Find notable cyber news and cases, enriched with sources, timelines, and signals.

TELEPUZ modular malware spread via ClickFix lures

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

The TELEPUZ malware family is actively spreading through ClickFix lures, raising the risk of credential theft and remote command execution on infected systems. The infection chain uses PowerShell to fetch a second-stage payload and launches telepuz.dll with rundll32.exe. Once running, TELEPUZ can log keystrokes, capture screenshots, extract Chromium cookies, and download additional modules. Its anti-VM checks, AMSI/ETW disabling, and service-installation steps make detection and containment harder.

Related Happenings

ClickFix-based TELEPUZ distribution campaign

Campaign
H score35 First: 16.07.2026 15:50 Last: 16.07.2026 15:50 Sources 1

How related: Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026.

About this happening: The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...

Millenium RAT Windows malware activity and native C++ rewrite

Malware Activity
H score62 First: 29.06.2026 17:30 Last: 29.06.2026 17:30 Sources 1

About this happening: The Millenium RAT malware activity is spreading across Windows systems, with 60,000+ infections in 160+ countries and a newer native C++ build that helps it ev...

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
H score40 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

About this happening: The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leavi...

SHub Reaper macOS infostealer variant

Malware Activity
H score23 First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The Vidar Stealer campaign is using ClickFix social engineering and compromised WordPress sites to deliver password-stealing malware, widening risk for infrastructur...

Timeline

  1. 16.07.2026 15:50 1 articles · 2h ago

    Telegram profile t[.]me/chanadarkpart is created

    Campaign Scope Update

    The Telegram profile t[.]me/chanadarkpart used for TELEPUZ fallback C2 discovery was created on April 28, 2026, and the malware can recover an encrypted fallback C2 address from the profile description.

    Show sources
  2. 16.07.2026 15:50 2 articles · 2h ago

    Researchers disclose TELEPUZ spreading through ClickFix lures

    Initial Disclosure

    Cybersecurity researchers identified TELEPUZ as a new modular malware spreading through websites infected with ClickFix lures since late April 2026. The infection chain uses PowerShell to fetch a second-stage payload, drops a Go variant of Vidar Stealer, and launches telepuz.dll with rundll32.exe, while the sample also shows rapid daily build uploads and active development.

    Show sources