Elastic Security Labs has identified TELEPUZ, a rapidly evolving and modular malware threat distributed via the CLICKFIX-VIDAR infection chain since late April 2026. The malware is characterized by its lightweight C-based architecture and sophisticated social engineering tactics, where users are manipulated into executing PowerShell commands that facilitate the deployment of the main payload and its various functional modules.
Technically, TELEPUZ employs advanced evasion and persistence mechanisms, including indirect syscalls, custom RC4 string encryption, and multiple UAC bypass techniques to install itself as a Windows service. It features robust anti-analysis checks to detect sandboxes and debuggers, and specifically avoids systems located in Commonwealth of Independent States (CIS) countries.
The malware's command-and-control (C2) strategy is particularly resilient, utilizing decentralized fallback mechanisms such as Telegram profiles, Steam names, and even smart contracts on the Polygon blockchain. With a suite of 36 commands and specialized modules for web injection, keylogging, and browser credential theft, TELEPUZ appears to be an active Malware-as-a-Service (MaaS) in its early growth phase.
Top comments (0)