Date: 07/16/2026
Severity: High
Summary
Researchers analyzed TelePuz, a modular Malware-as-a-Service (MaaS) framework distributed through ClickFix social engineering campaigns that trick users into executing malicious commands. The malware employs a multi-stage infection chain with obfuscated loaders, dynamic payload delivery, and anti-analysis techniques to deploy additional malware modules. The report highlights TelePuz's modular architecture, evolving infrastructure, and detection opportunities for identifying ClickFix-driven malware activity.
Indicators of Compromise (IOC) List
Domains/URLs | chubrik.sbs betalegenda.cfd mavpaprokla.lat comicstar.lat bigblower.click momasites.lol momasites.com mamsites.lol hardenedom.shop hardendedom.shop hardendom.shop hardeneddom.shop netblokirovka.asia netblokir.asia netlobikrovka.asia neblokirovka.as kidsko.shop mazaporka.shop hurgadatour.shop krabsburger.xyz zewaplus.club cal.joycedoula.com.br cal.snehamumbai.org |
IP Address | 172.67.165.144 172.67.215.214 |
Hash | 58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed
bf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343
ff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3e
a955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3
9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477eb
444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1
|
File paths | %AppData%\\Local\\DCFG\\Runtime\\Themes\\Processor\\etwhost.dll %AppData%\\Roaming\\StateRepository\\Host\\Recovery\\systemreset.dll %AppData%\\Local\\MiravaDevices\\noraxrecovery.dll %ProgramData%\\XeroxPrint\\Temp\\Worker\\grpeng.dll %ProgramData%\\Jundrax\\Tracker\\IrenScanner.dll %ProgramData%\\QualcommRF\\dsp\_agent.dll |
Registry Entry | HKLM\\SYSTEM\\CurrentControlSet\\Services\\CipherAllocator HKLM\\SYSTEM\\CurrentControlSet\\Services\\PilotmasterMast |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "krabsburger.xyz" or url like "krabsburger.xyz" or siteurl like "krabsburger.xyz" or domainname like "netlobikrovka.asia" or url like "netlobikrovka.asia" or siteurl like "netlobikrovka.asia" or domainname like "hardendedom.shop" or url like "hardendedom.shop" or siteurl like "hardendedom.shop" or domainname like "cal.snehamumbai.org" or url like "cal.snehamumbai.org" or siteurl like "cal.snehamumbai.org" or domainname like "mavpaprokla.lat" or url like "mavpaprokla.lat" or siteurl like "mavpaprokla.lat" or domainname like "netblokir.asia" or url like "netblokir.asia" or siteurl like "netblokir.asia" or domainname like "hardenedom.shop" or url like "hardenedom.shop" or siteurl like "hardenedom.shop" or domainname like "hurgadatour.shop" or url like "hurgadatour.shop" or siteurl like "hurgadatour.shop" or domainname like "hardeneddom.shop" or url like "hardeneddom.shop" or siteurl like "hardeneddom.shop" or domainname like "momasites.lol" or url like "momasites.lol" or siteurl like "momasites.lol" or domainname like "bigblower.click" or url like "bigblower.click" or siteurl like "bigblower.click" or domainname like "momasites.com" or url like "momasites.com" or siteurl like "momasites.com" or domainname like "netblokirovka.asia" or url like "netblokirovka.asia" or siteurl like "netblokirovka.asia" or domainname like "mazaporka.shop" or url like "mazaporka.shop" or siteurl like "mazaporka.shop" or domainname like "neblokirovka.as" or url like "neblokirovka.as" or siteurl like "neblokirovka.as" or domainname like "chubrik.sbs" or url like "chubrik.sbs" or siteurl like "chubrik.sbs" or domainname like "kidsko.shop" or url like "kidsko.shop" or siteurl like "kidsko.shop" or domainname like "hardendom.shop" or url like "hardendom.shop" or siteurl like "hardendom.shop" or domainname like "comicstar.lat" or url like "comicstar.lat" or siteurl like "comicstar.lat" or domainname like "mamsites.lol" or url like "mamsites.lol" or siteurl like "mamsites.lol" or domainname like "zewaplus.club" or url like "zewaplus.club" or siteurl like "zewaplus.club" or domainname like "betalegenda.cfd" or url like "betalegenda.cfd" or siteurl like "betalegenda.cfd" or domainname like "cal.joycedoula.com.br" or url like "cal.joycedoula.com.br" or siteurl like "cal.joycedoula.com.br" |
Detection Query 2 : | dstipaddress IN ("172.67.215.214","172.67.165.144") or srcipaddress IN ("172.67.215.214","172.67.165.144") |
Detection Query 3 : | sha256hash IN ("bf3b4e645a3c0c23f87c55971069014f7424ad14497371ee7567eff68ffaf343","58aec6e3835aaf20f7b4a7e308b36a19e7454673a6f71783871e9bcf6cae8eed","ff791fe1532a2dc3b3c188a71bfd0177f973ef228e4d1dda1db6d3c4b0d62b3e","a955d7e2819d5fa8b5f879cb970e1a1a91327098a7383f2a03a5e1e7e19435e3","444f1c0c82b3f6cc31d685bac68b20edbde5722ce219af9cceab0c2a6537efc1","9733a3f6409de81271f21993c7f8b9865ac9f5c68c3d4336e91afe6b312477eb")
|
Detection Query 4 : | datasourcename = "Windows Security" and eventtype = "4663" and objectname IN ("%AppData%\\Local\\DCFG\\Runtime\\Themes\\Processor\\etwhost.dll","%AppData%\\Roaming\\StateRepository\\Host\\Recovery\\systemreset.dll","%AppData%\\Local\\MiravaDevices\\noraxrecovery.dll","%ProgramData%\\XeroxPrint\\Temp\\Worker\\grpeng.dll","%ProgramData%\\Jundrax\\Tracker\\IrenScanner.dll","%ProgramData%\\QualcommRF\\dsp\_agent.dll") |
Detection Query 5 : | technologygroup = "EDR" and objectname IN ("%AppData%\\Local\\DCFG\\Runtime\\Themes\\Processor\\etwhost.dll","%AppData%\\Roaming\\StateRepository\\Host\\Recovery\\systemreset.dll","%AppData%\\Local\\MiravaDevices\\noraxrecovery.dll","%ProgramData%\\XeroxPrint\\Temp\\Worker\\grpeng.dll","%ProgramData%\\Jundrax\\Tracker\\IrenScanner.dll","%ProgramData%\\QualcommRF\\dsp\_agent.dll") |
Detection Query 5 : | datasourcename = "Windows Security" and eventtype = "4657" and objectname IN ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\CipherAllocator","HKLM\\SYSTEM\\CurrentControlSet\\Services\\PilotmasterMast") |
Detection Query 5 : | technologygroup = "EDR" and objectname IN ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\CipherAllocator","HKLM\\SYSTEM\\CurrentControlSet\\Services\\PilotmasterMast") |
Reference:
https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix