Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

Elastic: TELEPUZ ClickFix stealer confirmed since April

Elastic Security Labs pins TELEPUZ, a modular C stealer spreading via ClickFix since late April, likely MaaS, with a Go Vidar variant as stage two.

Elastic: TELEPUZ ClickFix stealer confirmed since April
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap airgap · Published · 3 min read

Confirmed: Elastic Security Labs disclosed today, July 16, 2026 a modular C infostealer tracked as TELEPUZ, spreading through ClickFix lures since late April 2026 and — on the volume of daily VirusTotal submissions — likely operating as malware-as-a-service. Confidence on the disclosure, the first-seen date, and the technical characteristics below: as-reported by Elastic.

The full technical writeup is at elastic.co/security-labs. This piece characterizes what was disclosed; the primary source carries the indicator detail.

Timeline

  • April 28, 2026 — the Telegram channel Elastic ties to the operator’s C2-fallback infrastructure is created. Confidence: as-reported.
  • Late April 2026 — first observed distribution via ClickFix lures on compromised websites. Confidence: as-reported.
  • July 16, 2026 — Elastic publishes the family analysis; The Hacker News summarizes it same day.

Delivery

ClickFix. The same clipboard-hijacking pattern that carried Group-IB’s ClickLock macOS stealer and Talos’s Starland RAT trojanized installers — three separate ClickFix-fronted campaigns disclosed on the same day. A stager binary invokes the payload — a DLL named telepuz.dll — via rundll32.exe, with the payload retrieved from hurgadatour[.]shop. Confidence: as-reported.

Stage two

A Go variant of Vidar Stealer. Vidar as a family is not new; the observation that TELEPUZ ships it as its second-stage payload is what’s specific to this disclosure. Confidence: as-reported.

Capabilities, as characterized by Elastic

  • File enumeration and operations.
  • Keystroke logging and screenshot capture.
  • Cookie extraction and web-inject against Chromium and Firefox.
  • Browser control through the Chrome DevTools Protocol and WebDriver BiDi interfaces.
  • Command execution, process management, and download-and-execute of further executables and DLL modules.

None of these individually is novel. The claim in the Elastic writeup is that the packaging — full-featured, lightweight, modular, in C — is the point.

Evasion, as characterized

  • NTDLL unhooking, AMSI/ETW disabling, indirect syscalls, string encryption, import-name hashing, garbage instructions.
  • Anti-VM checks against CPU, memory, and disk-space thresholds; sandbox/researcher-name checks; debugger detection.
  • Geolocation exclusion of CIS countries via LCID — the standard “don’t run at home” pattern.

These are the observed evasion classes as reported. The mechanics of each are in the Elastic writeup; they are not reproduced here.

Persistence and privilege

  • COM elevation moniker used to reach Administrator.
  • Token theft from a set of standard system processes — spoolsv.exe, msdtc.exe, WmiPrvSE.exe, svchost.exe.
  • Service registration by registry key for svchost.exe-hosted loading.

Confidence: as-reported.

The interesting part — C2 fallback

WebSocket is the primary channel, TLS optional. If the WebSocket fails after ten attempts, TELEPUZ walks a four-step fallback chain to pull a new C2 URL:

  1. An encrypted URL published on a Telegram profilet[.]me/chanadarkpart.
  2. An encrypted URL published on a Steam Community profile.
  3. A DNS query for codebasecode[.]com.
  4. An encrypted URL read from a Polygon blockchain smart contract.

The Polygon step is the one worth flagging. Blockchain-hosted C2 pointers are not new in the wild, but the specific mix here — mainstream messaging, mainstream gaming, DNS, EVM smart contract — is a four-independent-provider fallback. Severing any one of them leaves three live.

C2 hosting itself is reported as compromised websites in Brazil and India, with staging domains fronted by Cloudflare.

Distribution model

Elastic labels the family suspected MaaS, on the basis of the daily VirusTotal submission volume relative to the small current set of C2 domains. Confidence: suspected — as-labeled by Elastic. No specific affiliate roster, panel URL, or pricing tier is stated in the writeup summarized here.

What is not confirmed

  • Affiliate structure or operator identity. The Telegram handle chanadarkpart is the closest public artifact; Elastic does not name a persona or crew. Unconfirmed.
  • Victim count. Distribution volume is inferred from VirusTotal submissions, not a confirmed victim tally. Unconfirmed.
  • Overlap with the other two ClickFix families disclosed the same day — ClickLock (macOS) and Starland (Windows, trojanized installers). Same delivery pattern is not the same operator. Unconfirmed — treat accordingly.

Sources

Confidence on the mechanics as characterized above: as-reported. MaaS labeling, operator identity, and victim scale: unconfirmed — treat accordingly.

Found this useful? Share it.