Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

SCMBANKER active against Mexican banks — Elastic REF6045

Elastic Security Labs is tracking SCMBANKER (REF6045), a PowerShell fraud toolkit hitting Mexican banks, fintechs, and crypto exchanges via ClickFix lures.

airgap · Published · 2 min read

Active. Confidence: high on the campaign, sourced to Elastic Security Labs. Attribution: none — cluster only.

Elastic Security Labs published details Tuesday on SCMBANKER, a PowerShell-based banking fraud toolkit operating against Mexican retail banks, business banking portals, fintechs, payment processors, cryptocurrency exchanges, investment platforms, the SAT tax portal, and telecom services. Elastic tracks it as cluster REF6045. No mapping to a known-actor group.

Timeline

  • October 2025 — earliest SCMBANKER components observed, per Elastic.
  • Through June 2026 — operations continue. Confidence: Elastic-tracked window.
  • 2026-07-08 — Elastic publishes the full write-up. Twenty-nine SHA-256 hashes, six IPs, nine domains, nine detection rules released alongside.

Chain, at Elastic’s own abstraction

  • Lure. ClickFix. A fake CAPTCHA page instructs the visitor to run a “verification” command in the Windows Run dialog. Confidence on the technique: broadly documented since 2024. SCMBANKER is one of many operators using it, not the origin.
  • First stage. A batch script pulls the PowerShell toolkit via bitsadmin. A fake Windows Update screen served from fakeupdate[.]net covers the install window.
  • Persistence. Registry Run keys and the startup folder.
  • Beacon. Victim status posted to the operator dashboard on a 30-second cadence.
  • Fraud. The operator selects per-victim: vishing overlays, browser redirects to phishing pages, clipboard account-number replacement, or full remote-access installation via the legitimate Remote Utilities RAT for hands-on-keyboard cash-out.

The operational payloads are not reproduced here. Elastic’s write-up carries the technical depth for defenders who need it.

Named impersonation

Elastic named one observed phishing destination: bancaporinternetbbmx[.]online, impersonating BanBajío. Other targeted institutions are not named in the public write-up. Confidence on that gap: this is what Elastic published, not what they know.

Elastic also notes the operator’s scripts show “strong signs of AI assistance, most likely by prompting a large language model in Spanish.” Confidence: Elastic’s assessment, no out-of-band corroboration.

What defenders can act on today

Elastic’s protections-artifacts repository carries the nine detection rules — suspicious PowerShell execution, bitsadmin transfers, registry persistence patterns, clipboard access, external-IP discovery. Twenty-nine file hashes, six IPs, and nine domains are in the Security Labs post.

If you defend a Mexican financial institution or a fintech operating in Mexico: pull the IoCs. Hunt for bitsadmin transfers to unfamiliar hosts and 30-second-cadence beacons on egress. Any Remote Utilities install on a workstation with no ticket for one is worth pulling — that’s the cash-out foothold, not a support artifact.

Sourcing

Found this useful? Share it.