TELEPUZ is the kind of malware that should make business leaders less impressed by expensive dashboards and more interested in what staff do when a browser tells them something is broken.
According to reporting based on Elastic Security Labs research, TELEPUZ has been spreading through websites infected with ClickFix lures since late April 2026. The lure is not a clever exploit in the way many executives imagine cyberattacks. It is a social engineering trick. A web page presents a fake browser error, fake software update, or fake repair instruction, then pushes the user toward copying and running a command. The technique is also described as pastejacking because malicious script or commands can be placed into the clipboard while the page instructs the victim to paste and execute them.
That small detail matters. Many companies still train people to “spot suspicious links,” as if the link itself is the whole attack. ClickFix moves the decision point. The victim may already be on a compromised site, staring at what looks like an instruction to fix a problem. The mistake is not only clicking. The mistake is trusting a workflow that asks a non-technical user to run a command they do not understand.
In the TELEPUZ case, the attack chain described by The Hacker News results in PowerShell execution. PowerShell then downloads a second-stage payload from a remote URL and runs it. For a business owner, the important phrase is not PowerShell. It is “second-stage.” The first interaction is only the door. What follows can change quickly, especially when the malware is modular.
TELEPUZ is reported to be written in C, lightweight, and modular. Elastic Security Labs researcher Cyril François described it as “full-featured, lightweight, and modular,” according to the report. The same reporting says the malware can steal data and run commands. It also uses techniques intended to make analysis harder, including garbage instructions, import name hashing, string encryption, and indirect system calls. It checks usernames and computer names against a hard-coded list associated with sandbox and malware research environments.
That does not mean every organisation should panic. It does mean a lazy assumption has expired: that only large enterprises need to worry about advanced malware techniques. The barrier to using capable malware keeps falling when threats are packaged and updated like a service. The report notes a steady daily volume of VirusTotal submissions associated with TELEPUZ and says this suggests it is likely offered under a malware-as-a-service model. Whether a particular attacker is highly skilled becomes less relevant when the tool is available and the delivery method depends on ordinary user behaviour.
The overhyped part is the name. TELEPUZ will not be the last malware family with a technical write-up and a memorable label. If your security programme changes only when a new name appears in the news, you will always be late. The quietly useful lesson is older and less glamorous: stop letting random web instructions become trusted operational steps.
For most businesses, especially lean teams where one person handles finance, admin, procurement, and customer communication in the same browser session, the risk sits at the endpoint. A staff member receives a link, lands on a page, sees a prompt, and follows it because work must continue. In many African businesses, where teams are mobile-first, connectivity can be uneven, and staff often switch between personal communication channels and business systems, that pressure is real. Security advice that assumes a calm user, a managed laptop, and an IT department waiting on chat is advice from another planet.
The practical response is to remove dangerous choices from the user’s path. If ordinary staff do not need PowerShell, restrict it. If some teams need it, limit who can run it and under what conditions. Monitor for PowerShell downloading and executing content from remote URLs. Treat that as a high-signal event, not as background noise. A business does not need to understand every obfuscation technique inside TELEPUZ to know that a browser-to-clipboard-to-PowerShell chain is not normal office work.
Clipboard-based attacks also deserve a place in training, but training should be specific. “Do not paste commands from a website into your terminal or Run window” is better than another generic warning about suspicious emails. Staff should know that fake fixes are now part of the attack pattern: browser errors, update prompts, CAPTCHA-like instructions, and repair steps that ask them to copy and paste something. The rule should be simple enough to remember under pressure. If a website tells you to run a command, stop and ask IT.
Most rollouts stall at the training step because the message is vague. People cannot comply with “be cyber aware” while trying to close invoices or serve customers. Give them a small number of forbidden actions and a fast escalation route. If escalation takes too long, they will solve the problem themselves. That is not a character flaw; it is how work gets done.
There is also a web operations lesson here. TELEPUZ is spreading through infected websites using ClickFix lures, according to the report. Many businesses treat their public website as a brochure once it goes live. The agency finishes the site, plugins accumulate, admin accounts are shared, and no one budgets for maintenance. A compromised website can become someone else’s delivery channel. Even if your own data is not stolen, your brand can be used to harm visitors, customers, or partners.
So the question for management is not “Are we protected from TELEPUZ?” That is too narrow. Ask whether the company has a maintained endpoint policy, a patching rhythm, controlled administrative rights, monitored scripting activity, and a clear rule against running commands from web pages. Ask whether your website estate is being updated and checked, especially if it uses common content management systems, third-party plugins, or forms handled by non-technical staff. Ask whether anyone would notice if a workstation suddenly used PowerShell to fetch code from an external URL.
The answer in many companies will be uncomfortable. That is useful. Security work should expose where business processes are relying on luck.
Executives often want a clean product answer: buy this tool and the problem is handled. Tools help, but this class of attack sits between browser behaviour, endpoint controls, staff habits, and incident response. If those pieces are owned by different vendors or ignored entirely, the gap remains. A good control is boring: least privilege, script restrictions, endpoint detection, web filtering, patching, backups, and a human process that staff can actually use when something looks wrong.
For smaller companies, start with the highest-risk machines. Finance laptops. Admin machines with access to payroll, supplier payments, bank portals, tax systems, customer records, or cloud dashboards. Devices used by managers who approve transactions. If you cannot protect every endpoint this month, protect the ones that can move money, expose customer data, or change production systems.
For larger organisations, TELEPUZ is a reminder to test assumptions. Run a tabletop exercise around a staff member pasting a malicious command from a fake browser fix. Who receives the alert? What log shows the PowerShell activity? Can the endpoint be isolated? Who checks whether credentials were stolen? Who decides whether customer or regulator communication is required? A thirty-minute exercise will reveal more than a long policy document.
The malware will keep changing. The pattern will stay. Attackers like ClickFix because it turns the user into the installer and the clipboard into the delivery mechanism. Businesses should respond by making that path harder, noisier, and culturally unacceptable.
At Exquode, this is the kind of problem we prefer to handle before it becomes an incident: tightening endpoint controls, reviewing website exposure, setting up practical monitoring, and designing staff procedures that fit how teams in Ghana and across Africa actually work. If your team still depends on trust and reminders alone, it is time to replace that with controls people can live with.