A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures.
The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed SCMBANKER. Some components of the malware date back to October 2025.
“Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard,” security researchers Jia Yu Chan and Salim Bitam said. “For a full takeover, they can also deploy a commercial remote-access tool.”
SCMBANKER is specifically designed to go after Mexico’s financial ecosystem, with evidence pointing to the use of a large language model (LLM) to develop a huge chunk of the tooling. The toolkit supports a wide range of capabilities, including banking-session monitoring, screenshot capture, vishing overlays, phishing redirects, clipboard manipulation, and Remote Utilities installation.
Elastic’s findings stem from an operational security lapse in the REF6045 infrastructure, which made it possible to retrieve a ZIP archive containing the operation’s full web root directory from an open directory located at “68.211.161[.]46.”
The starting point is a fake CAPTCHA check that disguises itself as a security verification page, urging potential victims to solve a Google reCAPTCHA-like challenge to identify images containing a fire hydrant. Once the step is complete, they are presented with instructions to copy and paste a malicious command into the Windows Run dialog.
This, in turn, triggers the execution of a batch script that’s responsible for installing the malware through a multi-stage process, starting with a bogus Windows update screen.
“The batch script immediately launches Microsoft Edge in kiosk mode pointing to fakeupdate[.]net, a well-known pentesting/red team site that renders a fake Windows Update screen,” Elastic said. “This distraction buys time for the script to fully execute.”
In the next stage, the script checks if it’s running as admin, and if not, launches a Windows User Account Control (UAC) prompt every 20 seconds, effectively nudging the victim towards clicking “Yes” on the consent dialog. As soon as it gains elevated privileges, it locks mouse movement. This behavior, combined with the fake Windows update screen, forces the victim to stay, giving the malware ample time to download the complete toolset in the background using the bitsadmin tool from the same directory.
After SCMBANKER components are downloaded onto the compromised host, it sets up persistence using the Windows Startup folder and a Registry Run key, following which it programmatically sends an F11 keypress event to exit full…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]

