Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1810+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
NEWS

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

A new banking fraud campaign tracked as REF6045 is deploying SCMBANKER malware through fake CAPTCHA ClickFix lures to steal credentials from customers of Mexican banks, fintech platforms, payment processors, and cryptocurrency exchanges.

Dylan H.

News Desk

July 8, 2026
3 min read

Overview

Elastic Security Labs has identified a new banking fraud operation targeting customers of Mexican financial institutions. The campaign — tracked under the cluster designation REF6045 — deploys a malware strain dubbed SCMBANKER using ClickFix social engineering lures to trick victims into executing malicious payloads on their own machines.

The threat activity targets a broad swath of Mexico's financial ecosystem, including traditional banks, fintech apps, payment processors, and cryptocurrency exchanges.

The ClickFix Technique

ClickFix is an increasingly popular social engineering method where attackers present victims with a fake CAPTCHA verification page or browser error prompt. The page instructs the user to copy and paste a command into their terminal or Run dialog — often framed as necessary to "fix" a browser problem or prove they're human.

In the REF6045 campaign, victims encounter ClickFix lures that deliver the SCMBANKER malware payload when executed. This approach is particularly effective because:

  • It bypasses browser-based malware download warnings
  • It relies on the user voluntarily running the malicious code
  • The social engineering pretext (CAPTCHA, browser fix) appears plausible to non-technical users
  • Traditional email filtering and web proxies are often ineffective against clipboard-based delivery

SCMBANKER Capabilities

SCMBANKER is a banking-focused credential stealer designed to target Mexican financial services. Based on Elastic's analysis, key capabilities include:

  • Credential harvesting: Captures login credentials for targeted banking and fintech platforms
  • Form grabbing: Intercepts credentials entered into browser-based banking portals
  • Persistence mechanisms: Establishes foothold on infected systems for ongoing access
  • Targeting of crypto exchanges: Beyond traditional banking, the malware specifically targets cryptocurrency platforms popular in Mexico

Targeted Organizations

The campaign focuses on customers of:

  • Major Mexican commercial banks
  • Fintech and digital banking applications
  • Payment processing platforms
  • Cryptocurrency exchanges operating in the Mexican market

This targeted approach — rather than generic credential stealing — suggests REF6045 has conducted reconnaissance on the Mexican financial sector and tailored SCMBANKER's targeting logic accordingly.

Why ClickFix Campaigns Are Surging

ClickFix has become one of the dominant initial access techniques of 2026. Several factors drive its proliferation:

  1. High success rate: Users comply because the instructions appear authoritative and the fix seems urgent
  2. Low technical barrier: Attackers don't need to exploit browser vulnerabilities — they exploit human psychology
  3. Difficult to detect: Clipboard-based execution chains evade many endpoint controls until the payload runs
  4. Adaptable: The technique works across Windows, macOS, and Linux with minimal modification

Multiple threat actor groups have adopted ClickFix, ranging from nation-state APTs to cybercriminal organizations — making it one of the most versatile social engineering techniques in active use.

Recommendations

For individuals and organizations in Mexico's financial sector:

  1. Educate users about ClickFix: Staff and customers should understand that legitimate websites never ask users to paste commands into their terminal or Run dialog.
  2. Deploy endpoint detection: Modern EDR solutions can detect the execution patterns associated with ClickFix-delivered malware.
  3. Enable MFA on financial accounts: Multi-factor authentication limits the damage from stolen credentials.
  4. Monitor for unusual login activity: Alert on logins from new devices, unusual geographic locations, or off-hours access.
  5. Browser isolation: Consider browser isolation technology for users who regularly access sensitive financial portals.

References

  • The Hacker News — SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
  • Elastic Security Labs — REF6045 Research
#Malware#APT#The Hacker News#ClickFix#Banking Trojan#Mexico#Financial Security

Related Articles

China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

Cisco Talos researchers have identified new LONGLEASH malware deployed by Chinese APT group UAT-7810 to expand its Operational Relay Box network, targeting internet-facing networking devices to build stealthy proxy infrastructure.

4 min read

Gamaredon Expands Ukraine Attacks with New Malware and Cloud Abuse

Russian FSB-linked APT group Gamaredon has mounted 35 distinct spear-phishing campaigns against Ukrainian targets in 2025, deploying an expanded malware...

5 min read

FIRESTARTER Backdoor Hit Federal Cisco Firepower Device

CISA and the UK's NCSC have revealed that a US federal civilian agency's Cisco Firepower device running ASA software was compromised in September 2025...

7 min read
Back to all News