SCMBANKER active against Mexican banks — Elastic REF6045
Elastic Security Labs is tracking SCMBANKER (REF6045), a PowerShell fraud toolkit hitting Mexican banks, fintechs, and crypto exchanges via ClickFix lures.
Active. Confidence: high on the campaign, sourced to Elastic Security Labs. Attribution: none — cluster only.
Elastic Security Labs published details Tuesday on SCMBANKER, a PowerShell-based banking fraud toolkit operating against Mexican retail banks, business banking portals, fintechs, payment processors, cryptocurrency exchanges, investment platforms, the SAT tax portal, and telecom services. Elastic tracks it as cluster REF6045. No mapping to a known-actor group.
Timeline
- October 2025 — earliest SCMBANKER components observed, per Elastic.
- Through June 2026 — operations continue. Confidence: Elastic-tracked window.
- 2026-07-08 — Elastic publishes the full write-up. Twenty-nine SHA-256 hashes, six IPs, nine domains, nine detection rules released alongside.
Chain, at Elastic’s own abstraction
- Lure. ClickFix. A fake CAPTCHA page instructs the visitor to run a “verification” command in the Windows Run dialog. Confidence on the technique: broadly documented since 2024. SCMBANKER is one of many operators using it, not the origin.
- First stage. A batch script pulls the PowerShell toolkit via
bitsadmin. A fake Windows Update screen served fromfakeupdate[.]netcovers the install window. - Persistence. Registry Run keys and the startup folder.
- Beacon. Victim status posted to the operator dashboard on a 30-second cadence.
- Fraud. The operator selects per-victim: vishing overlays, browser redirects to phishing pages, clipboard account-number replacement, or full remote-access installation via the legitimate Remote Utilities RAT for hands-on-keyboard cash-out.
The operational payloads are not reproduced here. Elastic’s write-up carries the technical depth for defenders who need it.
Named impersonation
Elastic named one observed phishing destination: bancaporinternetbbmx[.]online, impersonating BanBajío. Other targeted institutions are not named in the public write-up. Confidence on that gap: this is what Elastic published, not what they know.
Elastic also notes the operator’s scripts show “strong signs of AI assistance, most likely by prompting a large language model in Spanish.” Confidence: Elastic’s assessment, no out-of-band corroboration.
What defenders can act on today
Elastic’s protections-artifacts repository carries the nine detection rules — suspicious PowerShell execution, bitsadmin transfers, registry persistence patterns, clipboard access, external-IP discovery. Twenty-nine file hashes, six IPs, and nine domains are in the Security Labs post.
If you defend a Mexican financial institution or a fintech operating in Mexico: pull the IoCs. Hunt for bitsadmin transfers to unfamiliar hosts and 30-second-cadence beacons on egress. Any Remote Utilities install on a workstation with no ticket for one is worth pulling — that’s the cash-out foothold, not a support artifact.
Sourcing
- Elastic Security Labs, Mexican banking fraud: SCMBANKER (REF6045), 2026-07-08.
- Ravie Lakshmanan, SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users, The Hacker News, 2026-07-08.
Found this useful? Share it.

