Elastic: TELEPUZ ClickFix stealer confirmed since April
Elastic Security Labs pins TELEPUZ, a modular C stealer spreading via ClickFix since late April, likely MaaS, with a Go Vidar variant as stage two.
Confirmed: Elastic Security Labs disclosed today, July 16, 2026 a modular C infostealer tracked as TELEPUZ, spreading through ClickFix lures since late April 2026 and — on the volume of daily VirusTotal submissions — likely operating as malware-as-a-service. Confidence on the disclosure, the first-seen date, and the technical characteristics below: as-reported by Elastic.
The full technical writeup is at elastic.co/security-labs. This piece characterizes what was disclosed; the primary source carries the indicator detail.
Timeline
- April 28, 2026 — the Telegram channel Elastic ties to the operator’s C2-fallback infrastructure is created. Confidence: as-reported.
- Late April 2026 — first observed distribution via ClickFix lures on compromised websites. Confidence: as-reported.
- July 16, 2026 — Elastic publishes the family analysis; The Hacker News summarizes it same day.
Delivery
ClickFix. The same clipboard-hijacking pattern that carried Group-IB’s ClickLock macOS stealer and Talos’s Starland RAT trojanized installers — three separate ClickFix-fronted campaigns disclosed on the same day. A stager binary invokes the payload — a DLL named telepuz.dll — via rundll32.exe, with the payload retrieved from hurgadatour[.]shop. Confidence: as-reported.
Stage two
A Go variant of Vidar Stealer. Vidar as a family is not new; the observation that TELEPUZ ships it as its second-stage payload is what’s specific to this disclosure. Confidence: as-reported.
Capabilities, as characterized by Elastic
- File enumeration and operations.
- Keystroke logging and screenshot capture.
- Cookie extraction and web-inject against Chromium and Firefox.
- Browser control through the Chrome DevTools Protocol and WebDriver BiDi interfaces.
- Command execution, process management, and download-and-execute of further executables and DLL modules.
None of these individually is novel. The claim in the Elastic writeup is that the packaging — full-featured, lightweight, modular, in C — is the point.
Evasion, as characterized
- NTDLL unhooking, AMSI/ETW disabling, indirect syscalls, string encryption, import-name hashing, garbage instructions.
- Anti-VM checks against CPU, memory, and disk-space thresholds; sandbox/researcher-name checks; debugger detection.
- Geolocation exclusion of CIS countries via LCID — the standard “don’t run at home” pattern.
These are the observed evasion classes as reported. The mechanics of each are in the Elastic writeup; they are not reproduced here.
Persistence and privilege
- COM elevation moniker used to reach Administrator.
- Token theft from a set of standard system processes —
spoolsv.exe,msdtc.exe,WmiPrvSE.exe,svchost.exe. - Service registration by registry key for
svchost.exe-hosted loading.
Confidence: as-reported.
The interesting part — C2 fallback
WebSocket is the primary channel, TLS optional. If the WebSocket fails after ten attempts, TELEPUZ walks a four-step fallback chain to pull a new C2 URL:
- An encrypted URL published on a Telegram profile —
t[.]me/chanadarkpart. - An encrypted URL published on a Steam Community profile.
- A DNS query for
codebasecode[.]com. - An encrypted URL read from a Polygon blockchain smart contract.
The Polygon step is the one worth flagging. Blockchain-hosted C2 pointers are not new in the wild, but the specific mix here — mainstream messaging, mainstream gaming, DNS, EVM smart contract — is a four-independent-provider fallback. Severing any one of them leaves three live.
C2 hosting itself is reported as compromised websites in Brazil and India, with staging domains fronted by Cloudflare.
Distribution model
Elastic labels the family suspected MaaS, on the basis of the daily VirusTotal submission volume relative to the small current set of C2 domains. Confidence: suspected — as-labeled by Elastic. No specific affiliate roster, panel URL, or pricing tier is stated in the writeup summarized here.
What is not confirmed
- Affiliate structure or operator identity. The Telegram handle
chanadarkpartis the closest public artifact; Elastic does not name a persona or crew. Unconfirmed. - Victim count. Distribution volume is inferred from VirusTotal submissions, not a confirmed victim tally. Unconfirmed.
- Overlap with the other two ClickFix families disclosed the same day — ClickLock (macOS) and Starland (Windows, trojanized installers). Same delivery pattern is not the same operator. Unconfirmed — treat accordingly.
Sources
- The Hacker News: New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands — July 16, 2026.
- Elastic Security Labs primary writeup: TELEPUZ MaaS malware ClickFix — cited as the source of the technical detail summarized above.
Confidence on the mechanics as characterized above: as-reported. MaaS labeling, operator identity, and victim scale: unconfirmed — treat accordingly.
Found this useful? Share it.


