifically, it downloads a stager binary that launches TELEPUZ (“telepuz.dll”) using “rundll32.exe.” Both the stager and the main DLL are retrieved from the domain “hurgadatour[.]shop.”
TELEPUZ is written in C and exhibits signs of being developed by a solo developer or a small team with coding expertise. Its modular design and the steady volume of VirusTotal submissions suggest it may be offered as malware-as-a-service (MaaS).
To evade detection, TELEPUZ employs several obfuscation techniques, including the insertion of non-functional instructions, import name hashing to resolve imports, string encryption, and indirect system calls. It also performs anti-virtual machine and geolocation checks by verifying hardware constraints, such as the number of CPUs, available memory, and disk space. Additionally, it ensures the system’s locale identifier (LCID) is not among a hard-coded list of Commonwealth of Independent States (CIS) countries.
The malware further checks the current username and computer name against a list of common sandbox and malware research identifiers. If it detects a sandboxed or virtualized environment, or an unauthorized geographic location, it terminates execution immediately.
Once these checks are passed, TELEPUZ disables security monitoring by unhooking NTDLL, turning off Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and removing third-party DllNotification callbacks. It also detects the presence of debuggers and crashes them. Finally, it generates a unique victim identifier by concatenating hardware serial numbers and other system information.
TELEPUZ’s emergence underscores the evolving sophistication of malware threats and the importance of user vigilance. The use of ClickFix lures highlights the need for users to be cautious when prompted to execute commands or download files from untrusted sources. Organizations should implement robust security measures, including regular software updates, employee training on social engineering tactics, and advanced threat detection systems to mitigate such risks.