ClickFix-based TELEPUZ distribution campaign
Campaign
Summary
Hide ▲
Show ▼
The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and install malware. The infection chain uses PowerShell and rundll32.exe to load telepuz.dll, then enables data theft, cookie extraction, web injection, and remote command execution. The operation has been active since late April 2026 and uses clipboard hijacking/pastejacking to disguise the malicious prompt. Compromised infrastructure and fallback delivery paths make the distribution harder to block.
Related Happenings
TELEPUZ modular malware spread via ClickFix lures
Malware Activity
H score29
First: 16.07.2026 15:50
Last: 16.07.2026 15:50
Sources 1
How related:
Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026.
About this happening:
The TELEPUZ malware family is actively spreading through ClickFix lures, raising the risk of credential theft and remote command execution on infected systems. The...
TELEPUZ modular malware spread via ClickFix lures
Malware ActivityHow related: Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026.
About this happening: The TELEPUZ malware family is actively spreading through ClickFix lures, raising the risk of credential theft and remote command execution on infected systems. The...
ClickLock ClickFix macOS targeting campaign
Campaign
H score33
First: 16.07.2026 15:33
Last: 16.07.2026 15:33
Sources 1
About this happening:
Group-IB reported a ClickLock Stealer macOS campaign using ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter passwords. The o...
ClickLock ClickFix macOS targeting campaign
CampaignAbout this happening: Group-IB reported a ClickLock Stealer macOS campaign using ClickFix paste-a-command lures and coercive app-killing loops to force victims to enter passwords. The o...
ClickLock Stealer macOS forced-interaction infostealer activity
Malware Activity
H score27
First: 16.07.2026 15:33
Last: 16.07.2026 15:33
Sources 1
About this happening:
ClickLock Stealer is a macOS infostealer that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce password entry. Group-IB said the ma...
ClickLock Stealer macOS forced-interaction infostealer activity
Malware ActivityAbout this happening: ClickLock Stealer is a macOS infostealer that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce password entry. Group-IB said the ma...
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
About this happening:
Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceAbout this happening: Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
H score27
First: 18.06.2026 19:20
Last: 18.06.2026 19:20
Sources 1
About this happening:
A USB-spreading clipboard-stealing malware family is actively stealing seed phrases, private keys, and wallet addresses from Windows victims, putting cryptocurrenc...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware ActivityAbout this happening: A USB-spreading clipboard-stealing malware family is actively stealing seed phrases, private keys, and wallet addresses from Windows victims, putting cryptocurrenc...
Timeline
-
16.07.2026 15:50 2 articles · 2h ago
Telegram channel is created for TELEPUZ fallback C2 retrieval
Campaign Scope UpdateA Telegram channel at `t[.]me/chanadarkpart` is created and serves as one of TELEPUZ's fallback C2 retrieval paths, with the channel description used to extract an encrypted URL that points to the same C2 address.
Show sources
- New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands — thehackernews.com — 16.07.2026 15:50
- New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands — thehackernews.com — 16.07.2026 15:50
-
16.07.2026 15:50 1 articles · 2h ago
Researchers identify TELEPUZ spreading through ClickFix lures
Initial DisclosureCybersecurity researchers identify TELEPUZ as a new modular malware spreading through websites infected with ClickFix lures since late April 2026. The infection chain uses PowerShell to fetch a second-stage payload, loads `telepuz.dll` through `rundll32.exe`, and includes anti-VM checks, sandbox detection, and defenses evasion such as AMSI and ETW disabling.
Show sources
- New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands — thehackernews.com — 16.07.2026 15:50