Close Menu
    What's Hot

    Wimbledon: Can Arthur Fery follow in Emma Raducanu’s footsteps and become the latest Brit to win a Grand Slam title as a rank outsider? | Tennis News

    A self-driving Waymo just reported its own passengers to police

    Democrats Grow Frustrated as Graham Platner Resists Dropping Out Quickly in Maine

    Facebook X (Twitter) Instagram
    Trending
    • Wimbledon: Can Arthur Fery follow in Emma Raducanu’s footsteps and become the latest Brit to win a Grand Slam title as a rank outsider? | Tennis News
    • A self-driving Waymo just reported its own passengers to police
    • Democrats Grow Frustrated as Graham Platner Resists Dropping Out Quickly in Maine
    • Divisions Festered Within Iran Over Talks With the U.S.
    • India’s Modi Seeks to Project Influence on Asia-Pacific Trip
    • Indonesia’s stock market hit with second downgrade warning
    • WEAT: Wheat Commodity Exposure Through A Passive Futures Strategy (NYSEARCA:WEAT)
    • SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

    adminBy adminJuly 8, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
    Share
    Facebook Twitter LinkedIn Pinterest Email

    SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

    A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures.

    The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed SCMBANKER. Some components of the malware date back to October 2025.

    “Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard,” security researchers Jia Yu Chan and Salim Bitam said. “For a full takeover, they can also deploy a commercial remote-access tool.”

    SCMBANKER is specifically designed to go after Mexico’s financial ecosystem, with evidence pointing to the use of a large language model (LLM) to develop a huge chunk of the tooling. The toolkit supports a wide range of capabilities, including banking-session monitoring, screenshot capture, vishing overlays, phishing redirects, clipboard manipulation, and Remote Utilities installation.

    Elastic’s findings stem from an operational security lapse in the REF6045 infrastructure, which made it possible to retrieve a ZIP archive containing the operation’s full web root directory from an open directory located at “68.211.161[.]46.”

    Cybersecurity

    The starting point is a fake CAPTCHA check that disguises itself as a security verification page, urging potential victims to solve a Google reCAPTCHA-like challenge to identify images containing a fire hydrant. Once the step is complete, they are presented with instructions to copy and paste a malicious command into the Windows Run dialog.

    This, in turn, triggers the execution of a batch script that’s responsible for installing the malware through a multi-stage process, starting with a bogus Windows update screen.

    “The batch script immediately launches Microsoft Edge in kiosk mode pointing to fakeupdate[.]net, a well-known pentesting/red team site that renders a fake Windows Update screen,” Elastic said. “This distraction buys time for the script to fully execute.”

    In the next stage, the script checks if it’s running as admin, and if not, launches a Windows User Account Control (UAC) prompt every 20 seconds, effectively nudging the victim towards clicking “Yes” on the consent dialog. As soon as it gains elevated privileges, it locks mouse movement. This behavior, combined with the fake Windows update screen, forces the victim to stay, giving the malware ample time to download the complete toolset in the background using the bitsadmin tool from the same directory.

    After SCMBANKER components are downloaded onto the compromised host, it sets up persistence using the Windows Startup folder and a Registry Run key, following which it programmatically sends an F11 keypress event to exit full screen and initiate a “Ctrl+W” keypress sequence to close the fake Windows update tab.

    “However, this approach only works in a standard full-screen browser window, not in kiosk mode,” Elastic said. “It then forces a reboot with the shutdown /r /t 02 command and switches. Upon restart, the previous persistence mechanism via the Registry Run key triggers execution of the VBScript file (‘run.vbs’).”

    The Visual Basic Script serves as a master launcher to run several modules in parallel –

    • edifhjwe.ps1, for toolkit self-update
    • cliente.ps1, for command-and-control (C2) beacon and implant control
    • avs.ps1, for downloading the Remote Utilities RAT installer to facilitate hands-on access to a victim’s machine
    • clip.ps1 and clip2.ps1, for CLABE account number and card number, clipboard hijack to reroute transactions
    • correr.ps1, for arbitrary PowerShell execution
    • ini.ps1, a launcher for “jujuzkt.ps1,” a banking activity monitor that checks all visible window titles every second for matches against a list of Mexican financial institutions and, if a match is found, takes screenshots and logs keystrokes
    • rotor2.ps1, a wrapper for “mensaje1.ps1,” a vishing engine that serves fake overlays with security warnings instructing victims to call certain phone numbers 
    • remo.ps1, an IP address-gated launcher for “jujuzkt2.ps1,” a browser redirector that matches window titles against a list, and if a configured URL is present, places a phishing URL on the clipboard, makes the browser, and sends a series of keypress events (Ctrl+L, Ctrl+V, and Enter) to take the victim to the phishing landing page

    One such redirect destination, “‘bancaporinternetbbmx[.]online,” contains a page-load Telegram notification script that harvests browser, device, and IP address details, and sends the information to a Telegram chat, alerting the operator that a redirected victim has reached the lure for follow-on attacks.

    Cybersecurity

    “The scripts show strong signs of AI assistance, most likely by prompting a large language model in Spanish and then applying manual obfuscation afterward,” Elastic said.

    “The code has a split personality, with clean, descriptive function names and heavy explanatory comments sitting next to hand-shortened variables and leftover generation artifacts. The placement of instruction-like comments directly above the code they describe suggests the authors have prompted an inline coding assistant such as Copilot or Cursor.”

    Taken together, the findings represent the work of a threat actor who has leaned on AI to assemble a crude toolset that’s best characterized by copy-paste batch files, shoddy craftsmanship, and operational security lapses.

    “Victims are kept as a passive feed while the operator watches a live dashboard and engages only the targets worth the effort, switching on browser redirects, vishing lockdowns, clipboard swaps, or a full RAT by IP, on demand,” the researchers concluded. “Crude as it is, SCMBANKER already has real victims. The live victim counter and the labeled, tagged machines on the operator’s own panels show that individual people are being actively targeted.”

    banking ClickFix Lures Malware Mexican SCMBANKER Target users
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleU.S.-Iran Cease-Fire Is ‘Over’ After Strikes Resume in Strait of Hormuz
    Next Article WEAT: Wheat Commodity Exposure Through A Passive Futures Strategy (NYSEARCA:WEAT)
    admin
    • Website

    Related Posts

    New Ghost Phishing Wave Is Breaking Traditional Email Security

    July 8, 2026

    AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

    July 8, 2026

    New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

    July 8, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Wimbledon: Can Arthur Fery follow in Emma Raducanu’s footsteps and become the latest Brit to win a Grand Slam title as a rank outsider? | Tennis News

    A self-driving Waymo just reported its own passengers to police

    Democrats Grow Frustrated as Graham Platner Resists Dropping Out Quickly in Maine

    Divisions Festered Within Iran Over Talks With the U.S.

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by