Researchers reported that TELEPUZ is an emerging modular Windows malware family being distributed through ClickFix social-engineering lures that trick users into executing malicious commands, leading into VIDAR-based infection chains and staged payload delivery. The malware appears to be operated as malware-as-a-service (MaaS) and has shown rapid iteration, with lightweight loaders and DLL-based payloads designed to fetch additional components dynamically while maintaining a relatively small core command-and-control footprint.
Analysis shows TELEPUZ uses WebSocket communications with optional TLS and includes broad post-compromise capabilities such as defense evasion, anti-debugging, anti-VM checks, persistence, privilege escalation, token theft, keylogging, web injection, data theft, and Chromium cookie extraction. Researchers also found fallback C2 resolution through Telegram, Steam, DNS, and the Polygon blockchain, while core C2 infrastructure appears tied to compromised legitimate websites in Brazil and India; defenders were advised to hunt for related domains, IPs, hashes, file paths, network telemetry, and Windows registry service modifications to detect activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
On 2026-07-16, Gurucul published analysis of TELEPUZ as a modular MaaS framework delivered through ClickFix social engineering, highlighting its multi-stage infection chain, obfuscated loaders, dynamic payload delivery, and anti-analysis techniques. The report added practical detection opportunities and indicators including domains, IPs, hashes, file paths, registry artifacts, and detection queries based on telemetry and service modifications.
On 2026-05-09, Elastic Security Labs published a report describing TELEPUZ as an emerging modular malware family with WebSocket-based C2, anti-analysis features, persistence, privilege escalation, token theft, and downloadable modules for data theft and web injection. The report also noted fallback C2 resolution via Telegram, Steam, DNS, and the Polygon blockchain, and assessed the main C2 domains as likely compromised legitimate sites in Brazil and India.
Elastic Security Labs said the TELEPUZ malware family appears to have been active since late April 2026, spreading through a ClickFix-to-VIDAR infection chain. The activity involved a modular Windows malware framework likely operated as malware-as-a-service.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
9 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcetrojan-killer.net
Open sourcethehackernews.com
Open sourcecommunity.gurucul.com
Open sourceelastic.co
Open sourceunit42.paloaltonetworks.com
Open sourcecloud.google.com
Open sourcegroup-ib.com
Open sourcelearn.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.