Elastic Security Labs has documented REF6045, an active campaign deploying SCMBANKER — a PowerShell banking fraud toolkit targeting customers of Mexican banks, fintech firms, payment processors, and cryptocurrency exchanges — through fake Spanish-language CAPTCHA pages that trick victims into pasting a malicious command into their own Windows Run dialog. Source code analysis of SCMBANKER revealed code generation patterns consistent with heavy reliance on artificial intelligence, making REF6045 a documented case of a financially motivated threat actor using AI to accelerate banking malware development for a Spanish-language target market.
How SCMBANKER Gives Operators Live Control Over Mexican Banking Sessions
SCMBANKER is not an automated banking trojan in the conventional sense. Rather than executing predefined fraud steps autonomously, the toolkit equips a human operator with real-time visibility and control over each victim session. When an operator observes a victim opening a banking portal through the compromised system, the operator can trigger a series of actions from a central control panel.
The capabilities available to the operator include locking the victim’s screen behind a fake bank security warning, redirecting the victim’s browser to an attacker-controlled page, and intercepting live phone interactions. The most direct fraud mechanism is clipboard manipulation: SCMBANKER polls the system clipboard every 300 milliseconds to detect when a victim has copied a CLABE bank account number or card number for a transfer. When it detects a copied value, it replaces the clipboard contents with an attacker-controlled account number, ensuring that the transfer the victim pastes into the payment form goes to the attacker’s account rather than the intended recipient.
The Fake Spanish-Language CAPTCHA Delivery Chain That Brings SCMBANKER to Victims
REF6045 delivers SCMBANKER through ClickFix — a delivery technique that presents the victim with a fake CAPTCHA challenge in their native language and instructs them to paste a command into the Windows Run dialog to “verify” their humanity. In REF6045’s implementation, the fake CAPTCHA pages appear in Spanish, matching the target market of Mexican banking customers.
The ClickFix delivery mechanism sidesteps standard email security scanning and endpoint antivirus detection by making the victim perform the initial execution themselves. The victim copies the malicious PowerShell command from the fake CAPTCHA page and pastes it into the Windows Run dialog — the initial execution originates from a legitimate Windows process following user input, not from a suspicious attachment or downloaded executable. Because no file is written to disk at the delivery stage, signature-based detection has limited visibility into the installation chain.
What SCMBANKER’s 300-Millisecond Clipboard Polling Does to Live CLABE Transfers
The 300-millisecond clipboard polling interval is fast enough to intercept a copied CLABE number before the victim pastes it into a payment form. The CLABE standard — an 18-digit Mexican bank account identifier used for wire transfers — is a predictable format that SCMBANKER can identify reliably when it appears in the clipboard. The replacement is silent: the victim sees nothing change on screen when the clipboard content is swapped. They paste into the transfer form and see the account number field populate normally, unaware that the number they pasted is the attacker’s account, not their intended recipient’s.
What SCMBANKER’s Source Code Reveals About AI-Assisted Malware Development in REF6045
Elastic’s analysis of SCMBANKER’s source code found code generation patterns with “heavy reliance on artificial intelligence” — consistent with LLM-generated code that was prompted in Spanish. The toolkit’s implementation reflects a workflow where the author described the desired capability in Spanish to an AI system and incorporated the generated code, rather than writing the malware in a traditional development environment. Specific code hallmarks identified by Elastic’s researchers point to LLM generation rather than human-authored code style.
Confirmed Active Victims and REF6045’s Operational Status at Time of Disclosure
Elastic’s disclosure is not based on analysis of a dormant or theoretical toolkit. The researchers’ access to exposed operator panels revealed labeled and tagged victim machines with active session tracking, confirming that SCMBANKER is deployed in an ongoing campaign with real victims rather than serving as a proof-of-concept demonstration. The live victim counter visible in the operator panels indicates active campaign operations at the time of REF6045’s public disclosure.
What the Confirmed Victim Evidence Tells Security Teams About REF6045 Scope
The presence of confirmed victims in operator panels at disclosure time means REF6045 represents an active threat to any organization with employees or customers operating in the Mexican banking ecosystem — including multinational companies with Mexican operations, fintech platforms serving Mexican payment rails, and cryptocurrency exchanges with Mexican user bases. The operator-guided model also means the campaign can adapt in real time to the specific banking platform each victim uses, without requiring the attacker to pre-build integrations for every targeted institution.
