TELEPUZ Malware Spreads via ClickFix Social Engineering, Targets Windows with Modular Capabilities and Resilient C2 Infrastructure
Since the end of April 2026, compromised websites have been distributing a new modular malware called TELEPUZ through the ClickFix social-engineering technique. Attackers replace the usual browser-error remediation steps with instructions that prompt the victim to copy a command to the clipboard and manually paste and execute it in a Windows Run dialog or PowerShell window.
The delivered PowerShell command first fetches an intermediate loader, which in turn installs a variant of the Vidar infostealer before launching the main TELEPUZ payload through the legitimate Windows utility rundll32.exe.
Before performing any malicious actions, TELEPUZ inspects the target system’s hardware characteristics, operating-system language, username, and indicators of virtualization or debugging tools. If it detects a sandbox or analysis environment, the malware terminates itself to avoid detection.
After passing these checks, TELEPUZ disables selected Windows security mechanisms, attempts to obtain administrator and SYSTEM privileges, and establishes persistence by registering itself as a service hosted inside the legitimate svchost.exe process.
Communication with the attacker’s command-and-control server is performed over WebSocket. When the primary server becomes unavailable, the malware can locate backup addresses through several independent channels: encrypted links hidden in Telegram and Steam profiles, specially crafted DNS records, and data stored inside a Polygon blockchain smart contract. This multi-layered fallback design helps maintain control over infected devices even after the main infrastructure is taken down.
TELEPUZ provides a broad set of post-exploitation features, including the ability to browse and modify files, capture keystrokes, execute arbitrary commands, manage running processes, take screenshots, and download additional modules. A dedicated component extracts cookies from Chromium-based browsers and can inject arbitrary JavaScript into both Chromium and Firefox by abusing remote-debugging interfaces.
Elastic researchers assess that TELEPUZ is likely distributed under a malware-as-a-service model. Although the number of active command-and-control domains remains relatively small, the frequent release of daily builds and rapid updates indicates ongoing, active development. The observed C2 servers have been hosted on compromised websites located in Brazil and India.