ctipilot.ch
← Back to the live brief
NOTABLENATOB2threat

TELEPUZ — a modular Windows RAT/MaaS spread through ClickFix→Vidar chains, executing syscalls from patched trusted DLLs

discovered 2026-07-16 04:40 UTCrun 2026-07-16T0409Z-intel1 sourcesingle-source

Elastic Security Labs is tracking TELEPUZ, a full-featured, fast-evolving modular Windows RAT active since late April 2026 and, on Elastic's telemetry, a likely malware-as-a-service given the daily volume of new builds uploaded to VirusTotal (Elastic Security Labs, 2026-07-16). Delivery runs through a ClickFix social-engineering lure that pastes a PowerShell one-liner into the Run dialog, which downloads a Go variant of the Vidar stealer; Vidar then fetches a small stager (install.exe) that loads the main payload — a 64-bit DLL executed via rundll32 from domain-rotating staging infrastructure (Elastic Security Labs, 2026-07-16).

The payload's headline evasion is an indirect-syscall engine: it maps a fresh copy of ntdll.dll, parses syscall numbers from its export table, then patches the .text section of a randomly chosen legitimate DLL (dfscli.dll, davhlpr.dll, msdtclog.dll, dsrole.dll or secur32.dll) with syscall trampolines so calls execute from inside a trusted-looking module, defeating user-mode API hooking and ETW (Elastic Security Labs, 2026-07-16). It additionally patches AMSI/ETW to neutered return values, unhooks NTDLL, reflectively loads modules and runs downloaded PEs via process hollowing, escalates through two UAC-bypass techniques and SYSTEM token theft, and persists as a service named CipherAllocator. Command-and-control runs over WebSocket (optionally SChannel TLS) at a /cdn/health?sid= URI, with four fallback address-discovery channels — a Telegram channel bio, a Steam profile, a DNS TXT record and a Polygon smart-contract call (also a kill switch). Modules include a keylogger, an infostealer with a Chrome App-Bound-Encryption cookie helper, and a browser web-injection module that uses Chrome DevTools Protocol / Firefox WebDriver BiDi (not code injection) to swap IBAN/amount fields in banking web forms; the malware also runs anti-analysis checks — debugger evasion (ProcessDebugPort/ThreadHideFromDebugger) and sandbox/host geofencing on CIS country, sandbox hostnames and usernames.

Given the significant number of builds uploaded to VirusTotal daily, it is likely that we are dealing with a MaaS.

Finally, the malware selects a random library from a set of standard libraries (dfscli.dll, davhlpr.dll, msdtclog.dll, dsrole.dll, and secur32.dll) and loads it via LoadLibrary. It then patches the library's .text section with the previously generated trampolines, so indirect syscalls are now executed from this location.

Elastic Security Labs 2026-07-16

ATT&CK mapping

16 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Execution TA0002
T1106Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

overlap matrix · ATT&CK page ↗

T1204.004User Execution: Malicious Copy and Paste

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1543.003Create or Modify System Process: Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1055.012Process Injection: Process Hollowing

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

overlap matrix · ATT&CK page ↗

T1134.001Access Token Manipulation: Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.

overlap matrix · ATT&CK page ↗

T1543.003Create or Modify System Process: Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

overlap matrix · ATT&CK page ↗

T1548.002Abuse Elevation Control Mechanism: Bypass User Account Control

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1055.012Process Injection: Process Hollowing

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

overlap matrix · ATT&CK page ↗

T1134.001Access Token Manipulation: Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.

overlap matrix · ATT&CK page ↗

T1218.011System Binary Proxy Execution: Rundll32

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

overlap matrix · ATT&CK page ↗

T1497.001Virtualization/Sandbox Evasion: System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

overlap matrix · ATT&CK page ↗

T1620Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

overlap matrix · ATT&CK page ↗

T1622Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.

overlap matrix · ATT&CK page ↗

Defense Impairment TA0112
T1685Disable or Modify Tools

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1056.001Input Capture: Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

overlap matrix · ATT&CK page ↗

Discovery TA0007
T1497.001Virtualization/Sandbox Evasion: System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

overlap matrix · ATT&CK page ↗

T1614.001System Location Discovery: System Language Discovery

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.

overlap matrix · ATT&CK page ↗

T1622Debugger Evasion

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.

overlap matrix · ATT&CK page ↗

Collection TA0009
T1056.001Input Capture: Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1071.001Application Layer Protocol: Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

overlap matrix · ATT&CK page ↗

T1105Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

overlap matrix · ATT&CK page ↗

T1573.002Encrypted Channel: Asymmetric Cryptography

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.