Advertisement
Cyber Crime

TELEPUZ Malware Exploits User Trust

A modular, C-based threat is weaponizing social engineering tactics to gain administrative control over compromised Windows systems.

··1 hour ago·2 min read
Abstract blue background with floating symbols
Photo by Egor Komarov on Unsplash
Advertisement

The security landscape is currently navigating the emergence of TELEPUZ, a sophisticated modular malware strain that has been actively circulating since late April 2026. By leveraging ClickFix lures—a pervasive social engineering attack that coerces users into executing malicious scripts under the guise of system repairs—the threat actor effectively bridges the gap between basic deception and deep-level system compromise.

Tactical Execution and Defense Evasion

Once a user is manipulated into running the initial PowerShell command, a secondary payload is retrieved from a remote domain. This payload, a Go-based iteration of the Vidar Stealer, acts as a staging mechanism to drop the main TELEPUZ DLL. The malware is designed with a high degree of modularity, employing defensive maneuvers like import name hashing, string encryption, and indirect system calls to frustrate forensic investigators and automated sandboxes.

Before executing its primary malicious payload, the software conducts a rigorous internal audit of the host environment. It specifically targets security infrastructure by disabling AMSI and ETW, and systematically removing third-party DllNotification callbacks to blind local monitoring tools. If the environment is identified as a sandbox or a virtual machine, or if the system locale falls within specific CIS-region countries, the malware terminates immediately.

Command and Control Infrastructure

The persistence mechanisms within TELEPUZ demonstrate a high degree of engineering, particularly regarding its communication resilience. The malware attempts to reach out to its command-and-control server, utilizing fallback mechanisms that include checking a Steam Community profile and a Polygon blockchain smart contract to locate its operator. This decentralized approach ensures that even if primary infrastructure is disrupted, the malware can regain connectivity.

The malware is full-featured, lightweight, and modular. While the number of C2 [command-and-control] domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth.

— Cyril François, Elastic Security Labs researcher

Quantifiable Operational Statistics

  • TELEPUZ has been observed spreading via ClickFix lures since late April 2026.
  • The malware attempts to contact its C2 server up to 10 times before cycling through fallback addresses.
  • Initial environment checks verify that the host machine meets minimum requirements, specifically seeking at least 2 CPUs and 2GB of memory.

Implications for System Integrity

The rise of TELEPUZ highlights a broader shift in how cybercriminals approach user-level exploitation. By combining high-level social engineering with complex unhooking techniques, attackers are significantly lowering the barrier to achieving SYSTEM-level privileges. For organizations, this necessitates moving beyond standard endpoint detection to monitor for anomalies in process elevation and unexpected registry modifications. Because the threat utilizes legitimate tools like rundll32.exe for execution, defensive strategies must prioritize behavioral analysis over simple file-based signatures.

#malware#telepuz#clickfix#endpoint security#cybercrime

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement