Some components of the malware date back to October 2025, yet the operation is active and aimed squarely at Mexico’s financial ecosystem, Elastic Security Labs found.
A newly documented campaign, tracked by Elastic Security Labs as REF6045, uses fake CAPTCHA pages and social-engineered prompts to trick Mexican banking customers, fintech users, payment-processor clients, and cryptocurrency exchange customers into installing a PowerShell toolkit dubbed SCMBANKER. The researchers attribute the discovery to an operational security lapse that exposed the attacker’s web root and a ZIP archive on an open directory.
REF6045 infection chain: fake CAPTCHA, Run dialog, and a staged Windows update
The intrusion begins with a deceptive CAPTCHA page that mimics a Google reCAPTCHA-style verification, asking victims to select images showing a fire hydrant. After completing the image selection, victims are told to copy and paste a command into the Windows Run dialog. That single action launches a batch script which drives a multi-stage install.
Elastic observed the batch script immediately launch Microsoft Edge in kiosk mode and point it at fakeupdate[.]net to render a fake Windows Update screen—an intentional distraction. The script checks for administrative privileges; if it lacks them, it fires a Windows User Account Control (UAC) prompt every 20 seconds to pressure the user into granting consent. Once elevated, the script locks mouse movement and uses bitsadmin to download the SCMBANKER components in the background.
After installation the malware sets persistence using the Windows Startup folder and a Registry Run key, then performs scripted keypresses (including an F11 to exit full screen, Ctrl+W to close the update tab) before forcing a reboot with shutdown /r /t 02. On restart the Registry Run key triggers execution of a VBScript file named run.vbs, which acts as the master launcher for the toolkit.
SCMBANKER toolkit: modules and malicious capabilities
- edifhjwe.ps1 — toolkit self-update
- cliente.ps1 — command-and-control (C2) beacon and implant control
- avs.ps1 — downloads a Remote Utilities RAT installer for hands-on access
- clip.ps1 and clip2.ps1 — clipboard hijacks for CLABE account numbers and card numbers
- correr.ps1 — arbitrary PowerShell execution
- ini.ps1 launching jujuzkt.ps1 — a banking activity monitor that checks visible window titles every second for matches to a list of Mexican financial institutions and, on match, takes screenshots and logs keystrokes
- rotor2.ps1 wrapping mensaje1.ps1 — a vishing engine that displays fake overlays with security warnings and instructs victims to call phone numbers provided by the operator
- remo.ps1 gating jujuzkt2.ps1 by IP — a browser redirector that places a phishing URL on the clipboard and automates keypresses (Ctrl+L, Ctrl+V, Enter) to send victims to phishing landings
One redirect landing, bancaporinternetbbmx[.]online, hosts a page-load Telegram notification script that harvests browser, device, and IP details and posts them to a Telegram chat to alert operators that a victim reached the lure.
AI-assisted code and operational security lapses
Elastic reports “strong signs of AI assistance, most likely by prompting a large language model in Spanish and then applying manual obfuscation afterward.” The analysts point to a “split personality” in the source: tidy function names and explanatory comments alongside hand-shortened variables and leftover generation artifacts. The placement of instruction-like comments directly above corresponding code suggests inline coding assistants such as Copilot or Cursor were used.
Crucially, an exposed web root at 68.211.161[.]46 allowed researchers to retrieve a ZIP archive containing the operation’s full web directory—an operational security lapse that made full analysis possible.
How operators run live attacks and what they can do to victims
Elastic’s report describes an operator workflow that treats victims as a passive feed: the implant notifies a dashboard when a user opens a banking session, and operators selectively enable tactics. “Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard,” researchers Jia Yu Chan and Salim Bitam wrote. “For a full takeover, they can also deploy a commercial remote-access tool.”
That control is granular: operators can switch on browser redirects, enable vishing lockdown overlays, perform clipboard swaps that reroute transferred account numbers, or install a RAT to assume direct control by IP. Elastic notes a live victim counter and labeled, tagged machines on the operator panels, indicating active targeting of real people.
What this means for Mexican banks, fintechs, and end users
- Mexican banks and payment processors: SCMBANKER’s window-title monitoring and automated redirects target sessions tied to named local institutions. Financial operators should be aware that fraud can be driven by clipboard substitution and post-redirection capture rather than only traditional credential theft.
- Fintechs and crypto exchanges: automated URL redirects to phishing landings and a Telegram alerting mechanism allow operators to triage victims for follow-on social engineering or hands-on access—threat actors are combining automated collection with human decision-making.
- End users: the campaign relies on social engineering steps you can observe—fake CAPTCHA pages, instructions to paste commands into the Run dialog, persistent UAC prompts every 20 seconds, a fake Windows Update screen, and unexpected requests to call phone numbers shown in overlays.
Elastic’s analysis paints SCMBANKER as a blunt but effective toolkit: cobbled together, partially AI-assisted, and operationally exposed—but already in active use against Mexican financial customers. The combination of simple Windows features (Run, UAC, Registry Run, bitsadmin), clipboard manipulation, and a commercial RAT offers attackers multiple paths to monetize a compromised session. The public recovery of the operation’s web root provided a rare, complete view into an active campaign that continues to show victims in the operator’s panels.




