"The malware is full-featured, lightweight, and modular," Elastic Security Labs researcher Cyril François wrote in a technical report — a concise charge that frames a rapidly developing threat first seen in late April 2026.
How TELEPUZ reaches victims: ClickFix and clipboard hijacking
TELEPUZ is being distributed via websites that host ClickFix lures, a pervasive social‑engineering technique that tricks users into pasting and running malicious commands. ClickFix pages inject script or commands into a victim's clipboard and instruct the user to paste them — a tactic also called pastejacking. In this chain, the clipboard instructions lead to execution of PowerShell, which downloads a second-stage payload and runs it.
The second-stage binary observed by Elastic is a Go variant of the Vidar Stealer, a known tool for harvesting sensitive information; that payload then deploys a stager binary whose job is to launch TELEPUZ's main component ("telepuz.dll") via "rundll32.exe." Both the stager and the main DLL were retrieved from the domain hurgadatour[.]shop in the samples examined.
TELEPUZ architecture, modules, and command-and-control
Telepuz is written in C and described by Elastic as modular and lightweight. The authors note a steady volume of daily builds appearing on VirusTotal and a rapid pace of updates, suggesting active development and the likelihood that the malware will grow in use. Elastic also reports that the build volume is consistent with TELEPUZ being offered under a malware-as-a-service model.
The malware establishes C2 communications over WebSockets, optionally using TLS, and awaits operator instructions. Operators can issue a broad set of commands: file enumeration and manipulation, keystroke logging, arbitrary command execution, process management, screenshot capture, web injection, cookie extraction from Chromium-based browsers, and the ability to download and execute additional executables and DLLs. A dedicated web‑injector module can receive browser-targeted commands directly from C2 to siphon cookies and execute JavaScript by abusing the Chrome DevTools Protocol (CDP) and WebDriver BiDi in Chromium-based browsers and Mozilla Firefox.
Defense evasion, escalation, and persistence techniques
Elastic's analysis documents multiple layers of evasion. TELEPUZ employs obfuscation such as garbage instructions, import name hashing, string encryption, and indirect system calls. It performs anti-VM and geofencing checks — terminating if it finds fewer than two CPUs, less than 2GB of memory, insufficient disk space, or if the system locale identifier (LCID) is within a hard-coded list of Commonwealth of Independent States (CIS) countries. It also compares usernames and computer names against lists of common sandbox and malware‑research identifiers to trigger an immediate halt if a likely analysis environment is detected.
Before launching payload actions, TELEPUZ unhooks NTDLL, disables the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and removes third‑party DllNotification callbacks. It searches for debuggers and crashes them, validates its parent process against a list of known runners (including "rundll32.exe" and "svchost.exe"), and generates a unique victim identifier derived from the hardware serial number, computer name, and the operating system's installation date.
For privilege escalation and persistence, the malware spawns two threads: one to elevate and install itself as a service, the other to initiate C2 communications. The elevation routine uses the COM elevation moniker technique to obtain Administrator rights and then attempts to gain SYSTEM privileges by stealing tokens from processes such as spoolsv.exe, msdtc.exe, WmiPrvSE.exe, or svchost.exe. If successful, TELEPUZ creates registry keys to register itself as a service and instruct Windows to load the malware inside a new svchost.exe instance.
Fallback and hosting: Telegram, Steam, DNS, blockchain, and compromised servers
If initial attempts to contact C2 fail — TELEPUZ will try up to 10 times — the malware tries four fallback methods to discover an alternate C2 address. Researchers observed TELEPUZ extracting an encrypted URL from a Telegram profile description (t[.]me/chanadarkpart; the channel was created on April 28, 2026), from a Steam Community profile, and from a Polygon blockchain smart contract. It can also resolve and decrypt data from a DNS query for codebasecode[.]com. Elastic noted the staging domains are protected by Cloudflare, while the active C2 servers so far have been identified as compromised websites in Brazil and India.
What this means for technologists, enterprises, and end users
- Technologists and security teams: Watch for the behavior patterns Elastic describes — PowerShell stages from ClickFix pastejacking, Go Vidar artifacts followed by telepuz.dll launched via rundll32.exe, WebSocket TLS sessions to unusual hosts, and indicators of NTDLL unhooking, AMSI/ETW disablement, or new services registered to run svchost.exe. The listed fallback mechanisms (Telegram channel t[.]me/chanadarkpart, codebasecode[.]com DNS responses, Steam profiles, and Polygon smart contracts) provide concrete telemetry points to monitor.
- Enterprises and procurement leaders: The steady VirusTotal build volume and Elastic's assessment that TELEPUZ likely operates as a MaaS mean organizations should treat identified staging and C2 domains (including hurgadatour[.]shop and the compromised sites in Brazil and India) as potential indicators of compromise and consider blocking or sinkholing them where feasible. Note that some staging infrastructure is behind Cloudflare.
- End users and IT support: The ClickFix/pastejacking vector is social engineering — do not paste and execute commands provided by web pages purporting to fix browser errors, software updates, or CAPTCHAs. Recognize that simply following clipboard instructions can lead to a multi‑stage infection that delivers data‑stealing and persistence-capable malware.
Elastic Security Labs' assessment — echoed in Cyril François' observation of a "full-featured, lightweight, and modular" tool — portrays TELEPUZ as an actively developed, adaptable threat that combines social engineering (ClickFix), commodity stealers (Vidar variant), and a C2-capable, modular implant. The detailed fallback mechanisms and the use of Cloudflare-protected staging domains underscore both the technical creativity of the operators and the specific telemetry defenders can use now to hunt and block activity.




