2026-07-16 · view entry permalink →
TELEPUZ — a modular Windows RAT/MaaS spread through ClickFix→Vidar chains, executing syscalls from patched trusted DLLs
Elastic Security Labs is tracking TELEPUZ, a full-featured, fast-evolving modular Windows RAT active since late April 2026 and, on Elastic's telemetry, a likely malware-as-a-service given the daily volume of new builds uploaded to VirusTotal (Elastic Security Labs, 2026-07-16). Delivery runs through a ClickFix social-engineering lure that pastes a PowerShell one-liner into the Run dialog, which downloads a Go variant of the Vidar stealer; Vidar then fetches a small stager (install.exe) that loads the main payload — a 64-bit DLL executed via rundll32 from domain-rotating staging infrastructure (Elastic Security Labs, 2026-07-16).
The payload's headline evasion is an indirect-syscall engine: it maps a fresh copy of ntdll.dll, parses syscall numbers from its export table, then patches the .text section of a randomly chosen legitimate DLL (dfscli.dll, davhlpr.dll, msdtclog.dll, dsrole.dll or secur32.dll) with syscall trampolines so calls execute from inside a trusted-looking module, defeating user-mode API hooking and ETW (Elastic Security Labs, 2026-07-16). It additionally patches AMSI/ETW to neutered return values, unhooks NTDLL, reflectively loads modules and runs downloaded PEs via process hollowing, escalates through two UAC-bypass techniques and SYSTEM token theft, and persists as a service named CipherAllocator. Command-and-control runs over WebSocket (optionally SChannel TLS) at a /cdn/health?sid= URI, with four fallback address-discovery channels — a Telegram channel bio, a Steam profile, a DNS TXT record and a Polygon smart-contract call (also a kill switch). Modules include a keylogger, an infostealer with a Chrome App-Bound-Encryption cookie helper, and a browser web-injection module that uses Chrome DevTools Protocol / Firefox WebDriver BiDi (not code injection) to swap IBAN/amount fields in banking web forms; the malware also runs anti-analysis checks — debugger evasion (ProcessDebugPort/ThreadHideFromDebugger) and sandbox/host geofencing on CIS country, sandbox hostnames and usernames.
Given the significant number of builds uploaded to VirusTotal daily, it is likely that we are dealing with a MaaS.
Finally, the malware selects a random library from a set of standard libraries (dfscli.dll, davhlpr.dll, msdtclog.dll, dsrole.dll, and secur32.dll) and loads it via LoadLibrary. It then patches the library's .text section with the previously generated trampolines, so indirect syscalls are now executed from this location.