TELEPUZ: a modular MaaS malware spreading via CLICKFIX-VIDAR chains

TELEPUZ: a modular MaaS malware spreading via CLICKFIX-VIDAR chains
Elastic Security Labs is tracking TELEPUZ, a modular and actively developed threat spreading through a CLICKFIX-VIDAR chain with stage hosting on domains such as hurgadatour[.]shop and C2 infrastructure including cal.joycedoula[.]com[.]br and cal.snehamumbai[.]org. The malware uses WebSockets, indirect syscalls, UAC bypass methods, anti-analysis checks, and multiple downloadable modules including keylogger, stealer, and web injector components. #TELEPUZ #CLICKFIX #VIDAR #hurgadatour #caljoycedoula #calsnehamumbai

Keypoints

  • Elastic Security Labs is monitoring an emerging threat named TELEPUZ that has been active since late April 2026.
  • The infection chain starts with a ClickFix social engineering lure that downloads and executes a second-stage VIDAR Go variant.
  • TELEPUZ is a lightweight, modular, 64-bit Windows DLL with signs of active development and possible MaaS characteristics.
  • The malware uses obfuscation, import hashing, string encryption, indirect syscalls, and anti-analysis checks to resist detection.
  • It can elevate privileges, bypass UAC, steal SYSTEM tokens, install persistence as a service, and communicate with its C2 over WebSockets.
  • TELEPUZ supports multiple fallback C2 discovery methods, including Telegram, Steam profiles, DNS, and Polygon blockchain-based resolution.
  • Additional modules enable capabilities such as keylogging, credential/cookie theft, web injection, screenshotting, and process injection.

MITRE Techniques

  • [T1204.002 ] User Execution: Malicious File – The attack begins when the user is tricked into copying and pasting a command from a malicious webpage, leading to code execution (‘the user visits a malicious web page and is prompted to copy and paste, then execute, a Windows shell command’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell is used to download and run the second stage from the staging URL (‘PowerShell.exe -NoP -w h -ep bypass … DownloadFile’).
  • [T1105 ] Ingress Tool Transfer – TELEPUZ and its stages download payloads, modules, and additional components from remote infrastructure (‘downloads the second stage’, ‘retrieved from the hurgadatour[.]shop domain’).
  • [T1027 ] Obfuscated Files or Information – The malware uses garbage instructions, hashed imports, and encrypted strings to hinder analysis (‘interleaves its actual code with “garbage instructions”’, ‘decrypts strings using a custom RC4 implementation’).
  • [T1027.001 ] Binary Padding – Garbage instructions are inserted to slow reverse engineering (‘interleaves its actual code with “garbage instructions”’).
  • [T1027.009 ] Embedded Payloads – TELEPUZ stores and loads additional modules such as keylogger, stealer, and web injector components (‘downloads additional functional modules from its C2 server’).
  • [T1106 ] Native API – The malware uses direct Windows NT APIs for syscalls, process inspection, and hiding from debuggers (’employs indirect syscalls’, ‘NtQueryInformationProcess’).
  • [T1562.001 ] Impair Defenses: Disable or Modify Tools – TELEPUZ patches AMSI and ETW functions to reduce visibility (‘patches the AmsiScanBuffer function’, ‘patches EtwEventWrite, NtTraceEvent’).
  • [T1562.006 ] Impair Defenses: Indicator Blocking – It removes third-party DLL notification callbacks and unhooks NTDLL to interfere with monitoring (‘remove third party DllNotification callbacks’, ‘maps a fresh copy of ntdll.dll’).
  • [T1480.001 ] Execution Guardrails: Environmental Keying – The malware terminates in virtualized or disallowed environments and checks locale and hardware constraints (‘fewer than two CPUs’, ‘locale identifier (LCID) is not among … CIS countries’).
  • [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – It checks CPU, memory, disk space, usernames, computer names, and hypervisor indicators (‘common sandbox and malware research identifiers’).
  • [T1055 ] Process Injection – TELEPUZ supports process hollowing and remote execution via downloads such as DownloadRunPE (‘creates a dllhost.exe process … and performs process hollowing’).
  • [T1036 ] Masquerading – It disguises files, services, and exports to appear legitimate (‘systematically chosen to disguise the library as legitimate software’, ‘service name CipherAllocator’).
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – It migrates and installs persistence in user and application data locations and service-related registry locations (‘installs persistence’, ‘creates the necessary registry keys’).
  • [T1543.003 ] Create or Modify System Process: Windows Service – TELEPUZ installs itself as a service via svchost.exe (‘registers itself as a service by creating the necessary registry keys’).
  • [T1068 ] Exploitation for Privilege Escalation – The malware attempts to elevate privileges through COM elevation moniker and AppInfo/DebugObjects approaches (‘bypass UAC’).
  • [T1057 ] Process Discovery – It inspects parent process names and running processes to avoid analysis and identify targets (‘verifies the parent process name against a list of known runners’).
  • [T1082 ] System Information Discovery – TELEPUZ derives a victim/session identifier from hardware serial number, computer name, and OS install date (‘combining the hardware serial number, the computer name, and the operating system’s installation date’).
  • [T1090 ] Proxy – The malware uses fallback infrastructure discovery via Telegram, Steam, DNS, and blockchain lookups to reach updated C2 locations (‘fallback C2 address using 4 different methods’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – TELEPUZ communicates with C2 using HTTP/WebSocket and optional TLS (‘establish communication using WebSockets with optional TLS’).
  • [T1095 ] Non-Application Layer Protocol – It establishes a raw TCP socket manually before WebSocket communication (‘manually establishes the connection via a TCP socket’).
  • [T1113 ] Screen Capture – The command list includes Screenshot capability (‘Screenshot’).
  • [T1056.001 ] Input Capture: Keylogging – TELEPUZ can deploy a keylogger module (‘DownloadStartKeyLogger’).
  • [T1555.003 ] Credentials from Web Browsers – It includes a module to extract Chrome cookies and browser data (‘ExtractChromeCookiesUsingDownloadedChromeElevator’).
  • [T1003 ] OS Credential Dumping – The stealer module and token theft functionality indicate credential access (‘StealProcessToken’).
  • [T1070.004 ] File Deletion – The malware deletes itself or downloaded files after migration (‘delete the current sample’).

Indicators of Compromise

  • [Domains ] staging and C2 infrastructure – memshowblob[.]forum, hurgadatour[.]shop, cal.joycedoula[.]com[.]br, cal.snehamumbai[.]org
  • [URLs ] stage download and fallback sources – hxxps://memshowblob[.]forum/api/index.php?a=grab, hxxps://hurgadatour[.]shop/files/telemetriawork/telepuz.dll
  • [IP Addresses ] stage hosting seen in the campaign – 172.67.215[.]214, 172.67.165[.]144
  • [File Names ] payloads and modules – f322a5fa.exe, install.exe, telepuz.dll, chromeelevator.bin
  • [File Hashes (SHA-256) ] referenced samples and modules – 58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed, 03fa348b70819296c958c842e7646b3b7efe5fa217ed5098143003c47995a746, and 4 more hashes
  • [Registry Keys ] persistence and service setup – HKLMSYSTEMCurrentControlSetServicesCipherAllocator, HKLMSYSTEMCurrentControlSetServicesPilotmasterMast
  • [Mutexes ] synchronization objects – cfgmgr_mtx, bginfod_mtx, wfj64_mtx
  • [Paths ] persistence and installation locations – %AppData%LocalDCFGRuntimeThemesProcessoretwhost.dll, %ProgramData%XeroxPrintTempWorkergrpeng.dll
  • [Blockchain Artifacts ] smart contract used for C2 resolution – 0xf55Bea1FdCf1c3ABb39ab92567C09aC1BFf6753E, method selector 0xc3f909d4


Read more: https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix