What happened
Researchers at Elastic Security Labs have uncovered a banking malware campaign, tracked as REF6045, that is actively targeting customers of Mexican banks, fintech companies, payment processors, and cryptocurrency exchanges. The operation uses ClickFix social engineering techniques to trick victims into infecting their own devices.
According to researchers Jia Yu Chan and Salim Bitam, victims are presented with a fake CAPTCHA page that mimics a legitimate security check. After completing the challenge, they are instructed to copy and paste a malicious command into the Windows Run dialog, launching a multi-stage infection process.
The attack installs a PowerShell-based toolkit called SCMBANKER. To distract users while the malware downloads additional components, attackers display a fake Windows Update screen. Once installed, the malware establishes persistence, monitors banking sessions, captures screenshots, logs keystrokes, manipulates clipboard contents, redirects browsers to phishing sites, and can deploy commercial remote access software for complete control of an infected device.
Elastic also found evidence suggesting the attackers used a large language model (LLM) to help develop portions of the malware, although the researchers noted the code quality remains inconsistent and contains signs of AI-generated artifacts.
Who is affected
The campaign is primarily aimed at individuals and organizations that use financial services within Mexico, including customers of banks, fintech providers, payment processors, and cryptocurrency exchanges.
While the malware is geographically focused, the techniques used—including ClickFix lures, fake CAPTCHA pages, and PowerShell-based malware delivery—are increasingly common and can be adapted to target organizations in other regions. Security teams should expect similar tactics to appear in future financially motivated campaigns.
Why CISOs should care
This campaign demonstrates how attackers continue to combine convincing social engineering with legitimate Windows tools to bypass traditional defenses. Instead of exploiting software vulnerabilities, the attackers rely on users to execute malicious commands themselves.
The operation also highlights how threat actors are incorporating AI-assisted development to accelerate malware creation. Although SCMBANKER itself is relatively unsophisticated, its ability to monitor banking activity, hijack transactions, and enable hands-on attacks makes it a significant financial threat.
Organizations should also recognize that fake CAPTCHA and ClickFix attacks are becoming a popular initial access technique across multiple threat groups, making user awareness and endpoint visibility increasingly important.
3 practical actions
- Train employees to recognize fake CAPTCHA pages and never copy or execute commands provided by websites.
- Monitor and restrict PowerShell, Windows Run dialog usage, and other native administrative tools that attackers commonly abuse.
- Deploy endpoint detection and response (EDR) capabilities that can identify unusual PowerShell activity, persistence mechanisms, clipboard manipulation, and unauthorized remote access tools.

