ClickFix Campaign Uses Fake Google Verification Page to Infect Mexican Bank Customers

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A fake Google verification page is being used to infect customers of Mexican banks with a malware toolkit built for fraud, not just espionage.

The campaign relies on a familiar ClickFix trick, where a victim is pushed to copy and run a command that quietly starts the infection chain.

From there, the attackers can watch for banking activity, interfere with sessions, and steer victims toward phone-based scams and phishing pages.

The operation, tracked as REF6045, is notable because it is guided by a human operator who decides when to escalate against each victim.

The malware family, named SCMBANKER, has components that date back to at least October 2025, while Elastic telemetry first surfaced one of the active infections in June 2026.

Its focus is broad inside Mexico’s financial ecosystem, spanning retail banks, business banking portals, fintech services, payment processors, cryptocurrency exchanges, investment platforms, SAT services, and telecom providers.

Researchers at Elastic Security Labs identified the campaign and described it as a ClickFix delivery chain adapted for operator-assisted banking fraud. 

Elastic said in a report shared with Cyber Security News (CSN) that the attackers use fake verification pages to plant the toolkit, then turn infected machines into a live feed for financial abuse.

The result is a campaign that may look crude on the surface but is built to cash out quickly once a target logs in to the right service.

REF6045 SCMBANKER execution chain from ClickFix lure (Source – Elastic)

What makes the threat stand out is how much control the operators keep after the initial compromise.

They can capture screenshots, redirect a browser to phishing pages, replace payment details copied to the clipboard, lock the screen behind fake warnings, and even deploy a remote access tool for full hands-on control.

Elastic also found signs that large language models helped write much of the code, lowering the barrier for criminals who want useful features without deep development skill.

ClickFix Campaign Uses Fake Google Verification Page

The infection starts on fake CAPTCHA or verification pages dressed up as a security check, including prompts in Spanish and fake Google security wording.

After the challenge, the page copies a command that pulls a first-stage script and pipes it into the Windows command shell.

That script opens a fake Windows Update screen, pressures the victim for administrator approval, traps the mouse, and then uses bitsadmin to download the rest of the toolkit into the public user directory.

Fake Windows Update screen (Source – Elastic)

Elastic found several related delivery sites and file servers using the same pattern, which suggests reuse of the same kit across multiple deployments.

The exposed infrastructure also showed poor security on the attacker side, including open directories, a leaked web root archive, and an unauthenticated editor tied to live targeting files.

For defenders, that means suspicious PowerShell activity, bitsadmin downloads, odd use of Windows Run, and scripts launched from unusual directories deserve immediate attention before the fraud stage begins.

User education also matters, because the attack succeeds only when a victim trusts the fake prompt and manually launches it.

Fraud Workflow After Infection

Once SCMBANKER is established, it checks open window titles for bank names and other financial services, then alerts the operator when a useful session appears.

That visibility lets the actor decide whether to trigger screenshots, a phishing redirect, a vishing overlay that pushes the victim to call for help, or clipboard hijacking aimed at account and card data.

JavaScript code sending victim device and location data (Source – Elastic)

In higher-value cases, the toolkit can silently install a commercial remote access tool so the attacker can work directly on the victim machine.

The campaign matters because it combines simple social engineering with real-time decision making, which can turn a single copied command into stolen payments or a full account takeover.

Elastic’s prevention guidance points to monitoring suspicious Run key changes, curl downloads piped into cmd, and DNS lookups tied to suspicious domains, alongside broader detection for script interpreters and remote access abuse.

Even though the malware is messy and full of copy-paste code, the live victim management seen in the operation shows it is already causing real harm.

Indicators of compromise (IoCs):-

Type Indicator Description
IPv4 68.211.161[.]46  ClickFix / file host 
IPv4 216.250.112[.]100  ClickFix / file host 
IPv4 185.242.246[.]169  REF6045 C2 
Domain ratonvaquero2026[.]online  ClickFix / file host 
Domain monteviral2026.duckdns[.]org  ClickFix / file host 
Domain osogransd[.]online  ClickFix / file host 
Domain negratomasa2026[.]online  REF6045 C2 
Domain gestionmontelavaria2026[.]online  REF6045 C2 
Domain ssinvestigaciones[.]com  ClickFix post-CAPTCHA tracking endpoint 
Domain bancaporinternetbbmx[.]online  BanBajio phishing page 
SHA-256 b30cb0aa977aacdab94d2ef503186c8f0b2fc10d7cf0d7c7c0ada70c127dc7e8  zkt.zip exposed web-root archive 
SHA-256 554f1aefeb698995501751328c2f9fe93f02a680679fba3dd15f1ed93d46bf1b  validation.txt first-stage batch payload 
SHA-256 ff3555154e91e42490cc722b6c7f3c4c91654b7ef53a35d0719ffb89accf1b27  run.vbs master launcher 
SHA-256 526287a40aad1b218228cdd1f459ad3b93f858585048347644d597c6ab19515a  cliente.ps1 C2 beacon 
SHA-256 685d29ce8a550feb3a9e1d1c5926ec5e927615cf34aab62c108a812a1eb6737c  jujuzkt.ps1 banking activity monitor 
SHA-256 8c87ea94401fa97d3743a87604e088d1a29c7b06cf9673623941a42da68452a6  jujuzkt2.ps1 active browser redirect module 
SHA-256 6dcd7fdd5e088d98d861cbd1cb74a7b83ae5508f4dbb617413bcbe7fbc8a82e2  mensaje1.ps1 vishing dispatcher 
SHA-256 4d9c160ebb44507b11f0e6421f691900284f25b5530a23d9fd50de0ae01663ca  mensaje.ps1 hard-lock vishing overlay 
SHA-256 0315d4a7bc14654ad66d4c2b98920b92ca18cbc231b3ce5fba1fcac70b828e19  mensajeoff.ps1 soft-lock vishing overlay 
SHA-256 5d17645548a44fe39d3cc816ffa3933321c1eb8b08a8f4348e3cd82f25112c81  rotor1.ps1 screenshot module invoker 
SHA-256 566f4bfdfea54129b8528d50cae187a9030e2f2787749add4b0db22ac35ea581  screen2.ps1 screenshot module 
SHA-256 882d582e85d5bb7abbdde791a2d52e3b1bb7dd7f79c20318ce64b74249221fdb  rotor2.ps1 vishing dispatcher rotator 
SHA-256 eea08fbf3720d638af1d313d3ce369708b77d7891379d5c5871dd7f36667ed0c  clip.ps1 CLABE clipboard hijacker 
SHA-256 70140aa236d630a7d5ed08be3dafcccea9a8b0eec6dadf8c1cf1b96d8f608609  clip2.ps1 card-number clipboard hijacker 
SHA-256 6c8ba7127a83431432e85946976c18bb3f3e9bf9def68aae572cd1d9d73604c7  avs.ps1 Remote Utilities downloader 
SHA-256 81a4512db985359ed361755da58a1177b07632b5aee951c68a6ace54f4d0534b  instaler.ps1 Remote Utilities installer launcher 
SHA-256 3d9015429d65276869ceb9c91f10d6474b1098042db75949c49b9f1682c1f3ae  remoto.ps1 Remote Utilities configurator 
SHA-256 5bc85b604eb37ffa1e67c57f4744b55ef876a1ab442e2a2440550ef0922aeec7  correr.ps1 arbitrary PowerShell executor 
SHA-256 30ff24faad80184bb43660a8bd317df99a8d09d31bae3b446aaa876543f2620f  key.ps1 Telegram-backed keylogger 
SHA-256 4b7b35b921d7615b7a82a42c379560d1b0c5a74c81311a269874195ba2744f2d  cursor2.exe invisible-cursor utility 
SHA-256 32d981b3e7c36aa7030cfd9ee412bff742e00b36c39c80634b2681f89de4a487  hosts.msi Remote Utilities installer 
SHA-256 cd7b179dd98848a02b9a1d4ebfeee26cdbb317b4ad53eb50786e18515b0cf804  ini.ps1 delayed launcher 
SHA-256 345e8a90b7b762b065333cd068811d88086d157be713d89bdf200c927645f3d8  remo.ps1 IP-gated launcher 
SHA-256 0ec9b518f84b6bdc0e843b89fa755522ec67db862414ad16bdcaa8c2be25485c  edifhjwe.ps1 self-updater 
SHA-256 26f906a2a4276b1968a8ce956a7b342aa9bc26f60d32c14668223877f569fb3f  rotor.ps1 keylogger rotator 
SHA-256 13bfd0f695cea1d6ae570a7ca056ffe930467be73a26f29f95209618f383bd2d  4.bat early version of run.vbs 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.