Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

TELEPUZ: a modular MaaS malware spreading via CLICKFIX-VIDAR chains

0
Medium
Published: 07/16/2026 (07/16/2026, 02:29:55 UTC)
Source: AlienVault OTX General

Description

TELEPUZ is a modular malware-as-a-service first identified in April 2026 that spreads through CLICKFIX-VIDAR infection chains. It uses advanced evasion techniques such as indirect syscalls, NTDLL unhooking, and anti-VM checks. The malware establishes persistence by installing services and communicates with command-and-control servers via WebSockets. It downloads additional modules for keylogging, credential theft, and web injection. Initial infection relies on social engineering to trick victims into running PowerShell commands that deploy VIDAR, which then delivers TELEPUZ components. Despite limited command-and-control infrastructure, high daily build volumes suggest active development by a small team or individual. No known exploits in the wild or patches are indicated.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 13:18:46 UTC

Technical Analysis

TELEPUZ is a newly emerged modular malware-as-a-service (MaaS) detected in April 2026, spreading through infection chains involving CLICKFIX and VIDAR malware. It employs sophisticated evasion techniques including indirect system calls, unhooking of NTDLL, and anti-virtual machine checks to avoid detection. Persistence is achieved by installing itself as a service. TELEPUZ communicates with its command-and-control servers using WebSockets and downloads additional malicious modules that enable keylogging, credential theft, and web injection capabilities. The infection vector begins with social engineering tactics that convince victims to execute PowerShell commands, which deploy VIDAR as a second stage, subsequently delivering TELEPUZ components. The malware's infrastructure is limited but daily build volumes are high, indicating ongoing active development and expansion by likely a small team or solo developer offering malware-as-a-service.

Potential Impact

The malware enables attackers to maintain persistent access on infected systems, steal credentials, log keystrokes, and perform web injection attacks. This can lead to significant data compromise and unauthorized access. The use of advanced evasion techniques makes detection and removal more challenging. The infection chain relies on social engineering, increasing the risk of user-targeted compromise. There are no known exploits in the wild beyond the described infection method.

Mitigation Recommendations

No official patches or fixes are available as this is malware rather than a software vulnerability. Mitigation should focus on user education to prevent execution of unsolicited PowerShell commands and social engineering attacks. Endpoint detection and response solutions should be updated to detect indicators of compromise related to TELEPUZ and its infection chain components (CLICKFIX and VIDAR). Network monitoring for suspicious WebSocket communications to known command-and-control domains and IPs may help identify infections. Regular threat intelligence updates including the provided hashes and domains should be integrated into security controls. Since this is a MaaS offering, vigilance against emerging variants is advised.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix"]
Adversary
null
Pulse Id
6a584223f539e1c98cd537cb
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash03fa348b70819296c958c842e7646b3b7efe5fa217ed5098143003c47995a746
hash444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1
hash580b441e2961739fd26e54e0a0ea08351cb10a51839519fc722cfa39ecd0c954
hash58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed
hash9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477eb
hasha955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3
hashbf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343
hashcee96a38e2dfe31ccf8c3aa7d0d9323e1e3183b2478ba582285822e943d242e9
hashff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3e

Url

ValueDescriptionCopy
urlhttps://memshowblob.forum/api/index.php?a=grab

Domain

ValueDescriptionCopy
domainhurgadatour.shop
domaincal.joycedoula.com.br
domaincal.snehamumbai.org

Threat ID: 6a58b34e68715ace43d5393b

Added to database: 07/16/2026, 10:32:46 UTC

Last enriched: 07/16/2026, 13:18:46 UTC

Last updated: 07/16/2026, 18:09:33 UTC

Views: 53

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses