TELEPUZ: The New Malware Hiding Behind Fake 'Fix This' Website Pop-ups
A modular info-stealer is spreading through booby-trapped websites that trick visitors into pasting malicious commands into their own computers.

Key points
- Elastic Security Labs disclosed a new malware family called TELEPUZ that has been spreading since late April 2026.
- The malware reaches victims through ClickFix lures, which are fake error messages on hacked websites that trick people into running malicious commands themselves.
- TELEPUZ is modular, meaning attackers can plug in extra tools to steal data or run commands on the infected machine.
- Researchers say the number of attacker-controlled servers is small so far, but the pace of infections is climbing.
Security researchers at Elastic Security Labs have flagged a new piece of malicious software called TELEPUZ. It has been infecting Windows computers since late April 2026, and it arrives in an unusually sneaky way: the victim types the attack in themselves.
The trick is called ClickFix. A person lands on a hacked website and sees what looks like a normal error box, something like "Your browser is missing a component, run this to fix it." The page then asks them to press the Windows key plus R, paste a line of text, and hit Enter. That line is the malware.
It works because it does not look like an attack. There is no dodgy attachment to open. There is no download prompt to dismiss. The user is guided, step by step, into launching the code on their own machine.
Once it runs, TELEPUZ takes over quietly. Elastic researcher Cyril François described it as "full-featured, lightweight, and modular." In plain terms: the core program is small, but the attackers can bolt on extra pieces to do whatever they want next.
What can TELEPUZ actually do to a victim's computer?
It can steal information and run further commands, which is the two-part threat that makes info-stealers so useful to criminals. First it grabs valuable data from the machine. Then it opens a channel back to the attackers, letting them push new instructions later.
The kind of data these tools typically go after includes saved browser passwords, session cookies (the small files that keep you logged in to sites like your email or bank), cryptocurrency wallet files, and anything else that can be resold or reused.
Session cookies are the quiet danger here. If a criminal steals a valid cookie from your browser, they can often log in as you without needing your password, and without triggering a two-factor prompt. This is one of the cases where multi-factor authentication, the extra code from an app or text, does not always save you. It helps at login. It does not help if the attacker skips login entirely by reusing your active session.
According to Elastic's writeup, the malware currently talks to a small number of command-and-control domains, which are the servers the attackers use to send orders to infected machines. That number is low today. The infection rate, researchers noted, is not.
What should ordinary users do?
The single most useful habit: never paste a command into the Run box, PowerShell, or a terminal because a website told you to. No legitimate site, ever, will ask you to do that to "verify" you are human or to fix a video player. That prompt is the attack.
If you have already done it, assume passwords stored in your browser are exposed. Change the important ones from a different device, sign out of all sessions on your main accounts, and run a full scan with your antivirus. Watch your email and bank for anything you did not do.
The Hacker News first reported the malware's technical details. Elastic has published indicators of compromise, meaning file names and domains defenders can block, on its research site.
ClickFix has been growing fast across 2025 and into 2026 because it sidesteps most of the security tools companies rely on. It does not need a software flaw. It just needs a person willing to follow instructions.



