Overview
Elastic Security Labs has identified a new banking fraud operation targeting customers of Mexican financial institutions. The campaign — tracked under the cluster designation REF6045 — deploys a malware strain dubbed SCMBANKER using ClickFix social engineering lures to trick victims into executing malicious payloads on their own machines.
The threat activity targets a broad swath of Mexico's financial ecosystem, including traditional banks, fintech apps, payment processors, and cryptocurrency exchanges.
The ClickFix Technique
ClickFix is an increasingly popular social engineering method where attackers present victims with a fake CAPTCHA verification page or browser error prompt. The page instructs the user to copy and paste a command into their terminal or Run dialog — often framed as necessary to "fix" a browser problem or prove they're human.
In the REF6045 campaign, victims encounter ClickFix lures that deliver the SCMBANKER malware payload when executed. This approach is particularly effective because:
- It bypasses browser-based malware download warnings
- It relies on the user voluntarily running the malicious code
- The social engineering pretext (CAPTCHA, browser fix) appears plausible to non-technical users
- Traditional email filtering and web proxies are often ineffective against clipboard-based delivery
SCMBANKER Capabilities
SCMBANKER is a banking-focused credential stealer designed to target Mexican financial services. Based on Elastic's analysis, key capabilities include:
- Credential harvesting: Captures login credentials for targeted banking and fintech platforms
- Form grabbing: Intercepts credentials entered into browser-based banking portals
- Persistence mechanisms: Establishes foothold on infected systems for ongoing access
- Targeting of crypto exchanges: Beyond traditional banking, the malware specifically targets cryptocurrency platforms popular in Mexico
Targeted Organizations
The campaign focuses on customers of:
- Major Mexican commercial banks
- Fintech and digital banking applications
- Payment processing platforms
- Cryptocurrency exchanges operating in the Mexican market
This targeted approach — rather than generic credential stealing — suggests REF6045 has conducted reconnaissance on the Mexican financial sector and tailored SCMBANKER's targeting logic accordingly.
Why ClickFix Campaigns Are Surging
ClickFix has become one of the dominant initial access techniques of 2026. Several factors drive its proliferation:
- High success rate: Users comply because the instructions appear authoritative and the fix seems urgent
- Low technical barrier: Attackers don't need to exploit browser vulnerabilities — they exploit human psychology
- Difficult to detect: Clipboard-based execution chains evade many endpoint controls until the payload runs
- Adaptable: The technique works across Windows, macOS, and Linux with minimal modification
Multiple threat actor groups have adopted ClickFix, ranging from nation-state APTs to cybercriminal organizations — making it one of the most versatile social engineering techniques in active use.
Recommendations
For individuals and organizations in Mexico's financial sector:
- Educate users about ClickFix: Staff and customers should understand that legitimate websites never ask users to paste commands into their terminal or Run dialog.
- Deploy endpoint detection: Modern EDR solutions can detect the execution patterns associated with ClickFix-delivered malware.
- Enable MFA on financial accounts: Multi-factor authentication limits the damage from stolen credentials.
- Monitor for unusual login activity: Alert on logins from new devices, unusual geographic locations, or off-hours access.
- Browser isolation: Consider browser isolation technology for users who regularly access sensitive financial portals.