Full Report
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed
Analysis Summary
# Tool/Technique: SCMBANKER (REF6045)
## Overview
SCMBANKER is a malicious PowerShell-based toolkit used by the threat actor group REF6045. It is designed specifically to target the financial ecosystem in Mexico, including banks, fintech, and cryptocurrency exchanges. The malware employs a "ClickFix" social engineering strategy, tricking users into executing malicious commands via a fake CAPTCHA interface. Once installed, it allows attackers to monitor banking sessions, manipulate clipboards, and facilitate fraudulent transactions through vishing or remote access.
## Technical Details
- **Type:** Malware Family / PowerShell Toolkit
- **Platform:** Windows
- **Capabilities:** Banking session monitoring, clipboard hijacking, vishing overlays, screenshot capture, and remote access integration.
- **First Seen:** Components dated back to October 2025; reported in July 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0002 - Execution]**
- [T1059.001 - Command and Scripting Interpreter: PowerShell]
- [T1059.005 - Command and Scripting Interpreter: Visual Basic]
- [T1204.002 - User Execution: Malicious File]
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0004 - Privilege Escalation]**
- [T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control]
- **[TA0005 - Defense Evasion]**
- [T1564.003 - Hide Artifacts: Hidden Window]
- **[TA0007 - Discovery]**
- [T1010 - Application Window Discovery]
- **[TA0009 - Collection]**
- [T1113 - Screen Capture]
- [T1115 - Clipboard Data]
## Functionality
### Core Capabilities
- **Banking Activity Monitor:** Scans active window titles every second for matches against a predefined list of Mexican financial institutions.
- **Clipboard Hijacking:** Monitors the clipboard for CLABE (Clave Bancaria Estandarizada) account numbers or card numbers and replaces them with attacker-controlled accounts.
- **Persistence:** Installs itself in the Windows Startup folder and adds a entry to the Registry Run keys.
- **Information Stealing:** Captures screenshots and logs keystrokes when banking activity is detected.
### Advanced Features
- **ClickFix Social Engineering:** Uses a sophisticated fake CAPTCHA that instructs the user to manually run a command, bypassing some automated security filters.
- **Vishing Engine:** Serves fake security overlays that prompt the victim to call a specific phone number for "support," enabling live social engineering.
- **Anti-Interruption:** Use of a fake "Windows Update" screen in Kiosk mode and mouse locking to prevent the user from interrupting the infection process.
- **LLM-Assisted Development:** Evidence suggests significant portions of the toolkit’s code were generated using Large Language Models (LLMs).
## Indicators of Compromise
- **File Names:**
- `run.vbs` (Launcher)
- `cliente.ps1` (C2 Beacon)
- `jujuzkt.ps1` (Monitor)
- `avs.ps1`, `clip.ps1`, `rotor2.ps1` (Module files)
- **Network Indicators:**
- `68.211.161[.]46` (Infrastructure/Open Directory)
- `fakeupdate[.]net` (Distraction site)
- **Behavioral Indicators:**
- Rapid, repeated UAC prompts.
- Microsoft Edge launched in Kiosk mode.
- Automated mouse movement locking.
- Use of `bitsadmin` for background file downloads.
## Associated Threat Actors
- **REF6045**
## Detection Methods
- **Behavioral Detection:** Monitoring for frequent UAC prompts followed by `bitsadmin` activity and the execution of PowerShell scripts from the Startup folder.
- **Window Title Monitoring:** Detecting processes that frequently query window titles for banking-related strings.
- **Network Defense:** Blocking known ClickFix-related domains and monitoring for unusual outbound connections to unauthorized IP addresses from PowerShell or WScript.
## Mitigation Strategies
- **User Education:** Train users to never copy-paste commands into the Windows "Run" dialog or PowerShell terminal from a website.
- **Restrict Scripting:** Implement policies to restrict PowerShell execution to signed scripts only (Execution Policy: AllSigned).
- **Endpoint Protection:** Use EDR solutions that can detect and block unusual UAC behavior and unauthorized persistence mechanisms.
- **Principle of Least Privilege:** Ensure users do not operate with administrative privileges, which prevents the malware from effectively locking the system or installing system-wide persistence.
## Related Tools/Techniques
- **Remote Utilities:** A commercial RAT used by the actors for hands-on-keyboard access.
- **ClickFix:** A broader technique used by various groups (such as ClearFake) to deliver malware via fake browser/CAPTCHA updates.