TELEPUZ Malware Uses ClickFix Lures to Drop Vidar Stealer via PowerShell
Elastic Security Labs researcher Cyril François has disclosed a new modular malware family dubbed TELEPUZ that has been proliferating through ClickFix-infected websites since late April 2026. ClickFix is a clipboard-hijacking social engineering technique that tricks users into pasting and executing malicious PowerShell commands disguised as CAPTCHA verifications, browser error fixes, or software updates. TELEPUZ is only the second threat actor—after SCMBANKER—to weaponize this attack vector, underscoring how rapidly adversaries are adopting pastejacking campaigns at scale. Researchers note that a high daily upload volume to VirusTotal and a brisk release cadence point to active development and likely distribution under a malware-as-a-service model.
The infection chain begins when a user follows ClickFix instructions and runs a PowerShell command that fetches a second-stage payload from the domain hurgadatour[.]shop. The payload is a Go-based variant of the Vidar Stealer, a well-known credential and data harvester, which then deploys a stager binary responsible for loading telepuz.dll through rundll32.exe. Written in C and described as lightweight and modular, TELEPUZ incorporates anti-analysis defenses including garbage instructions, import name hashing, string encryption, and indirect NT system calls. Security teams can verify whether suspicious domains like hurgadatour[.]shop are already communicating with endpoints using the WHOIS lookup tool to trace registrant details and hosting history.
Before activating its core functions, TELEPUZ runs a gauntlet of evasion checks: it inspects hardware constraints (fewer than two CPUs, less than 2 GB of RAM, or limited disk space), validates the system's locale identifier against a blocklist of Commonwealth of Independent States countries, and compares the current username and computer name against common sandbox and malware-research strings. If any check fails, the binary terminates immediately. Once execution proceeds, the malware unhooks NTDLL, disables Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and removes security hooks to blind endpoint detection tools. It then establishes command-and-control communication with a small set of remote servers to run arbitrary commands and exfiltrate stolen data.
The TELEPUZ campaign reinforces a broader pattern: stealer families like Vidar are increasingly being chained with custom DLL loaders to extend dwell time and modularity. Defenders should monitor for rundll32.exe spawning from unusual parent processes, audit outbound traffic to newly registered domains, and review PowerShell execution logs for one-liner patterns associated with ClickFix. Users concerned about credential exposure from Vidar-family infections can confirm whether their accounts appear in known collections using the email breach checker, and run the privacy checkup to review broader exposure across their digital footprint.