TELEPUZ modular malware spread via ClickFix lures
Malware Activity
Summary
Hide ▲
Show ▼
The TELEPUZ malware family is actively spreading through ClickFix lures, raising the risk of credential theft and remote command execution on infected systems. The infection chain uses PowerShell to fetch a second-stage payload and launches telepuz.dll with rundll32.exe. Once running, TELEPUZ can log keystrokes, capture screenshots, extract Chromium cookies, and download additional modules. Its anti-VM checks, AMSI/ETW disabling, and service-installation steps make detection and containment harder.
Related Happenings
ClickFix-based TELEPUZ distribution campaign
Campaign
H score35
First: 16.07.2026 15:50
Last: 16.07.2026 15:50
Sources 1
How related:
Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026.
About this happening:
The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...
ClickFix-based TELEPUZ distribution campaign
CampaignHow related: Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026.
About this happening: The ClickFix-based TELEPUZ distribution campaign is pushing TELEPUZ through websites infected with lures, increasing the chance that victims run malicious commands and...
Millenium RAT Windows malware activity and native C++ rewrite
Malware Activity
H score62
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The Millenium RAT malware activity is spreading across Windows systems, with 60,000+ infections in 160+ countries and a newer native C++ build that helps it ev...
Millenium RAT Windows malware activity and native C++ rewrite
Malware ActivityAbout this happening: The Millenium RAT malware activity is spreading across Windows systems, with 60,000+ infections in 160+ countries and a newer native C++ build that helps it ev...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leavi...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware ActivityAbout this happening: The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leavi...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The Vidar Stealer campaign is using ClickFix social engineering and compromised WordPress sites to deliver password-stealing malware, widening risk for infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The Vidar Stealer campaign is using ClickFix social engineering and compromised WordPress sites to deliver password-stealing malware, widening risk for infrastructur...
Timeline
-
16.07.2026 15:50 1 articles · 2h ago
Telegram profile t[.]me/chanadarkpart is created
Campaign Scope UpdateThe Telegram profile t[.]me/chanadarkpart used for TELEPUZ fallback C2 discovery was created on April 28, 2026, and the malware can recover an encrypted fallback C2 address from the profile description.
Show sources
- New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands — thehackernews.com — 16.07.2026 15:50
-
16.07.2026 15:50 2 articles · 2h ago
Researchers disclose TELEPUZ spreading through ClickFix lures
Initial DisclosureCybersecurity researchers identified TELEPUZ as a new modular malware spreading through websites infected with ClickFix lures since late April 2026. The infection chain uses PowerShell to fetch a second-stage payload, drops a Go variant of Vidar Stealer, and launches telepuz.dll with rundll32.exe, while the sample also shows rapid daily build uploads and active development.
Show sources
- New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands — thehackernews.com — 16.07.2026 15:50
- New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands — thehackernews.com — 16.07.2026 15:50