TELEPUZ Malware Spreads via ClickFix Pastejacking Attacks

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Elastic Security Labs researcher Cyril François disclosed TELEPUZ, a modular C-based malware with signs of solo or small-team development, likely offered under a malware-as-a-service model given high daily VirusTotal build volumes.
- ClickFix uses clipboard hijacking (pastejacking) to trick users into pasting and running malicious PowerShell commands disguised as browser fixes, CAPTCHA verifications, or software updates.
- The ClickFix-to-TELEPUZ chain downloads a Go variant of Vidar Stealer from "hurgadatour[.]shop," which deploys TELEPUZ ("telepuz.dll") via rundll32.exe as a second-stage stager.
- TELEPUZ performs anti-VM, geolocation (excluding CIS countries), and sandbox checks — terminating on machines with fewer than 2 CPUs or under 2GB RAM — then disables AMSI, ETW, and NTDLL hooks before escalating to Admin and SYSTEM privileges and registering as a Windows service.
- If its initial C2 fails, the malware retrieves fallback addresses from four resilient sources: a Telegram channel ("t[.]me/chanadarkpart"), a Steam Community profile, a DNS query to codebasecode[.]com, and a Polygon blockchain smart contract.
- TELEPUZ uses Chrome DevTools Protocol and WebDriver BiDi to extract cookies and execute JavaScript on Chromium and Firefox browsers, alongside keystroke logging, screenshot capture, file enumeration, and arbitrary command execution.
- The identified C2 servers are compromised websites located in Brazil and India, protected by Cloudflare at the staging domain layer.
Why it matters: TELEPUZ uses browser DevTools protocols (CDP, WebDriver BiDi) to siphon cookies from Chromium and Firefox and inject arbitrary JavaScript — putting authenticated web sessions and crypto wallets at direct risk. Its fallback C2 chain hidden across Telegram, Steam, DNS, and a Polygon smart contract means defenders must disrupt four separate infrastructure layers to fully sever attacker control, a takedown complexity rarely seen in current ClickFix-borne malware.



