Intentionally desktop-first — best experienced on a workstation
Portfolio
Field Notes

Between Copy and Paste
What ClickFix Does to the Action You Never Think About

Author
Yana Ivanov
Published
July 2026
Category
Field Notes · Social Engineering
Threat
ClickFix · TELEPUZ
Sector
All · Developer · Enterprise
Read Time
8 minutes
8.3 BILLION PHISHING EMAILS IN Q1 2026  ·  CAPTCHA-GATED ATTACKS UP 125% IN MARCH  ·  TELEPUZ ACTIVE SINCE APRIL 2026
Section 01

The Thing You Do Without Thinking

Picture this. You are mid-research — a new tool, a setup guide, a Stack Overflow answer, a developer documentation page. You find the command you need. You highlight it. You press Ctrl+C or Cmd+C. Maybe you paste it straight into your terminal. Maybe you email it to yourself to use later, a habit so automatic your hands are already moving before you have finished reading the line.

You have done this hundreds of times. Maybe thousands. The copy-paste reflex is one of the most mechanical actions in computing — so fast, so frictionless, so invisible that it barely registers as a conscious decision. That is exactly the problem.

What if the thing you copied was not what you thought you copied? What if the page you were on ran a small piece of JavaScript the moment you pressed that key combination — and silently replaced the contents of your clipboard with something else entirely? What if what you pasted into your terminal, or emailed to yourself for later, was not the install command you read on screen but a malicious PowerShell script someone else wrote?

You would have no way to know. The page looked legitimate. The command looked right. You copied it the same way you copy everything.

This is ClickFix. Not a vulnerability in your software. Not an exploit that requires a zero-day. A manipulation of a reflex so ordinary that most people — including people who have worked in technology for years — have never once questioned it.

Figure 1 — ClickFix at Scale: Q1 2026
8.3B
Email Phishing Threats
January–March 2026. Microsoft Threat Intelligence.
11.9M
CAPTCHA-Gated Attacks
March 2026 alone. Highest volume in over a year.
+125%
Month-Over-Month Surge
CAPTCHA-gated phishing, February to March 2026.
53,000
Organizations Hit
In a single 3-day ClickFix campaign, February 2026.
Section 02

How It Works — and Why It Is So Hard to Catch

ClickFix works because it does not ask your computer to do anything suspicious. It asks you to do something you already do. The attack has two moments, and both feel completely routine.

Moment one: you copy. You visit a page — a developer resource, a fake documentation site, a compromised legitimate site — that contains a code snippet or command you need. As you select and copy it, JavaScript on the page fires silently. Your clipboard now contains something different from what you highlighted. You do not feel it happen. There is no error message. The page looks exactly the same.

Moment two: you paste. You open your terminal, your Run dialog, your notes app, your email draft. You paste. You hit Enter, or you send it to yourself for later. In either case, you have just executed — or queued for execution — a command you never wrote and never read.

What makes this particularly effective against developers and technical users is that we are the most likely to copy commands from the internet and paste them directly into a terminal without reading every character. We have been conditioned to trust code blocks on documentation sites. We are the target.

The email angle: If you are the type of person who emails things to yourself as a temporary clipboard — a command, a snippet, a URL to use later — you have just sent a malicious payload to your own inbox. When you open that email on another machine and paste it, the chain continues. The email is not the attack. But it is infrastructure for it.

Figure 2 — The TELEPUZ Infection Chain (Active Since April 2026)
Stage 1
Initial Access
ClickFix Lure
User visits a malicious or compromised page. JavaScript silently overwrites clipboard with a PowerShell command. User is prompted to paste and run it to "verify their identity" or "fix a loading error." The command downloads the second stage from an attacker-controlled domain.
Stage 2
Dropper
VIDAR (Go Variant)
A well-documented infostealer repurposed as a dropper in this campaign. Downloads and executes two additional components from a second staging domain: the TELEPUZ stager and main payload.
Stage 3
Full Compromise
TELEPUZ — Modular MaaS Payload
36 commands. Keylogger, credential stealer, Chrome cookie extractor, web injector, UAC bypass, SYSTEM privilege escalation. Registers as a Windows service named CipherAllocator. C2 resilience built in via Telegram, Steam, DNS, and Polygon blockchain fallbacks. If the primary C2 domain is taken down, the malware retrieves the new address from a public platform.

On July 16, 2026, Elastic Security Labs published a full reverse engineering analysis of TELEPUZ. The malware has been in active development since late April 2026, with a significant spike in new builds starting in early June. The code quality, the modular architecture, and the use of a Polygon blockchain smart contract as both a C2 resolver and a kill switch all point to a small, technically skilled team building for longevity — not a one-time campaign.

This is Malware-as-a-Service. Someone built it. Others are paying to use it. The ClickFix lure at the top of the chain is the part that does not require any technical skill at all — which is precisely what makes it scalable.

Section 03

Where the Email Comes In

ClickFix campaigns begin with an email. The phishing message is the first contact — a link to the page where the clipboard hijack happens. What does that email look like? Across documented campaigns in 2026, the pattern is consistent: urgency language, a lure that feels routine (an invoice, a delivery notification, a security check, a document waiting for your signature), and a link to a page that looks like it belongs there.

The link destination is often the most reliable signal. Across the 23 staging domains identified in the TELEPUZ campaign, not one uses a conventional TLD. Every domain sits on a non-standard, low-cost, high-abuse extension — the kind of TLD that has almost no legitimate enterprise use but costs an attacker almost nothing to register.

What to Watch For in Your Inbox

1
Hover over links before clicking. Domains ending in .lol, .shop, .lat, .click, .sbs, .cfd, .asia, .xyz, or .club have no legitimate reason to appear in enterprise email. If you see one combined with urgency language, stop.
2
A legitimate CAPTCHA checks you are human by asking you to identify images or type characters. It does not ask you to copy a command and paste it into your computer. Any page that does this is a ClickFix lure, regardless of how official it looks.
3
ClickFix emails are cold. They arrive from senders you have never interacted with. If you did not initiate the conversation — if you were not expecting a document, an invoice, or a security alert — treat the link as hostile until proven otherwise.
4
This is the habit that stops ClickFix cold. Before you press Enter in a terminal, read the full command in the input field — not the page you copied from, the actual text in the field. If they do not match, you have caught it. If you are emailing a command to yourself, paste it into a plain text editor first and read it there.

A note on email security: Email platforms that evaluate link destinations before delivery have a detection opportunity here that endpoint tools do not. The staging domain TLD pattern in TELEPUZ is consistent enough to be a reliable signal at the email layer — before the user ever sees the page, before the clipboard is touched, before any code runs. Detection at the inbox is the cleanest intervention point in this chain.

Section 04

The Light Bulb Moment

I have been in technology for over fifteen years. I copy and paste constantly — commands, snippets, URLs, config strings. I email things to myself as a running clipboard across devices. I never once thought about what happened between Cmd+C and Cmd+V. Not once.

That is the point. ClickFix does not exploit a gap in your software. It exploits a gap in your attention — the exact moment where you are moving fast, trusting what you see on screen, and not reading what your hands are actually doing. The attackers know this. They designed the attack around it. They are counting on the fact that checking the paste buffer before running a command feels paranoid, unnecessary, excessive. It is not.

TELEPUZ is one campaign using this technique. It will not be the last. MaaS means the delivery mechanism gets reused, resold, and redeployed under different names with different payloads. The ClickFix lure at the top of the chain is simple enough that any operator can run it. The sophistication is in what follows — and by the time that sophistication matters, the clipboard moment is already behind you.

The next time you copy a command from the internet, look at what you are about to paste before you run it. That one habit closes the attack surface that a multi-stage malware campaign just spent months building infrastructure to exploit.

Technical analysis based on Elastic Security Labs' July 16, 2026 report on TELEPUZ and Microsoft Threat Intelligence Q1 2026 email landscape data. IOCs sourced from Elastic Security Labs — all domains defanged. A companion ClickFix demonstration tool is available in the analyst toolkit. A Sublime Security detection rule targeting ClickFix email delivery patterns is in development and will be linked here when published. This piece reflects independent analysis and is produced for educational purposes.

YI
Yana Ivanov
Security Analyst  ·  Cybersecurity Researcher  ·  SiteWave Studio

Yana Ivanov is a threat intelligence analyst and detection engineer based in Connecticut, with 15 years of enterprise technology experience and an MS in Web Design & Development. She co-founded ArgusX, an independent threat intelligence platform, and contributes detection rules to Sublime Security's open-source production ruleset. She is currently pursuing CompTIA Security+. This analysis was produced independently as a contribution to the security community.

Portfolio