TELEPUZ: A New Modular MaaS Malware Spreads Through ClickFix Lures on Compromised Websites

Since late April 2026, compromised websites have been distributing a new modular malware with the curious name “TELEPUZ” through the ClickFix scheme. According to Elastic, the attackers replace a familiar error-fix prompt with instructions that trick the user into pasting a clipboard command into a Windows dialog and running it by hand. The PowerShell command downloads an intermediate file, then a variant of the Vidar infostealer, and finally launches TELEPUZ through the legitimate system utility rundll32.exe.
Careful Reconnaissance Before Detonation
Before going to work, TELEPUZ examines the computer’s characteristics, the system language, the username, and any signs of a virtual environment. If it detects a sandbox or a debugger, the malware simply terminates. Once the checks pass, TELEPUZ disables a portion of Windows’ defensive mechanisms. It then attempts to obtain administrator and SYSTEM privileges, and finally entrenches itself as a service inside the svchost.exe process.
Backup C2 Channels Hidden in Plain Sight
For communication with its command-and-control server, TELEPUZ relies on WebSocket. When necessary, moreover, it hunts for a fallback address through several channels at once. Encrypted links lie hidden in Telegram and Steam profiles, in a domain’s DNS records, and even in a Polygon smart contract. Consequently, this scheme lets the operators retain control over infected devices even after the primary server is blocked.
A Full-Featured Espionage Toolkit
TELEPUZ can browse and modify files, log keystrokes, execute commands, manage processes, capture screenshots, and load additional modules. Furthermore, a dedicated component steals cookies from Chromium-based browsers. That same component can run arbitrary JavaScript in Chromium and Firefox through the browsers’ remote-control interfaces.
An Early-Stage MaaS Operation Under Active Development
Elastic’s researchers believe TELEPUZ is most likely distributed under a malware-as-a-service model. The small number of control domains points to an early-stage project. However, daily builds and rapid updates signal vigorous, ongoing development. The command servers discovered so far were hosted on hacked websites in Brazil and India.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.