SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures.
The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed SCMBANKER. Some components of the malware date back to October 2025.
“Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard,” security researchers Jia Yu Chan and Salim Bitam said. “For a full takeover, they can also deploy a commercial remote-access tool.”
SCMBANKER is specifically designed to go after Mexico’s financial ecosystem, with evidence pointing to the use of a large language model (LLM) to develop a huge chunk of the tooling. The toolkit supports a wide range of capabilities, including banking-session monitoring, screenshot capture, vishing overlays, phishing redirects, clipboard manipulation, and Remote Utilities installation.
Elastic’s findings stem from an operational security lapse in the REF6045 infrastructure, which made it possible to retrieve a ZIP archive containing the operation’s full web root directory from an open directory located at “68.211.161[.]46.”
The starting point is a fake CAPTCHA check that disguises itself as a security verification page, urging potential victims to solve a Google reCAPTCHA-like challenge to identify images containing a fire hydrant. Once the step is complete, they are presented with instructions to copy and paste a malicious command into the Windows Run dialog.
This, in turn, triggers the execution of a batch script that’s responsible for installing the malware through a multi-stage process, starting with a bogus Windows update screen.
“The batch script immediately launches Microsoft Edge in kiosk mode pointing to fakeupdate[.]net, a well-known pentesting/red team site that renders a fake Windows Update screen,” Elastic said. “This distraction buys time for the script to fully execute.”
In the next stage, the script checks if it’s running as admin, and if not, launches a Windows User Account Control (UAC) prompt every 20 seconds, effectively nudging the victim towards clicking “Yes” on the consent dialog. As soon as it gains elevated privileges, it locks mouse movement. This behavior, combined with the fake Windows update screen, forces the victim to stay, giving the malware ample time to download the complete toolset in the background using the bitsadmin tool from the same directory.
After SCMBANKER components are downloaded onto the compromised host, it sets up persistence using the Windows Startup folder and a Registry Run key, following which it programmatically sends an F11 keypress event to exit full screen and initiate a “Ctrl+W” keypress sequence to close the fake Windows update tab.
“However, this approach only works in a standard full-screen browser window, not in kiosk mode,” Elastic said. “It then forces a reboot with the shutdown /r /t 02 command and switches. Upon restart, the previous persistence mechanism via the Registry Run key triggers execution of the VBScript file (‘run.vbs’).”
The Visual Basic Script serves as a master launcher to run several modules in parallel –
- edifhjwe.ps1, for toolkit self-update
- cliente.ps1, for command-and-control (C2) beacon and implant control
- avs.ps1, for downloading the Remote Utilities RAT installer to facilitate hands-on access to a victim’s machine
- clip.ps1 and clip2.ps1, for CLABE account number and card number, clipboard hijack to reroute transactions
- correr.ps1, for arbitrary PowerShell execution
- ini.ps1, a launcher for “jujuzkt.ps1,” a banking activity monitor that checks all visible window titles every second for matches against a list of Mexican financial institutions and, if a match is found, takes screenshots and logs keystrokes
- rotor2.ps1, a wrapper for “mensaje1.ps1,” a vishing engine that serves fake overlays with security warnings instructing victims to call certain phone numbers
- remo.ps1, an IP address-gated launcher for “jujuzkt2.ps1,” a browser redirector that matches window titles against a list, and if a configured URL is present, places a phishing URL on the clipboard, makes the browser, and sends a series of keypress events (Ctrl+L, Ctrl+V, and Enter) to take the victim to the phishing landing page
One such redirect destination, “‘bancaporinternetbbmx[.]online,” contains a page-load Telegram notification script that harvests browser, device, and IP address details, and sends the information to a Telegram chat, alerting the operator that a redirected victim has reached the lure for follow-on attacks.
“The scripts show strong signs of AI assistance, most likely by prompting a large language model in Spanish and then applying manual obfuscation afterward,” Elastic said.
“The code has a split personality, with clean, descriptive function names and heavy explanatory comments sitting next to hand-shortened variables and leftover generation artifacts. The placement of instruction-like comments directly above the code they describe suggests the authors have prompted an inline coding assistant such as Copilot or Cursor.”
Taken together, the findings represent the work of a threat actor who has leaned on AI to assemble a crude toolset that’s best characterized by copy-paste batch files, shoddy craftsmanship, and operational security lapses.
“Victims are kept as a passive feed while the operator watches a live dashboard and engages only the targets worth the effort, switching on browser redirects, vishing lockdowns, clipboard swaps, or a full RAT by IP, on demand,” the researchers concluded. “Crude as it is, SCMBANKER already has real victims. The live victim counter and the labeled, tagged machines on the operator’s own panels show that individual people are being actively targeted.”
The post “SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users” appeared first on The Hacker News
Source:The Hacker News – [email protected] (The Hacker News)

