SCMBANKER: AI-Assisted Banking Fraud Targets Mexican Financial Sector
A new sophisticated banking fraud operation, dubbed **REF6045** by **Elastic Security Labs**, is actively targeting customers of Mexican banks, fintech companies, payment processors, and cryptocurrency exchanges. This campaign leverages **ClickFix** lures and an AI-assisted PowerShell toolkit, **SCMBANKER**, to compromise systems and facilitate extensive financial manipulation.
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using **ClickFix** lures.
The activity cluster, tracked by **Elastic Security Labs** under the moniker **REF6045**, involves infecting victims through fake CAPTCHA verification pages. These pages deceive users into running a malicious command that installs a PowerShell toolkit dubbed **SCMBANKER**. Some components of the malware date back to October 2025.
"Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard," security researchers Jia Yu Chan and Salim Bitam said. "For a full takeover, they can also deploy a commercial remote-access tool."
**SCMBANKER** is specifically designed to go after Mexico's financial ecosystem, with evidence pointing to the use of a large language model (LLM) to develop a huge chunk of the tooling. The toolkit supports a wide range of capabilities, including banking-session monitoring, screenshot capture, vishing overlays, phishing redirects, clipboard manipulation, and **Remote Utilities** installation.
### Operational Security Lapse Exposes Infrastructure
Elastic's findings stem from an operational security lapse in the **REF6045** infrastructure, which made it possible to retrieve a ZIP archive containing the operation's full web root directory from an open directory located at "68.211.161[.]46."
### The Infection Chain: From CAPTCHA to Command
The starting point for the attack is a fake CAPTCHA check that disguises itself as a security verification page. It urges potential victims to solve a Google reCAPTCHA-like challenge to identify images containing a fire hydrant. Once this step is complete, users are presented with instructions to copy and paste a malicious command into the Windows Run dialog.
This, in turn, triggers the execution of a batch script responsible for installing the malware through a multi-stage process, starting with a bogus Windows update screen.
"The batch script immediately launches **Microsoft Edge** in kiosk mode pointing to fakeupdate[.]net, a well-known pentesting/red team site that renders a fake Windows Update screen," Elastic said. "This distraction buys time for the script to fully execute."
### Elevating Privileges and Maintaining Persistence

In the next stage, the script checks if it's running as administrator. If not, it launches a Windows User Account Control (UAC) prompt every 20 seconds, effectively nudging the victim towards clicking "Yes" on the consent dialog. As soon as it gains elevated privileges, it locks mouse movement. This behavior, combined with the fake Windows update screen, forces the victim to stay, giving the malware ample time to download the complete toolset in the background using the **bitsadmin** tool from the same directory.
After **SCMBANKER** components are downloaded onto the compromised host, it sets up persistence using the Windows Startup folder and a Registry Run key. Subsequently, it programmatically sends an F11 keypress event to exit full screen and initiates a "Ctrl+W" keypress sequence to close the fake Windows update tab.
"However, this approach only works in a standard full-screen browser window, not in kiosk mode," Elastic said. "It then forces a reboot with the shutdown /r /t 02 command and switches. Upon restart, the previous persistence mechanism via the Registry Run key triggers execution of the VBScript file ('run.vbs')."
### Modular Malicious Capabilities
The Visual Basic Script serves as a master launcher to run several modules in parallel:
* `edifhjwe.ps1`, for toolkit self-update
* `cliente.ps1`, for command-and-control (C2) beacon and implant control
* `avs.ps1`, for downloading the **Remote Utilities RAT** installer to facilitate hands-on access to a victim's machine
* `clip.ps1` and `clip2.ps1`, for CLABE account number and card number, clipboard hijack to reroute transactions
* `correr.ps1`, for arbitrary PowerShell execution
* `ini.ps1`, a launcher for "`jujuzkt.ps1`," a banking activity monitor that checks all visible window titles every second for matches against a [list](https://gist.github.com/jiayuchann/cfbeb1b194b2e186fc599eb51c4719cc) of Mexican financial institutions and, if a match is found, takes screenshots and logs keystrokes
* `rotor2.ps1`, a wrapper for "`mensaje1.ps1`," a vishing engine that serves fake overlays with security warnings instructing victims to call certain phone numbers
* `remo.ps1`, an IP address-gated launcher for "`jujuzkt2.ps1`," a browser redirector that matches window titles against a [list](https://gist.github.com/jiayuchann/5851f64467bac4c456dab67e2fb55622), and if a configured URL is present, places a phishing URL on the clipboard, makes the browser, and sends a series of keypress events (Ctrl+L, Ctrl+V, and Enter) to take the victim to the phishing landing page
One such redirect destination, "'bancaporinternetbbmx[.]online," contains a page-load Telegram notification script that harvests browser, device, and IP address details, and sends the information to a Telegram chat, alerting the operator that a redirected victim has reached the lure for follow-on attacks.
### AI's Role in Tooling Development
"The scripts show strong signs of AI assistance, most likely by prompting a large language model in Spanish and then applying manual obfuscation afterward," Elastic said.
"The code has a split personality, with clean, descriptive function names and heavy explanatory comments sitting next to hand-shortened variables and leftover generation artifacts. The placement of instruction-like comments directly above the code they describe suggests the authors have prompted an inline coding assistant such as **Copilot** or **Cursor**."
Taken together, the findings represent the work of a threat actor who has leaned on AI to assemble a crude toolset that's best characterized by copy-paste batch files, shoddy craftsmanship, and operational security lapses.
"Victims are kept as a passive feed while the operator watches a live dashboard and engages only the targets worth the effort, switching on browser redirects, vishing lockdowns, clipboard swaps, or a full RAT by IP, on demand," the researchers concluded. "Crude as it is, **SCMBANKER** already has real victims. The live victim counter and the labeled, tagged machines on the operator's own panels show that individual people are being actively targeted."