Elastic Exposes TELEPUZ: C Malware Sold as MaaS via ClickFix Chain

Elastic Security Labs disclosed TELEPUZ, a C-based malware distributed through a ClickFix-to-Vidar chain with VirusTotal volumes indicating a MaaS operation.
Table of Contents
    Add a header to begin generating the table of contents

    Elastic Security Labs researcher Cyril François published the first technical documentation of TELEPUZ — a full-featured, modular malware written in C — after identifying campaign activity beginning in late April 2026. The malware reaches Windows systems through a three-stage delivery chain that begins with ClickFix social engineering, passes through a Vidar Stealer stager, and drops TELEPUZ as the final payload. The volume of distinct daily builds submitted to VirusTotal is consistent with a malware-as-a-service operation in which multiple independent threat actors deploy configured variants against separate targets.

    A Three-Stage Delivery Chain That Places Three Detection Barriers in Front of Defenders

    The ClickFix-to-Vidar-to-TELEPUZ chain introduces three distinct detection opportunities that security tools must each address to block a complete infection. Defenders who catch only one stage of the chain — the ClickFix prompt, the PowerShell execution, or the Vidar Stealer download — without also detecting the TELEPUZ payload itself will stop individual infections inconsistently. The design of the chain forces defenders to cover multiple detection layers simultaneously.

    ClickFix Lure to PowerShell to Vidar Stealer: The Stager Download Stage

    The delivery sequence begins when a victim encounters a compromised website or malicious page presenting a fake browser fix or CAPTCHA prompt. The ClickFix lure instructs the user to execute a specific command — typically pasted into a Windows dialog — which triggers a PowerShell download. That PowerShell command retrieves a Go-based variant of Vidar Stealer. In the TELEPUZ chain, Vidar does not operate as the primary credential-harvesting payload it typically is; instead, this Vidar variant serves exclusively as a stager whose role is to download and execute the TELEPUZ binary. Using an established malware family as a stager adds a layer of indirection: security tools that classify Vidar as an infostealer may not anticipate that the Vidar process is itself delivering a secondary payload under a separate family signature.

    TELEPUZ Capabilities: Keystroke Logging, Screenshots, Web Injection, and Downloadable Modules

    TELEPUZ’s core capability set reflects a mature, general-purpose post-access tool designed for flexibility across diverse targets. The malware performs file system operations, logs keystrokes, captures screenshots, executes arbitrary shell commands, manages running processes, injects into web content, and extracts browser cookies from both Chromium-based browsers and Firefox. Critically, TELEPUZ implements a modular architecture: operators can download supplemental capability modules to the infected system after the initial deployment, expanding TELEPUZ’s functionality without requiring a full reinstall. This extensibility allows the operator to tailor the malware’s behavior to specific targets — deploying additional modules against high-value victims while keeping the initial footprint minimal against lower-priority ones. The combination of lightweight initial deployment and post-access modularity is a defining characteristic of commercial MaaS toolkits designed to serve customers with varied operational requirements.

    Build Volume on VirusTotal Points to a Malware-as-a-Service Model

    The pattern of distinct daily TELEPUZ builds submitted to VirusTotal is what led Elastic to characterize TELEPUZ as a MaaS operation rather than a tool deployed by a single threat actor. A single actor running one campaign would produce a modest and consistent set of builds; the observed volume of daily submissions — each representing a freshly configured variant — is consistent with multiple buyers of the TELEPUZ builder independently generating campaign-specific payloads. Under a MaaS model, the TELEPUZ developer maintains and updates the core malware framework while customers configure and deploy their own campaign variants.

    Why TELEPUZ’s MaaS Model Makes Operator-Level Attribution Unreliable

    A MaaS distribution model creates a fragmented threat landscape for defenders. TELEPUZ components will appear across many disparate campaigns operated by different threat actors, each using different ClickFix lure themes, different C2 servers, and different victim targeting, while the underlying TELEPUZ code remains consistent. Threat-actor-level attribution becomes difficult: Elastic can identify TELEPUZ by its code structure and behavior, but there is no single group whose infrastructure can be identified as the canonical source of all TELEPUZ attacks. Defenders benefit most from detecting the delivery chain’s techniques — the ClickFix execution pattern, the PowerShell stage-two download, the Vidar Stealer behavioral signature, and TELEPUZ’s own host-based indicators — rather than from blocking indicators tied to any one operator’s specific infrastructure. Elastic Security Labs provided no specific threat actor attribution at the time of the July 16, 2026 disclosure.

    The TELEPUZ disclosure adds another family to the list of Windows malware that the ClickFix delivery method has brought into wider circulation during 2026. The continued effectiveness of ClickFix social engineering across diverse malware families suggests that the technique’s success depends on a persistent user behavior — willingness to execute pasted commands without scrutinizing their content — rather than on any characteristic of the malware itself.

    Related Posts