Elastic Security Labs researchers have identified TELEPUZ, a new modular malware spreading through ClickFix-infected websites since late April 2026. The threat combines lightweight design with modular architecture, allowing operators flexibility in payload deployment and command execution.

ClickFix represents a social engineering technique that tricks users into downloading malicious files by mimicking system error messages. TELEPUZ leverages this delivery mechanism to establish initial compromise. Once installed, the malware executes arbitrary commands and exfiltrates data from compromised systems.

Cyril François, the Elastic Security Labs researcher who documented the threat, described TELEPUZ as "full-featured, lightweight, and modular." The modular design enables threat actors to selectively load components based on target value and operational objectives. This approach reduces the malware's footprint while maintaining functionality.

The threat remains in early distribution phases. Command-and-control infrastructure currently consists of a limited number of domains, suggesting the campaign launched recently or operators are still testing infrastructure stability. This small footprint may explain why detection has been limited to specific security vendors.

TELEPUZ targets organizations and individuals who encounter compromised websites displaying fake error notifications. Victims directed to download "system updates" or "security patches" receive the malware instead. The modular architecture allows operators to deliver information-stealing components to some targets and remote access trojans to others, depending on operational priorities.

Organizations should implement web filtering to block known ClickFix distribution sites and educate users to verify system alerts through official channels. Security teams should monitor for TELEPUZ indicators of compromise, including suspicious command execution and outbound connections to newly registered domains. Endpoint detection and response tools capable of behavioral analysis will identify suspicious modular component loading.

Individual users should avoid downloading software from pop-up warnings. Legitimate system updates originate from official vendor channels, not browser notifications. Keeping operating systems and