CyberSecurityNews

ClickFix Campaign Uses Fake Google Verification Page to Infect Mexican Bank Customers


A fake Google verification page is being used to infect customers of Mexican banks with a malware toolkit built for fraud, not just espionage.

The campaign relies on a familiar ClickFix trick, where a victim is pushed to copy and run a command that quietly starts the infection chain.

From there, the attackers can watch for banking activity, interfere with sessions, and steer victims toward phone-based scams and phishing pages.

The operation, tracked as REF6045, is notable because it is guided by a human operator who decides when to escalate against each victim.

The malware family, named SCMBANKER, has components that date back to at least October 2025, while Elastic telemetry first surfaced one of the active infections in June 2026.

Its focus is broad inside Mexico’s financial ecosystem, spanning retail banks, business banking portals, fintech services, payment processors, cryptocurrency exchanges, investment platforms, SAT services, and telecom providers.

Researchers at Elastic Security Labs identified the campaign and described it as a ClickFix delivery chain adapted for operator-assisted banking fraud. 

Elastic said in a report shared with Cyber Security News (CSN) that the attackers use fake verification pages to plant the toolkit, then turn infected machines into a live feed for financial abuse.

The result is a campaign that may look crude on the surface but is built to cash out quickly once a target logs in to the right service.

REF6045 SCMBANKER execution chain from ClickFix lure (Source – Elastic)

What makes the threat stand out is how much control the operators keep after the initial compromise.

They can capture screenshots, redirect a browser to phishing pages, replace payment details copied to the clipboard, lock the screen behind fake warnings, and even deploy a remote access tool for full hands-on control.

Elastic also found signs that large language models helped write much of the code, lowering the barrier for criminals who want useful features without deep development skill.

ClickFix Campaign Uses Fake Google Verification Page

The infection starts on fake CAPTCHA or verification pages dressed up as a security check, including prompts in Spanish and fake Google security wording.

After the challenge, the page copies a command that pulls a first-stage script and pipes it into the Windows command shell.

That script opens a fake Windows Update screen, pressures the victim for administrator approval, traps the mouse, and then uses bitsadmin to download the rest of the toolkit into the public user directory.

Fake Windows Update screen (Source - Elastic)
Fake Windows Update screen (Source – Elastic)

Elastic found several related delivery sites and file servers using the same pattern, which suggests reuse of the same kit across multiple deployments.

The exposed infrastructure also showed poor security on the attacker side, including open directories, a leaked web root archive, and an unauthenticated editor tied to live targeting files.

For defenders, that means suspicious PowerShell activity, bitsadmin downloads, odd use of Windows Run, and scripts launched from unusual directories deserve immediate attention before the fraud stage begins.

User education also matters, because the attack succeeds only when a victim trusts the fake prompt and manually launches it.

Fraud Workflow After Infection

Once SCMBANKER is established, it checks open window titles for bank names and other financial services, then alerts the operator when a useful session appears.

That visibility lets the actor decide whether to trigger screenshots, a phishing redirect, a vishing overlay that pushes the victim to call for help, or clipboard hijacking aimed at account and card data.

JavaScript code sending victim device and location data (Source - Elastic)
JavaScript code sending victim device and location data (Source – Elastic)

In higher-value cases, the toolkit can silently install a commercial remote access tool so the attacker can work directly on the victim machine.

The campaign matters because it combines simple social engineering with real-time decision making, which can turn a single copied command into stolen payments or a full account takeover.

Elastic’s prevention guidance points to monitoring suspicious Run key changes, curl downloads piped into cmd, and DNS lookups tied to suspicious domains, alongside broader detection for script interpreters and remote access abuse.

Even though the malware is messy and full of copy-paste code, the live victim management seen in the operation shows it is already causing real harm.

Indicators of compromise (IoCs):-

TypeIndicatorDescription
IPv468.211.161[.]46 ClickFix / file host 
IPv4216.250.112[.]100 ClickFix / file host 
IPv4185.242.246[.]169 REF6045 C2 
Domainratonvaquero2026[.]online ClickFix / file host 
Domainmonteviral2026.duckdns[.]org ClickFix / file host 
Domainosogransd[.]online ClickFix / file host 
Domainnegratomasa2026[.]online REF6045 C2 
Domaingestionmontelavaria2026[.]online REF6045 C2 
Domainssinvestigaciones[.]com ClickFix post-CAPTCHA tracking endpoint 
Domainbancaporinternetbbmx[.]online BanBajio phishing page 
SHA-256b30cb0aa977aacdab94d2ef503186c8f0b2fc10d7cf0d7c7c0ada70c127dc7e8 zkt.zip exposed web-root archive 
SHA-256554f1aefeb698995501751328c2f9fe93f02a680679fba3dd15f1ed93d46bf1b validation.txt first-stage batch payload 
SHA-256ff3555154e91e42490cc722b6c7f3c4c91654b7ef53a35d0719ffb89accf1b27 run.vbs master launcher 
SHA-256526287a40aad1b218228cdd1f459ad3b93f858585048347644d597c6ab19515a cliente.ps1 C2 beacon 
SHA-256685d29ce8a550feb3a9e1d1c5926ec5e927615cf34aab62c108a812a1eb6737c jujuzkt.ps1 banking activity monitor 
SHA-2568c87ea94401fa97d3743a87604e088d1a29c7b06cf9673623941a42da68452a6 jujuzkt2.ps1 active browser redirect module 
SHA-2566dcd7fdd5e088d98d861cbd1cb74a7b83ae5508f4dbb617413bcbe7fbc8a82e2 mensaje1.ps1 vishing dispatcher 
SHA-2564d9c160ebb44507b11f0e6421f691900284f25b5530a23d9fd50de0ae01663ca mensaje.ps1 hard-lock vishing overlay 
SHA-2560315d4a7bc14654ad66d4c2b98920b92ca18cbc231b3ce5fba1fcac70b828e19 mensajeoff.ps1 soft-lock vishing overlay 
SHA-2565d17645548a44fe39d3cc816ffa3933321c1eb8b08a8f4348e3cd82f25112c81 rotor1.ps1 screenshot module invoker 
SHA-256566f4bfdfea54129b8528d50cae187a9030e2f2787749add4b0db22ac35ea581 screen2.ps1 screenshot module 
SHA-256882d582e85d5bb7abbdde791a2d52e3b1bb7dd7f79c20318ce64b74249221fdb rotor2.ps1 vishing dispatcher rotator 
SHA-256eea08fbf3720d638af1d313d3ce369708b77d7891379d5c5871dd7f36667ed0c clip.ps1 CLABE clipboard hijacker 
SHA-25670140aa236d630a7d5ed08be3dafcccea9a8b0eec6dadf8c1cf1b96d8f608609 clip2.ps1 card-number clipboard hijacker 
SHA-2566c8ba7127a83431432e85946976c18bb3f3e9bf9def68aae572cd1d9d73604c7 avs.ps1 Remote Utilities downloader 
SHA-25681a4512db985359ed361755da58a1177b07632b5aee951c68a6ace54f4d0534b instaler.ps1 Remote Utilities installer launcher 
SHA-2563d9015429d65276869ceb9c91f10d6474b1098042db75949c49b9f1682c1f3ae remoto.ps1 Remote Utilities configurator 
SHA-2565bc85b604eb37ffa1e67c57f4744b55ef876a1ab442e2a2440550ef0922aeec7 correr.ps1 arbitrary PowerShell executor 
SHA-25630ff24faad80184bb43660a8bd317df99a8d09d31bae3b446aaa876543f2620f key.ps1 Telegram-backed keylogger 
SHA-2564b7b35b921d7615b7a82a42c379560d1b0c5a74c81311a269874195ba2744f2d cursor2.exe invisible-cursor utility 
SHA-25632d981b3e7c36aa7030cfd9ee412bff742e00b36c39c80634b2681f89de4a487 hosts.msi Remote Utilities installer 
SHA-256cd7b179dd98848a02b9a1d4ebfeee26cdbb317b4ad53eb50786e18515b0cf804 ini.ps1 delayed launcher 
SHA-256345e8a90b7b762b065333cd068811d88086d157be713d89bdf200c927645f3d8 remo.ps1 IP-gated launcher 
SHA-2560ec9b518f84b6bdc0e843b89fa755522ec67db862414ad16bdcaa8c2be25485c edifhjwe.ps1 self-updater 
SHA-25626f906a2a4276b1968a8ce956a7b342aa9bc26f60d32c14668223877f569fb3f rotor.ps1 keylogger rotator 
SHA-25613bfd0f695cea1d6ae570a7ca056ffe930467be73a26f29f95209618f383bd2d 4.bat early version of run.vbs 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.



Source link