Published on July 8, 2026

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users


Severity

Medium

Detail

Researchers have uncovered a banking fraud campaign, tracked as REF6045, that targets customers of Mexican banks, fintech companies, payment processors, and cryptocurrency exchanges using ClickFix social engineering techniques. The campaign delivers a PowerShell-based toolkit called SCMBANKER, which enables attackers to monitor banking sessions, steal financial information, manipulate transactions, and remotely control compromised systems.

Evidence suggests the malware was partially developed with the assistance of a large language model (LLM), while operational mistakes by the attackers exposed significant portions of their infrastructure.

How?

The attack begins with a fake CAPTCHA page that imitates Google’s reCAPTCHA service. After completing the challenge, victims are instructed to copy and execute a malicious command through the Windows Run dialog, initiating a multi-stage PowerShell infection process.

To distract the victim, the malware opens a fake Windows Update screen while repeatedly prompting for administrator privileges through User Account Control (UAC). Once elevated privileges are obtained, the malware locks mouse movement, downloads additional components, and establishes persistence using the Windows Startup folder and Registry Run keys before rebooting the system.

After restarting, a master VBScript launches multiple PowerShell modules responsible for command-and-control (C2) communications, self-updates, banking session monitoring, clipboard hijacking, browser redirection, screenshot capture, keylogging, and the deployment of the Remote Utilities remote access tool. The malware continuously monitors active browser windows for Mexican banking websites and, when detected, can display fake security warnings, redirect victims to phishing pages, replace copied bank account numbers, or encourage victims to call attacker-controlled phone numbers as part of a vishing scheme.

Researchers also found that phishing sites used by the campaign notify attackers through Telegram whenever a victim reaches the malicious page, enabling operators to selectively engage high-value targets and perform additional fraud activities in real time.

Conclusion

The REF6045 campaign demonstrates how threat actors are combining ClickFix social engineering, PowerShell-based malware, remote administration tools, and AI-assisted development to conduct targeted banking fraud. Rather than relying solely on automated malware, attackers actively monitor victims and intervene manually when valuable banking sessions are detected.

Organizations should educate users about ClickFix-style attacks, restrict PowerShell execution where appropriate, monitor for unusual clipboard manipulation, browser automation, and unauthorized remote access software installations. Financial institutions should also implement behavioral fraud detection and encourage customers to verify unexpected security prompts or requests to contact bank support through official channels only.

Source

https://thehackernews.com/2026/07/scmbanker-malware-uses-clickfix-lures.html