A fake Google verification page is being used to infect customers of Mexican banks with a malware toolkit built for fraud, not just espionage.
The campaign relies on a familiar ClickFix trick, where a victim is pushed to copy and run a command that quietly starts the infection chain.
From there, the attackers can watch for banking activity, interfere with sessions, and steer victims toward phone-based scams and phishing pages.
The operation, tracked as REF6045, is notable because it is guided by a human operator who decides when to escalate against each victim.
The malware family, named SCMBANKER, has components that date back to at least October 2025, while Elastic telemetry first surfaced one of the active infections in June 2026.
Its focus is broad inside Mexico’s financial ecosystem, spanning retail banks, business banking portals, fintech services, payment processors, cryptocurrency exchanges, investment platforms, SAT services, and telecom providers.
Researchers at Elastic Security Labs identified the campaign and described it as a ClickFix delivery chain adapted for operator-assisted banking fraud.
Elastic said in a report shared with Cyber Security News (CSN) that the attackers use fake verification pages to plant the toolkit, then turn infected machines into a live feed for financial abuse.
The result is a campaign that may look crude on the surface but is built to cash out quickly once a target logs in to the right service.
What makes the threat stand out is how much control the operators keep after the initial compromise.
They can capture screenshots, redirect a browser to phishing pages, replace payment details copied to the clipboard, lock the screen behind fake warnings, and even deploy a remote access tool for full hands-on control.
Elastic also found signs that large language models helped write much of the code, lowering the barrier for criminals who want useful features without deep development skill.
ClickFix Campaign Uses Fake Google Verification Page
The infection starts on fake CAPTCHA or verification pages dressed up as a security check, including prompts in Spanish and fake Google security wording.
After the challenge, the page copies a command that pulls a first-stage script and pipes it into the Windows command shell.
That script opens a fake Windows Update screen, pressures the victim for administrator approval, traps the mouse, and then uses bitsadmin to download the rest of the toolkit into the public user directory.
.webp)
Elastic found several related delivery sites and file servers using the same pattern, which suggests reuse of the same kit across multiple deployments.
The exposed infrastructure also showed poor security on the attacker side, including open directories, a leaked web root archive, and an unauthenticated editor tied to live targeting files.
For defenders, that means suspicious PowerShell activity, bitsadmin downloads, odd use of Windows Run, and scripts launched from unusual directories deserve immediate attention before the fraud stage begins.
User education also matters, because the attack succeeds only when a victim trusts the fake prompt and manually launches it.
Fraud Workflow After Infection
Once SCMBANKER is established, it checks open window titles for bank names and other financial services, then alerts the operator when a useful session appears.
That visibility lets the actor decide whether to trigger screenshots, a phishing redirect, a vishing overlay that pushes the victim to call for help, or clipboard hijacking aimed at account and card data.
.webp)
In higher-value cases, the toolkit can silently install a commercial remote access tool so the attacker can work directly on the victim machine.
The campaign matters because it combines simple social engineering with real-time decision making, which can turn a single copied command into stolen payments or a full account takeover.
Elastic’s prevention guidance points to monitoring suspicious Run key changes, curl downloads piped into cmd, and DNS lookups tied to suspicious domains, alongside broader detection for script interpreters and remote access abuse.
Even though the malware is messy and full of copy-paste code, the live victim management seen in the operation shows it is already causing real harm.
Indicators of compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| IPv4 | 68.211.161[.]46 | ClickFix / file host |
| IPv4 | 216.250.112[.]100 | ClickFix / file host |
| IPv4 | 185.242.246[.]169 | REF6045 C2 |
| Domain | ratonvaquero2026[.]online | ClickFix / file host |
| Domain | monteviral2026.duckdns[.]org | ClickFix / file host |
| Domain | osogransd[.]online | ClickFix / file host |
| Domain | negratomasa2026[.]online | REF6045 C2 |
| Domain | gestionmontelavaria2026[.]online | REF6045 C2 |
| Domain | ssinvestigaciones[.]com | ClickFix post-CAPTCHA tracking endpoint |
| Domain | bancaporinternetbbmx[.]online | BanBajio phishing page |
| SHA-256 | b30cb0aa977aacdab94d2ef503186c8f0b2fc10d7cf0d7c7c0ada70c127dc7e8 | zkt.zip exposed web-root archive |
| SHA-256 | 554f1aefeb698995501751328c2f9fe93f02a680679fba3dd15f1ed93d46bf1b | validation.txt first-stage batch payload |
| SHA-256 | ff3555154e91e42490cc722b6c7f3c4c91654b7ef53a35d0719ffb89accf1b27 | run.vbs master launcher |
| SHA-256 | 526287a40aad1b218228cdd1f459ad3b93f858585048347644d597c6ab19515a | cliente.ps1 C2 beacon |
| SHA-256 | 685d29ce8a550feb3a9e1d1c5926ec5e927615cf34aab62c108a812a1eb6737c | jujuzkt.ps1 banking activity monitor |
| SHA-256 | 8c87ea94401fa97d3743a87604e088d1a29c7b06cf9673623941a42da68452a6 | jujuzkt2.ps1 active browser redirect module |
| SHA-256 | 6dcd7fdd5e088d98d861cbd1cb74a7b83ae5508f4dbb617413bcbe7fbc8a82e2 | mensaje1.ps1 vishing dispatcher |
| SHA-256 | 4d9c160ebb44507b11f0e6421f691900284f25b5530a23d9fd50de0ae01663ca | mensaje.ps1 hard-lock vishing overlay |
| SHA-256 | 0315d4a7bc14654ad66d4c2b98920b92ca18cbc231b3ce5fba1fcac70b828e19 | mensajeoff.ps1 soft-lock vishing overlay |
| SHA-256 | 5d17645548a44fe39d3cc816ffa3933321c1eb8b08a8f4348e3cd82f25112c81 | rotor1.ps1 screenshot module invoker |
| SHA-256 | 566f4bfdfea54129b8528d50cae187a9030e2f2787749add4b0db22ac35ea581 | screen2.ps1 screenshot module |
| SHA-256 | 882d582e85d5bb7abbdde791a2d52e3b1bb7dd7f79c20318ce64b74249221fdb | rotor2.ps1 vishing dispatcher rotator |
| SHA-256 | eea08fbf3720d638af1d313d3ce369708b77d7891379d5c5871dd7f36667ed0c | clip.ps1 CLABE clipboard hijacker |
| SHA-256 | 70140aa236d630a7d5ed08be3dafcccea9a8b0eec6dadf8c1cf1b96d8f608609 | clip2.ps1 card-number clipboard hijacker |
| SHA-256 | 6c8ba7127a83431432e85946976c18bb3f3e9bf9def68aae572cd1d9d73604c7 | avs.ps1 Remote Utilities downloader |
| SHA-256 | 81a4512db985359ed361755da58a1177b07632b5aee951c68a6ace54f4d0534b | instaler.ps1 Remote Utilities installer launcher |
| SHA-256 | 3d9015429d65276869ceb9c91f10d6474b1098042db75949c49b9f1682c1f3ae | remoto.ps1 Remote Utilities configurator |
| SHA-256 | 5bc85b604eb37ffa1e67c57f4744b55ef876a1ab442e2a2440550ef0922aeec7 | correr.ps1 arbitrary PowerShell executor |
| SHA-256 | 30ff24faad80184bb43660a8bd317df99a8d09d31bae3b446aaa876543f2620f | key.ps1 Telegram-backed keylogger |
| SHA-256 | 4b7b35b921d7615b7a82a42c379560d1b0c5a74c81311a269874195ba2744f2d | cursor2.exe invisible-cursor utility |
| SHA-256 | 32d981b3e7c36aa7030cfd9ee412bff742e00b36c39c80634b2681f89de4a487 | hosts.msi Remote Utilities installer |
| SHA-256 | cd7b179dd98848a02b9a1d4ebfeee26cdbb317b4ad53eb50786e18515b0cf804 | ini.ps1 delayed launcher |
| SHA-256 | 345e8a90b7b762b065333cd068811d88086d157be713d89bdf200c927645f3d8 | remo.ps1 IP-gated launcher |
| SHA-256 | 0ec9b518f84b6bdc0e843b89fa755522ec67db862414ad16bdcaa8c2be25485c | edifhjwe.ps1 self-updater |
| SHA-256 | 26f906a2a4276b1968a8ce956a7b342aa9bc26f60d32c14668223877f569fb3f | rotor.ps1 keylogger rotator |
| SHA-256 | 13bfd0f695cea1d6ae570a7ca056ffe930467be73a26f29f95209618f383bd2d | 4.bat early version of run.vbs |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

