TELEPUZ: a modular MaaS malware spreading via CLICKFIX-VIDAR chains
TELEPUZ is a modular malware-as-a-service first identified in April 2026 that spreads through CLICKFIX-VIDAR infection chains. It uses advanced evasion techniques such as indirect syscalls, NTDLL unhooking, and anti-VM checks. The malware establishes persistence by installing services and communicates with command-and-control servers via WebSockets. It downloads additional modules for keylogging, credential theft, and web injection. Initial infection relies on social engineering to trick victims into running PowerShell commands that deploy VIDAR, which then delivers TELEPUZ components. Despite limited command-and-control infrastructure, high daily build volumes suggest active development by a small team or individual. No known exploits in the wild or patches are indicated.
AI Analysis
Technical Summary
TELEPUZ is a newly emerged modular malware-as-a-service (MaaS) detected in April 2026, spreading through infection chains involving CLICKFIX and VIDAR malware. It employs sophisticated evasion techniques including indirect system calls, unhooking of NTDLL, and anti-virtual machine checks to avoid detection. Persistence is achieved by installing itself as a service. TELEPUZ communicates with its command-and-control servers using WebSockets and downloads additional malicious modules that enable keylogging, credential theft, and web injection capabilities. The infection vector begins with social engineering tactics that convince victims to execute PowerShell commands, which deploy VIDAR as a second stage, subsequently delivering TELEPUZ components. The malware's infrastructure is limited but daily build volumes are high, indicating ongoing active development and expansion by likely a small team or solo developer offering malware-as-a-service.
Potential Impact
The malware enables attackers to maintain persistent access on infected systems, steal credentials, log keystrokes, and perform web injection attacks. This can lead to significant data compromise and unauthorized access. The use of advanced evasion techniques makes detection and removal more challenging. The infection chain relies on social engineering, increasing the risk of user-targeted compromise. There are no known exploits in the wild beyond the described infection method.
Mitigation Recommendations
No official patches or fixes are available as this is malware rather than a software vulnerability. Mitigation should focus on user education to prevent execution of unsolicited PowerShell commands and social engineering attacks. Endpoint detection and response solutions should be updated to detect indicators of compromise related to TELEPUZ and its infection chain components (CLICKFIX and VIDAR). Network monitoring for suspicious WebSocket communications to known command-and-control domains and IPs may help identify infections. Regular threat intelligence updates including the provided hashes and domains should be integrated into security controls. Since this is a MaaS offering, vigilance against emerging variants is advised.
Indicators of Compromise
- hash: 03fa348b70819296c958c842e7646b3b7efe5fa217ed5098143003c47995a746
- hash: 444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1
- hash: 580b441e2961739fd26e54e0a0ea08351cb10a51839519fc722cfa39ecd0c954
- hash: 58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed
- hash: 9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477eb
- hash: a955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3
- hash: bf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343
- hash: cee96a38e2dfe31ccf8c3aa7d0d9323e1e3183b2478ba582285822e943d242e9
- hash: ff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3e
- url: https://memshowblob.forum/api/index.php?a=grab
- domain: hurgadatour.shop
- domain: cal.joycedoula.com.br
- domain: cal.snehamumbai.org
TELEPUZ: a modular MaaS malware spreading via CLICKFIX-VIDAR chains
Description
TELEPUZ is a modular malware-as-a-service first identified in April 2026 that spreads through CLICKFIX-VIDAR infection chains. It uses advanced evasion techniques such as indirect syscalls, NTDLL unhooking, and anti-VM checks. The malware establishes persistence by installing services and communicates with command-and-control servers via WebSockets. It downloads additional modules for keylogging, credential theft, and web injection. Initial infection relies on social engineering to trick victims into running PowerShell commands that deploy VIDAR, which then delivers TELEPUZ components. Despite limited command-and-control infrastructure, high daily build volumes suggest active development by a small team or individual. No known exploits in the wild or patches are indicated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
TELEPUZ is a newly emerged modular malware-as-a-service (MaaS) detected in April 2026, spreading through infection chains involving CLICKFIX and VIDAR malware. It employs sophisticated evasion techniques including indirect system calls, unhooking of NTDLL, and anti-virtual machine checks to avoid detection. Persistence is achieved by installing itself as a service. TELEPUZ communicates with its command-and-control servers using WebSockets and downloads additional malicious modules that enable keylogging, credential theft, and web injection capabilities. The infection vector begins with social engineering tactics that convince victims to execute PowerShell commands, which deploy VIDAR as a second stage, subsequently delivering TELEPUZ components. The malware's infrastructure is limited but daily build volumes are high, indicating ongoing active development and expansion by likely a small team or solo developer offering malware-as-a-service.
Potential Impact
The malware enables attackers to maintain persistent access on infected systems, steal credentials, log keystrokes, and perform web injection attacks. This can lead to significant data compromise and unauthorized access. The use of advanced evasion techniques makes detection and removal more challenging. The infection chain relies on social engineering, increasing the risk of user-targeted compromise. There are no known exploits in the wild beyond the described infection method.
Mitigation Recommendations
No official patches or fixes are available as this is malware rather than a software vulnerability. Mitigation should focus on user education to prevent execution of unsolicited PowerShell commands and social engineering attacks. Endpoint detection and response solutions should be updated to detect indicators of compromise related to TELEPUZ and its infection chain components (CLICKFIX and VIDAR). Network monitoring for suspicious WebSocket communications to known command-and-control domains and IPs may help identify infections. Regular threat intelligence updates including the provided hashes and domains should be integrated into security controls. Since this is a MaaS offering, vigilance against emerging variants is advised.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix"]
- Adversary
- null
- Pulse Id
- 6a584223f539e1c98cd537cb
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash03fa348b70819296c958c842e7646b3b7efe5fa217ed5098143003c47995a746 | — | |
hash444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1 | — | |
hash580b441e2961739fd26e54e0a0ea08351cb10a51839519fc722cfa39ecd0c954 | — | |
hash58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed | — | |
hash9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477eb | — | |
hasha955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3 | — | |
hashbf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343 | — | |
hashcee96a38e2dfe31ccf8c3aa7d0d9323e1e3183b2478ba582285822e943d242e9 | — | |
hashff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3e | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://memshowblob.forum/api/index.php?a=grab | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainhurgadatour.shop | — | |
domaincal.joycedoula.com.br | — | |
domaincal.snehamumbai.org | — |
Threat ID: 6a58b34e68715ace43d5393b
Added to database: 07/16/2026, 10:32:46 UTC
Last enriched: 07/16/2026, 13:18:46 UTC
Last updated: 07/16/2026, 18:09:33 UTC
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.