SCMBANKER's execution chain | Image: Elastic Security Labs
On June 18, 2026, security analysts detected a host downloading suspicious PowerShell scripts from an open directory.
At a glance
- Actor or Group: REF6045 (suspected)
- Activity Type: Phishing, vishing, and malware deployment
- Targets or Victims: Mexican retail banks, fintechs, and crypto platforms
- Scale: Unconfirmed number of active victims
- Jurisdiction or Law-Enforcement Status: Private sector research disclosure
- Source: Elastic Security Labs
TL;DR
A suspected threat group tracked as REF6045 is running a widespread Mexican banking fraud campaign. The attackers trick victims with fake CAPTCHA pages to install the malicious SCMBANKER toolkit. Operators then steal financial data using live monitoring, screen overlays, and clipboard manipulation.
What Happened
The attack begins with a deceptive webpage. This site displays a fake CAPTCHA challenge. It asks visitors to verify they are human. Instead, the page tricks victims into copying a malicious command. The victim then pastes this code into the Windows Run dialog.
This dangerous tactic is known as ClickFix. Once the victim runs the code, a batch script takes over. The script immediately opens a fake Windows Update screen. This visual trick buys time for the malware to execute quietly.
Next, the script triggers a consent loop. If it lacks administrator rights, it asks for permission every twenty seconds. This frustrates users until they finally approve the request.
After gaining access, the malware locks the user’s mouse. A specific command traps the cursor in the center of the screen. Meanwhile, the script downloads the SCMBANKER toolkit in the background. According to the report, “All malicious scripts, files, and binaries are pulled individually via bitsadmin from http://68.211.161[.]46/files/ to C:\Users\Public\.”
SCMBANKER includes several dangerous modules. It monitors banking sessions and captures regular screenshots. It also manipulates the victim’s clipboard data. When a user copies a bank account number, the malware swaps it. It silently replaces the legitimate account with an attacker-controlled number.
Who is Behind It
Security researchers label this threat actor as REF6045. The group relies heavily on human operators rather than full automation. The operators manually trigger different malware modules from a remote control panel.
The attackers likely used artificial intelligence to build their toolkit. The code mixes descriptive function names with crude generation artifacts. The report notes, “The scripts are littered with numerous AI-generated artifacts, suggesting the operator relied heavily on a large language model to implement much of the functionality.”
The group also made severe operational security errors. They left server directories completely open to the public. They even exposed an unauthenticated file editor. This mistake allowed researchers to view their live targeting logic.
Impact or Scale
This Mexican banking fraud targets a broad financial ecosystem. Victims include retail bank customers, business accounts, and cryptocurrency traders. The operation poses a massive financial risk to users across the region.
Operators manage infected machines through a live dashboard. The malware beacons back to the server every thirty seconds. If the operator spots a valuable target, they can deploy a remote access tool. This gives the hacker direct control over the infected computer.
They can also launch a targeted vishing attack. This module displays an unbreakable fake bank warning on the screen. It urges the victim to call a fake support number. The report explains, “The vishing engine is what turns a commodity-looking PowerShell bundle into an operator-assisted fraud workflow.”
The total financial damage remains unconfirmed. However, live victim counters on the command panels indicate ongoing success.
What Comes Next
REF6045 maintains a self-update mechanism within SCMBANKER. The malware checks for updates regularly. Operators can push new code without losing their remote access.
Internet users must remain extremely cautious. Legitimate websites will never ask you to run code to verify your identity. You should always close unexpected pop-ups immediately.
Security teams should block known malicious domains. They must also monitor for unusual bitsadmin network activity. Endpoint protection tools can often detect unauthorized clipboard modifications. Analysts detailed these defense strategies in a recent Elastic Security Labs analysis.
Defenders must adapt to new threats quickly. AI tools now allow less experienced hackers to create dangerous malware. Continuous network monitoring and user education offer the strongest defense against these evolving tactics.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.