TELEPUZ is an emerging modular Windows malware family assessed to be under active development and likely operated as a malware-as-a-service offering. It has been observed since late April 2026 spreading through ClickFix social-engineering chains in which victims are tricked into executing malicious PowerShell commands. In documented intrusions, a VIDAR stage is used to retrieve and launch TELEPUZ components, including a stager and a DLL-based main payload executed through rundll32.exe.
The malware is a lightweight C-based framework built around remote control, persistence, and modular post-compromise functionality. TELEPUZ establishes persistence by installing itself as a Windows service and is designed to migrate into user-writable application-data locations when needed. It communicates with command-and-control infrastructure over WebSockets, optionally protected with TLS, and supports fallback command-and-control resolution through multiple external channels. Reported command support includes remote command execution, file enumeration and transfer, process management, screenshot capture, malware updating, and module loading.
TELEPUZ incorporates extensive defense-evasion and anti-analysis features. Reported techniques include anti-virtualization checks, geofencing against CIS-region locales, sandbox-identifier checks, string encryption, import hashing, indirect syscalls, NTDLL unhooking, AMSI and ETW disabling, removal of third-party DLL notification callbacks, and anti-debugging logic intended to disrupt analysis. It also validates expected parent processes and can terminate when execution conditions do not match operator requirements.
The framework supports credential and data theft through downloadable or integrated modules. Reported capabilities include keylogging, cookie and session theft from Chromium-based browsers, browser-focused web injection, arbitrary JavaScript execution in Chromium-based browsers and Firefox, and theft of browser credentials and wallet-related data. Observed web-injection behavior has been oriented toward interception and manipulation of financial web sessions.
TELEPUZ also includes privilege-escalation functionality. Reported behavior includes elevation via COM-based UAC bypass techniques and attempts to obtain SYSTEM privileges through token theft from privileged Windows processes. Additional post-exploitation functionality includes process hollowing and delivery of further payloads, meaning suspected TELEPUZ infections should be treated as full host compromises.
The malware targets Windows systems and has been associated with ClickFix-driven compromises delivered through infected or compromised websites. Its combination of social-engineering delivery, modular architecture, credential and session theft, persistence, and remote operator control makes it a flexible intrusion platform suitable for follow-on theft and broader post-exploitation activity.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Elastic describes modules or commands for data theft, keylogging, browser web injection, file operations, process control, privilege changes, and command execution.
The ClickFix attack chain linked to TELEPUZ results in the execution of PowerShell, which downloads a second-stage payload from a remote URL and executes it.
The commands make it possible to siphon cookies and run arbitrary JavaScript on the browsers by taking advantage of the Chrome DevTools Protocol (CDP) and WebDriver BiDi protocol.
Upon achieving elevation and depending on the configuration, TELEPUZ next tries to get SYSTEM privilege by stealing the token of the first found process with one of the following names: spoolsv.exe, msdtc.exe, WmiPrvSE.exe, svchost.exe.
copy itself into an %AppData% location when needed, and install itself as a service
TELEPUZ also incorporates a number of obfuscation techniques, such as garbage instructions that serve no functional purpose, import name hashing to resolve imports, string encryption, and indirect system calls, to thwart analysis efforts.
TELEPUZ employs standard module and import name hashing to resolve its imports, which are dynamically loaded upon each invocation.
TELEPUZ decrypts strings using a custom RC4 implementation, using constants that vary between samples.
the observed chain begins with a ClickFix page that asks the user to run a hidden PowerShell command
Upon achieving elevation and depending on the configuration, TELEPUZ next tries to get SYSTEM privilege by stealing the token of the first found process with one of the following names: spoolsv.exe, msdtc.exe, WmiPrvSE.exe, svchost.exe.
Elastic also reports a mutex named cfgmgr_mtx , anti-VM checks, CIS-region locale checks, indirect syscalls, string encryption, and WebSocket-based C2 communication.
Elastic also reports a mutex named cfgmgr_mtx , anti-VM checks, CIS-region locale checks
If a debugger is identified, the malware calls the Sleep function with an INFINITE parameter.
Elastic describes modules or commands for data theft, keylogging, browser web injection
Elastic describes modules or commands for data theft, keylogging, browser web injection
TELEPUZ uses the C2 server to establish communication... allowing it to perform a wide range of malicious actions, including... process management...
TELEPUZ uses the C2 server to establish communication... allowing it to perform a wide range of malicious actions, including file enumeration, file operations...
Elastic also reports a mutex named cfgmgr_mtx , anti-VM checks, CIS-region locale checks, indirect syscalls, string encryption, and WebSocket-based C2 communication.
Elastic also reports a mutex named cfgmgr_mtx , anti-VM checks, CIS-region locale checks
Elastic describes modules or commands for data theft, keylogging, browser web injection
Elastic describes modules or commands for data theft, keylogging, browser web injection
TELEPUZ uses the C2 server to establish communication... allowing it to perform a wide range of malicious actions, including... web injection...
TELEPUZ uses the C2 server to establish communication... allowing it to perform a wide range of malicious actions, including... screenshot capture...
By running a DNS query for the domain codebasecode[.]com, it extracts and decrypts the fallback C2 address.
One reported command downloads a file named f322a5fa.exe into the user’s temporary folder from memshowblob(dot)forum
If these tries end up in failure, TELEPUZ attempts to fetch the fallback C2 address using four different methods - By extracting an encrypted URL from a Telegram profile's description... a Steam Community profile... by running a DNS query for the domain codebasecode[.]com... and from a Polygon blockchain smart contract.
42 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A modular Windows malware family delivered via ClickFix-style social engineering pages. It is downloaded after a VIDAR stage and supports theft, persistence, remote command execution, keylogging, browser web injection, file operations, process control, privilege changes, service installation, and WebSocket-based C2 communication.
TELEPUZ is a lightweight, modular Windows malware written in C that uses extensive anti-analysis and defense-evasion techniques, installs itself as a service, communicates with C2 over WebSockets, and supports capabilities including file operations, keystroke logging, command execution, screenshot capture, web injection, and cookie theft from Chromium-based browsers and Firefox.
TelePuz is a modular Malware-as-a-Service framework delivered via ClickFix social engineering. It uses a multi-stage infection chain with obfuscated loaders, dynamic payload delivery, and anti-analysis techniques to deploy additional malware modules.
TELEPUZ is a modular Windows malware family, likely offered as MaaS, delivered in observed cases via ClickFix and VIDAR. It uses a stager plus DLL payload architecture, installs persistence as a Windows service, performs anti-VM and anti-debugging checks, unhooks NTDLL, patches AMSI and ETW, uses indirect syscalls, communicates with C2 over WebSockets with optional TLS, and supports commands for file operations, process execution, privilege escalation, token theft, screenshots, keylogging, stealing data, cookie extraction, web injection, module loading, and process hollowing.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.