Elastic
10.4K posts

Elastic
@elastic
Where developers learn, build, and share. Your source for hands-on demos, cheat sheets, explainers and more.







TELEPUZ is a new modular malware spreading via CLICKFIX-VIDAR chains. Elastic Security Labs is tracking it. Active since late April 2026. The delivery path: ClickFix social engineering tricks users into running a PowerShell command that downloads a VIDAR Go variant, which then fetches a lightweight stager and the main TELEPUZ payload. The core DLL communicates over WebSockets and pulls additional modules from C2 on demand: Keylogger Stealer Web injector: intercepts browser sessions via CDP and WebDriver BiDi, with default configs targeting financial form fields like IBANs 36 commands. Indirect syscalls. AMSI and ETW patching. NTDLL unhooking. Multiple UAC bypasses. Still in active development: the shellcode injection command returns a TODO placeholder. C2 infrastructure is small (2 domains), but fallback methods include Telegram channels, Steam profiles, DNS records, and a Polygon smart contract that doubles as a kill switch. New builds hit VirusTotal daily. The C2 footprint is small, but this thing is moving fast for something that started 2 months ago. Full technical analysis: go.es.io/4wg6i1p











