Introduction
A sophisticated financial fraud operation is currently targeting the Mexican banking sector, specifically customers of major banks, fintechs, payment processors, and cryptocurrency exchanges. Tracked by Elastic Security Labs as REF6045, this campaign marks a dangerous evolution in social engineering: the weaponization of "ClickFix" techniques.
Unlike traditional phishing relying on malicious attachments, this campaign deceives users into believing they are solving a CAPTCHA verification challenge. In reality, they are tricked into copying and executing a malicious PowerShell command that installs the SCMBANKER toolkit. For defenders, the urgency is high: this attack bypasses perimeter email filters by relying on user interaction and trust in standard web interfaces. If your organization operates in the financial sector or services Latin American markets, you need to hunt for this activity immediately.
Technical Analysis
Threat Overview
- Threat Actor/Cluster: REF6045 (Attributed to a banking fraud operation)
- Malware/Toolset: SCMBANKER (PowerShell Toolkit)
- Target Geography: Mexico
- Target Vertical: Banking, Fintech, Payment Processors, Cryptocurrency
The Attack Chain: ClickFix Mechanics
The REF6045 campaign utilizes a "ClickFix" lure. The attack flow typically follows this sequence:
- Initial Access: The victim visits a compromised or malicious website hosting the lure. This is often facilitated through SEO poisoning or malvertising.
- The Lure: A fake browser pop-up or overlay appears, mimicking a legitimate CAPTCHA verification (e.g., "Verify you are not a robot").
- Social Engineering: The interface instructs the user to "Press Windows + R" or open a terminal and paste a provided command to "verify" their browser or connection.
- Execution: The user executes the provided command, which is a PowerShell one-liner.
- Payload Deployment: The PowerShell command reaches out to a remote server to download and execute the SCMBANKER toolkit.
- Objective: The toolkit facilitates banking fraud, likely via credential theft, session hijacking, or bypassing multi-factor authentication (MFA) mechanisms specific to banking portals.
Affected Components
- Platform: Windows (PowerShell)
- Vector: Social Engineering (Manual Execution)
- Exploitation Status: Active in-the-wild exploitation confirmed.
Detection & Response
SIGMA Rules
The following Sigma rules are designed to detect the behavioral indicators of a ClickFix attack and the subsequent execution of the SCMBANKER PowerShell toolkit. Focus heavily on PowerShell executions spawned by user-initiated processes (like explorer.exe or cmd.exe) with specific obfuscation flags.
---
title: Potential ClickFix Activity - PowerShell via Cmd/Explorer
id: 8f4a2c1d-6e5f-4a9b-8c3d-2e1f4a5b6c7d
status: experimental
description: Detects suspicious PowerShell execution spawned by cmd.exe or explorer.exe, characteristic of ClickFix "copy-paste" lures. References REF6045.
references:
- https://securityarsenal.com/intel/incident-response
author: Security Arsenal
date: 2026/07/08
tags:
- attack.execution
- attack.t1059.001
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\explorer.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-enc' # Encoded commands are common in ClickFix lures
- '-w hidden' # Attempts to hide the window
- 'iex' # Invoke-Expression
condition: selection
falsepositives:
- Legitimate administrative scripts run via cmd
- Developer terminal usage
level: high
---
title: SCMBANKER Indicator - Suspicious PowerShell Clipboard Invocations
id: 9b5d3e2f-7f6a-5b0c-9d4e-3f2a5b6c7d8e
status: experimental
description: Detects PowerShell scripts attempting to access the clipboard, a technique sometimes used in multi-stage lures to verify execution or fetch further payloads.
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/07/08
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'Get-Clipboard'
- 'cb'
condition: selection
falsepositives:
- Legitimate scripts utilizing clipboard data
level: medium
KQL (Microsoft Sentinel / Defender)
Use this KQL query to hunt for instances where users might have been tricked into running the ClickFix payload. This looks for the specific combination of a shell spawning PowerShell with obfuscation flags typical of the SCMBANKER lure.
// Hunt for ClickFix / SCMBANKER related PowerShell activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-w hidden", "-nop", "-noni")
| where InitiatingProcessFileName in~ ("cmd.exe", "explorer.exe", "browser_broker.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
Velociraptor VQL
This Velociraptor hunt artifact scans for active PowerShell processes that exhibit the "ClickFix" profile (hidden windows, encoded commands) and checks for recent PowerShell script execution logs that might indicate the manual execution of the SCMBANKER payload.
-- Hunt for SCMBANKER ClickFix Process Artifacts
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "powershell"
AND (CommandLine =~ "-w hidden" OR CommandLine =~ "-enc" OR CommandLine =~ "iex")
Remediation Script (PowerShell)
This script aids in the identification and containment of potential SCMBANKER infections. It kills suspicious PowerShell processes matching the ClickFix profile and checks for common persistence mechanisms used by banking trojans.
# SCMBANKER / ClickFix Response Script
# Run as Administrator
Write-Host "[+] Initiating SCMBANKER (REF6045) containment checks..." -ForegroundColor Cyan
# 1. Identify and Suspend Suspicious PowerShell Processes
$suspiciousProcesses = Get-Process | Where-Object {
$_.ProcessName -match "powershell" -and
$_.MainWindowHandle -eq 0 -and # No main window (hidden)
$_.StartTime -gt (Get-Date).AddHours(24) # Started recently
}
if ($suspiciousProcesses) {
Write-Host "[!] Found " $suspiciousProcesses.Count " suspicious hidden PowerShell processes." -ForegroundColor Red
foreach ($proc in $suspiciousProcesses) {
try {
Write-Host "[+] Terminating PID:" $proc.Id "CommandLine:" (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
Stop-Process -Id $proc.Id -Force
} catch {
Write-Host "[-] Failed to terminate process " $proc.Id -ForegroundColor Yellow
}
}
} else {
Write-Host "[+] No suspicious hidden PowerShell processes detected." -ForegroundColor Green
}
# 2. Check for persistence in Startup folders (Common for banking malware)
$startupPaths = @(
"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
"$env:PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
Write-Host "[+] Scanning Startup folders for suspicious scripts..."
foreach ($path in $startupPaths) {
if (Test-Path $path) {
Get-ChildItem -Path $path -Filter *.ps* | ForEach-Object {
Write-Host "[!] Found PowerShell script in Startup:" $_.FullName -ForegroundColor Yellow
}
}
}
Write-Host "[+] Remediation script completed." -ForegroundColor Cyan
Remediation
-
User Education & Awareness: This is the primary control. Immediately alert your user base—especially finance teams—about the ClickFix technique. Emphasize that legitimate "CAPTCHA" tests never require opening a terminal or running commands.
-
Application Control (ASR Rules):
- Enable the Attack Surface Reduction (ASR) rule: "Block all Office applications from creating child processes." (While this is Office-specific, reducing macro/script vectors is vital).
- Strictly constrain PowerShell usage for standard business users via AppLocker or WDAC. Only signed scripts or specific constrained language modes should be permitted.
-
Network Controls: Block access to known C2 infrastructure associated with REF6045 (consult your threat intelligence feed provider). If specific IOCs for SCMBANKER emerge, update your firewall and web proxy blocklists immediately.
-
Endpoint Isolation: If a host is confirmed to be infected via SCMBANKER, isolate it from the network immediately to prevent the exfiltration of banking credentials or session tokens.
-
Investigate Lateral Movement: SCMBANKER is a toolkit. Upon detecting an infection, assume the attacker may have moved laterally. Audit Active Directory logs for unusual service additions or changes to financial user permissions.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.