Since late April 2026, a new, modular threat known as TELEPUZ has been actively circulating in the wild, utilizing the highly effective "ClickFix" social engineering technique. As reported by Elastic Security Labs researcher Cyril François, this malicious software is lightweight yet full-featured, designed specifically for data theft and remote command execution.
For defenders, the emergence of TELEPUZ represents a shift in commodity malware: it is modular, allowing threat actors to swap out capabilities dynamically, and relies on a small but fast-fluxing set of Command-and-Control (C2) domains. The primary infection vector—ClickFix—bypasses traditional email filters by targeting users via compromised legitimate websites displaying fake browser update prompts.
Given the active exploitation status and the difficulty of detecting script-based initial access vectors, immediate action is required to bolster detection capabilities and harden endpoints against this specific delivery chain.
Technical Analysis
Affected Platforms & Components
- Delivery Vector: Web browsers (Google Chrome, Microsoft Edge, Mozilla Firefox) rendering compromised web content.
- Payload: Windows-based executable/script (TELEPUZ malware).
- Infrastructure: Small set of C2 domains with high daily churn to avoid reputation-based blocking.
CVE Identifiers
- None: This threat relies on social engineering (ClickFix) and script abuse rather than a specific software vulnerability. No CVE is applicable for this campaign.
Attack Chain: How ClickFix Delivers TELEPUZ
- Initial Access: The user visits a legitimate website that has been compromised or hosts a malicious advertisement.
- Social Engineering (ClickFix): A fake browser update overlay appears, claiming the browser is out of date or "Video Player cannot be played."
- User Interaction: Deceived by the professional-looking UI, the user copies a PowerShell or Batch command provided in the dialog box and pastes it into their terminal (Command Prompt or PowerShell).
- Execution: The copied command—typically obfuscated—downloads and executes the TELEPUZ payload. This often involves
powershell.exeinvoked with-WindowStyle Hiddenor-EncodedCommand. - Payload Deployment: TELEPUZ establishes a foothold, performing reconnaissance and reaching out to the C2 infrastructure.
- Objective: The malware steals system data and awaits further commands for execution due to its modular nature.
Exploitation Status
- Status: Confirmed Active Exploitation (In-the-wild).
- Source: Elastic Security Labs Technical Report (July 2026).
Detection & Response
The following detection rules focus on the ClickFix delivery mechanism (PowerShell execution via clipboard-based user deception) and the modular behavior of TELEPUZ. These rules are designed to minimize false positives while catching the specific TTPs associated with this campaign.
SIGMA Rules
---
title: TELEPUZ ClickFix - PowerShell Encoded Command Execution
id: 9c8e7f12-a345-4b89-c123-456d7890e1f2
status: experimental
description: Detects PowerShell execution with EncodedCommand or hidden windows, a hallmark of ClickFix campaigns like TELEPUZ where users are tricked into running obfuscated scripts.
references:
- https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-WindowStyle Hidden'
- '-w hidden'
- '-NonInteractive'
- '-NoLogo'
- '-EncodedCommand'
- '-Enc'
condition: selection
falsepositives:
- Legitimate system administration scripts (rare with all flags combined)
level: high
---
title: TELEPUZ ClickFix - Suspicious PowerShell Download Patterns
id: b1d2e3f4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects PowerShell scripts attempting to download payloads using common methods used in ClickFix lures (e.g., Invoke-WebRequest, WebClient).
references:
- https://attack.mitre.org/techniques/T1105
author: Security Arsenal
date: 2026/07/15
tags:
- attack.command_and_control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'Invoke-WebRequest'
- 'iex'
- 'Invoke-Expression'
- '.DownloadFile'
- '.DownloadString'
filter:
CommandLine|contains:
- 'SoftwareDistribution'
- 'WindowsUpdate'
condition: selection and not filter
falsepositives:
- Administrators using PowerShell for package management
level: medium
KQL (Microsoft Sentinel / Defender)
This query identifies process creation events characteristic of ClickFix execution chains. It looks for PowerShell spawning with suspicious flags and immediate network connections, typical of the TELEPUZ loader.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-Enc", "-WindowStyle Hidden", "-w hidden")
| extend HasNetAccess = ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "DownloadFile", "iex")
| where HasNetAccess == true
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
Velociraptor VQL
This Velociraptor hunt artifact searches for PowerShell processes that are likely associated with ClickFix payloads by checking for specific command-line arguments often used to hide execution and download payloads.
-- Hunt for PowerShell processes associated with ClickFix TTPs
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "powershell.exe"
AND (
CommandLine =~ "-EncodedCommand" OR
CommandLine =~ "-w hidden" OR
CommandLine =~ "DownloadFile" OR
CommandLine =~ "Invoke-WebRequest"
)
Remediation Script (PowerShell)
This script enforces PowerShell Script Block Logging and Transcription. These controls are critical for capturing the obfuscated logic used by TELEPUZ and ClickFix variants, allowing forensics teams to reconstruct the attack even if the original file is deleted.
# Configure PowerShell Logging for ClickFix/TELEPUZ Forensics
# Requires Administrative Privileges
Write-Host "[+] Configuring PowerShell Script Block Logging..." -ForegroundColor Cyan
$registryPath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
if (-not (Test-Path $registryPath)) {
New-Item -Path $registryPath -Force | Out-Null
}
Set-ItemProperty -Path $registryPath -Name "EnableScriptBlockLogging" -Value 1 -Force
Write-Host "[+] Configuring PowerShell Transcription..." -ForegroundColor Cyan
$transcriptionPath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription"
if (-not (Test-Path $transcriptionPath)) {
New-Item -Path $transcriptionPath -Force | Out-Null
}
Set-ItemProperty -Path $transcriptionPath -Name "EnableTranscripting" -Value 1 -Force
Set-ItemProperty -Path $transcriptionPath -Name "EnableInvocationHeader" -Value 1 -Force
# Set output directory (Ensure this path exists and has ACLs)
$logDir = "C:\Windows\TEMP\PowerShellTranscripts"
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
Set-ItemProperty -Path $transcriptionPath -Name "OutputDirectory" -Value $logDir -Force
Write-Host "[+] Configuration Applied. Defenders should monitor the transcription directory." -ForegroundColor Green
Remediation
-
User Awareness & Education: Immediate security awareness briefings are required. Users must be instructed to never copy and paste commands from browser pop-ups claiming to be software updates. Legitimate browser updates are handled through the browser's internal "About" menu or official OS patching systems.
-
Network Restrictions: Implement URL filtering/DNS sinkholing to block access to known low-reputation domains. While TELEPUZ rotates C2s, restricting general access to newly registered domains (NRDs) for non-admin users can reduce the attack surface.
-
Application Control (ASR Rules): Enable the following Microsoft Defender Attack Surface Reduction (ASR) rules:
- Block all Office applications from creating child processes. (Prevents similar macro-to-shell techniques).
- Block JavaScript or VBScript from launching downloaded executable content. (Directly impacts the ClickFix script execution).
-
PowerShell Constrained Language Mode: For general user workstations, consider enforcing PowerShell Constrained Language Mode to prevent the execution of unsigned scripts and complex language features often exploited by malware like TELEPUZ.
-
Hunt for Persistence: Once access is gained, modular malware often creates persistence. Review scheduled tasks and registry run keys (
HKLM\Software\Microsoft\Windows\CurrentVersion\Run) for unknown entries pointing to PowerShell or obscure executables.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.