TELEPUZ: A Modular MaaS Malware Spreading via ClickFix-Vidar Chains

    Date: 07/16/2026

    Severity: High

    Summary

    Researchers analyzed TelePuz, a modular Malware-as-a-Service (MaaS) framework distributed through ClickFix social engineering campaigns that trick users into executing malicious commands. The malware employs a multi-stage infection chain with obfuscated loaders, dynamic payload delivery, and anti-analysis techniques to deploy additional malware modules. The report highlights TelePuz's modular architecture, evolving infrastructure, and detection opportunities for identifying ClickFix-driven malware activity. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    chubrik.sbs

    betalegenda.cfd

    mavpaprokla.lat

    comicstar.lat

    bigblower.click

    momasites.lol

    momasites.com

    mamsites.lol

    hardenedom.shop

    hardendedom.shop

    hardendom.shop

    hardeneddom.shop

    netblokirovka.asia

    netblokir.asia

    netlobikrovka.asia

    neblokirovka.as

    kidsko.shop

    mazaporka.shop

    hurgadatour.shop

    krabsburger.xyz

    zewaplus.club

    cal.joycedoula.com.br

    cal.snehamumbai.org

    IP Address 

    172.67.165.144

    172.67.215.214

    Hash 

    58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed

    bf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343

    ff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3e

    a955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3

    9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477eb

    444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1

    File paths

    %AppData%\\Local\\DCFG\\Runtime\\Themes\\Processor\\etwhost.dll

    %AppData%\\Roaming\\StateRepository\\Host\\Recovery\\systemreset.dll

    %AppData%\\Local\\MiravaDevices\\noraxrecovery.dll

    %ProgramData%\\XeroxPrint\\Temp\\Worker\\grpeng.dll

    %ProgramData%\\Jundrax\\Tracker\\IrenScanner.dll

    %ProgramData%\\QualcommRF\\dsp\_agent.dll

    Registry Entry

    HKLM\\SYSTEM\\CurrentControlSet\\Services\\CipherAllocator

    HKLM\\SYSTEM\\CurrentControlSet\\Services\\PilotmasterMast

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "krabsburger.xyz" or url like "krabsburger.xyz" or siteurl like "krabsburger.xyz" or domainname like "netlobikrovka.asia" or url like "netlobikrovka.asia" or siteurl like "netlobikrovka.asia" or domainname like "hardendedom.shop" or url like "hardendedom.shop" or siteurl like "hardendedom.shop" or domainname like "cal.snehamumbai.org" or url like "cal.snehamumbai.org" or siteurl like "cal.snehamumbai.org" or domainname like "mavpaprokla.lat" or url like "mavpaprokla.lat" or siteurl like "mavpaprokla.lat" or domainname like "netblokir.asia" or url like "netblokir.asia" or siteurl like "netblokir.asia" or domainname like "hardenedom.shop" or url like "hardenedom.shop" or siteurl like "hardenedom.shop" or domainname like "hurgadatour.shop" or url like "hurgadatour.shop" or siteurl like "hurgadatour.shop" or domainname like "hardeneddom.shop" or url like "hardeneddom.shop" or siteurl like "hardeneddom.shop" or domainname like "momasites.lol" or url like "momasites.lol" or siteurl like "momasites.lol" or domainname like "bigblower.click" or url like "bigblower.click" or siteurl like "bigblower.click" or domainname like "momasites.com" or url like "momasites.com" or siteurl like "momasites.com" or domainname like "netblokirovka.asia" or url like "netblokirovka.asia" or siteurl like "netblokirovka.asia" or domainname like "mazaporka.shop" or url like "mazaporka.shop" or siteurl like "mazaporka.shop" or domainname like "neblokirovka.as" or url like "neblokirovka.as" or siteurl like "neblokirovka.as" or domainname like "chubrik.sbs" or url like "chubrik.sbs" or siteurl like "chubrik.sbs" or domainname like "kidsko.shop" or url like "kidsko.shop" or siteurl like "kidsko.shop" or domainname like "hardendom.shop" or url like "hardendom.shop" or siteurl like "hardendom.shop" or domainname like "comicstar.lat" or url like "comicstar.lat" or siteurl like "comicstar.lat" or domainname like "mamsites.lol" or url like "mamsites.lol" or siteurl like "mamsites.lol" or domainname like "zewaplus.club" or url like "zewaplus.club" or siteurl like "zewaplus.club" or domainname like "betalegenda.cfd" or url like "betalegenda.cfd" or siteurl like "betalegenda.cfd" or domainname like "cal.joycedoula.com.br" or url like "cal.joycedoula.com.br" or siteurl like "cal.joycedoula.com.br"

    Detection Query 2 :

    dstipaddress IN ("172.67.215.214","172.67.165.144") or srcipaddress IN ("172.67.215.214","172.67.165.144")

    Detection Query 3 :

    sha256hash IN ("bf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343","58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed","ff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3e","a955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3","444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1","9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477eb")

    Detection Query 4 :

    datasourcename = "Windows Security" and eventtype = "4663" and objectname IN ("%AppData%\\Local\\DCFG\\Runtime\\Themes\\Processor\\etwhost.dll","%AppData%\\Roaming\\StateRepository\\Host\\Recovery\\systemreset.dll","%AppData%\\Local\\MiravaDevices\\noraxrecovery.dll","%ProgramData%\\XeroxPrint\\Temp\\Worker\\grpeng.dll","%ProgramData%\\Jundrax\\Tracker\\IrenScanner.dll","%ProgramData%\\QualcommRF\\dsp\_agent.dll")

    Detection Query 5 :

    technologygroup = "EDR" and objectname IN ("%AppData%\\Local\\DCFG\\Runtime\\Themes\\Processor\\etwhost.dll","%AppData%\\Roaming\\StateRepository\\Host\\Recovery\\systemreset.dll","%AppData%\\Local\\MiravaDevices\\noraxrecovery.dll","%ProgramData%\\XeroxPrint\\Temp\\Worker\\grpeng.dll","%ProgramData%\\Jundrax\\Tracker\\IrenScanner.dll","%ProgramData%\\QualcommRF\\dsp\_agent.dll")

    Detection Query 5 :

    datasourcename = "Windows Security" and eventtype = "4657" and objectname IN ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\CipherAllocator","HKLM\\SYSTEM\\CurrentControlSet\\Services\\PilotmasterMast")

    Detection Query 5 :

    technologygroup = "EDR" and objectname IN ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\CipherAllocator","HKLM\\SYSTEM\\CurrentControlSet\\Services\\PilotmasterMast")

    Reference:    

    https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix                    


    Tags

    MalwareMaaSClickFixSocial EngineeringObfuscationVidarStealer

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags