Elastic Security Labs is tracking TELEPUZ, a modular and actively developed threat spreading through a CLICKFIX-VIDAR chain with stage hosting on domains such as hurgadatour[.]shop and C2 infrastructure including cal.joycedoula[.]com[.]br and cal.snehamumbai[.]org. The malware uses WebSockets, indirect syscalls, UAC bypass methods, anti-analysis checks, and multiple downloadable modules including keylogger, stealer, and web injector components. #TELEPUZ #CLICKFIX #VIDAR #hurgadatour #caljoycedoula #calsnehamumbai
Keypoints
- Elastic Security Labs is monitoring an emerging threat named TELEPUZ that has been active since late April 2026.
- The infection chain starts with a ClickFix social engineering lure that downloads and executes a second-stage VIDAR Go variant.
- TELEPUZ is a lightweight, modular, 64-bit Windows DLL with signs of active development and possible MaaS characteristics.
- The malware uses obfuscation, import hashing, string encryption, indirect syscalls, and anti-analysis checks to resist detection.
- It can elevate privileges, bypass UAC, steal SYSTEM tokens, install persistence as a service, and communicate with its C2 over WebSockets.
- TELEPUZ supports multiple fallback C2 discovery methods, including Telegram, Steam profiles, DNS, and Polygon blockchain-based resolution.
- Additional modules enable capabilities such as keylogging, credential/cookie theft, web injection, screenshotting, and process injection.
MITRE Techniques
- [T1204.002 ] User Execution: Malicious File â The attack begins when the user is tricked into copying and pasting a command from a malicious webpage, leading to code execution (âthe user visits a malicious web page and is prompted to copy and paste, then execute, a Windows shell commandâ).
- [T1059.001 ] Command and Scripting Interpreter: PowerShell â PowerShell is used to download and run the second stage from the staging URL (âPowerShell.exe -NoP -w h -ep bypass ⌠DownloadFileâ).
- [T1105 ] Ingress Tool Transfer â TELEPUZ and its stages download payloads, modules, and additional components from remote infrastructure (âdownloads the second stageâ, âretrieved from the hurgadatour[.]shop domainâ).
- [T1027 ] Obfuscated Files or Information â The malware uses garbage instructions, hashed imports, and encrypted strings to hinder analysis (âinterleaves its actual code with âgarbage instructionsââ, âdecrypts strings using a custom RC4 implementationâ).
- [T1027.001 ] Binary Padding â Garbage instructions are inserted to slow reverse engineering (âinterleaves its actual code with âgarbage instructionsââ).
- [T1027.009 ] Embedded Payloads â TELEPUZ stores and loads additional modules such as keylogger, stealer, and web injector components (âdownloads additional functional modules from its C2 serverâ).
- [T1106 ] Native API â The malware uses direct Windows NT APIs for syscalls, process inspection, and hiding from debuggers (âemploys indirect syscallsâ, âNtQueryInformationProcessâ).
- [T1562.001 ] Impair Defenses: Disable or Modify Tools â TELEPUZ patches AMSI and ETW functions to reduce visibility (âpatches the AmsiScanBuffer functionâ, âpatches EtwEventWrite, NtTraceEventâ).
- [T1562.006 ] Impair Defenses: Indicator Blocking â It removes third-party DLL notification callbacks and unhooks NTDLL to interfere with monitoring (âremove third party DllNotification callbacksâ, âmaps a fresh copy of ntdll.dllâ).
- [T1480.001 ] Execution Guardrails: Environmental Keying â The malware terminates in virtualized or disallowed environments and checks locale and hardware constraints (âfewer than two CPUsâ, âlocale identifier (LCID) is not among ⌠CIS countriesâ).
- [T1497.001 ] Virtualization/Sandbox Evasion: System Checks â It checks CPU, memory, disk space, usernames, computer names, and hypervisor indicators (âcommon sandbox and malware research identifiersâ).
- [T1055 ] Process Injection â TELEPUZ supports process hollowing and remote execution via downloads such as DownloadRunPE (âcreates a dllhost.exe process ⌠and performs process hollowingâ).
- [T1036 ] Masquerading â It disguises files, services, and exports to appear legitimate (âsystematically chosen to disguise the library as legitimate softwareâ, âservice name CipherAllocatorâ).
- [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder â It migrates and installs persistence in user and application data locations and service-related registry locations (âinstalls persistenceâ, âcreates the necessary registry keysâ).
- [T1543.003 ] Create or Modify System Process: Windows Service â TELEPUZ installs itself as a service via svchost.exe (âregisters itself as a service by creating the necessary registry keysâ).
- [T1068 ] Exploitation for Privilege Escalation â The malware attempts to elevate privileges through COM elevation moniker and AppInfo/DebugObjects approaches (âbypass UACâ).
- [T1057 ] Process Discovery â It inspects parent process names and running processes to avoid analysis and identify targets (âverifies the parent process name against a list of known runnersâ).
- [T1082 ] System Information Discovery â TELEPUZ derives a victim/session identifier from hardware serial number, computer name, and OS install date (âcombining the hardware serial number, the computer name, and the operating systemâs installation dateâ).
- [T1090 ] Proxy â The malware uses fallback infrastructure discovery via Telegram, Steam, DNS, and blockchain lookups to reach updated C2 locations (âfallback C2 address using 4 different methodsâ).
- [T1071.001 ] Application Layer Protocol: Web Protocols â TELEPUZ communicates with C2 using HTTP/WebSocket and optional TLS (âestablish communication using WebSockets with optional TLSâ).
- [T1095 ] Non-Application Layer Protocol â It establishes a raw TCP socket manually before WebSocket communication (âmanually establishes the connection via a TCP socketâ).
- [T1113 ] Screen Capture â The command list includes Screenshot capability (âScreenshotâ).
- [T1056.001 ] Input Capture: Keylogging â TELEPUZ can deploy a keylogger module (âDownloadStartKeyLoggerâ).
- [T1555.003 ] Credentials from Web Browsers â It includes a module to extract Chrome cookies and browser data (âExtractChromeCookiesUsingDownloadedChromeElevatorâ).
- [T1003 ] OS Credential Dumping â The stealer module and token theft functionality indicate credential access (âStealProcessTokenâ).
- [T1070.004 ] File Deletion â The malware deletes itself or downloaded files after migration (âdelete the current sampleâ).
Indicators of Compromise
- [Domains ] staging and C2 infrastructure â memshowblob[.]forum, hurgadatour[.]shop, cal.joycedoula[.]com[.]br, cal.snehamumbai[.]org
- [URLs ] stage download and fallback sources â hxxps://memshowblob[.]forum/api/index.php?a=grab, hxxps://hurgadatour[.]shop/files/telemetriawork/telepuz.dll
- [IP Addresses ] stage hosting seen in the campaign â 172.67.215[.]214, 172.67.165[.]144
- [File Names ] payloads and modules â f322a5fa.exe, install.exe, telepuz.dll, chromeelevator.bin
- [File Hashes (SHA-256) ] referenced samples and modules â 58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed, 03fa348b70819296c958c842e7646b3b7efe5fa217ed5098143003c47995a746, and 4 more hashes
- [Registry Keys ] persistence and service setup â HKLMSYSTEMCurrentControlSetServicesCipherAllocator, HKLMSYSTEMCurrentControlSetServicesPilotmasterMast
- [Mutexes ] synchronization objects â cfgmgr_mtx, bginfod_mtx, wfj64_mtx
- [Paths ] persistence and installation locations â %AppData%LocalDCFGRuntimeThemesProcessoretwhost.dll, %ProgramData%XeroxPrintTempWorkergrpeng.dll
- [Blockchain Artifacts ] smart contract used for C2 resolution â 0xf55Bea1FdCf1c3ABb39ab92567C09aC1BFf6753E, method selector 0xc3f909d4
Read more: https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix