ClickFix Campaign Uses Fake Google Verification Page to Target Mexican Bank Customers


Elastic Security Labs has detailed a Mexican banking fraud campaign that uses fake verification pages to infect Windows users with a PowerShell toolkit called SCMBANKER.

The operation, tracked as REF6045, uses a ClickFix-style lure that tricks victims into copying and running a command from the Windows Run dialog. Once the command executes, the malware installs a toolkit that lets operators monitor banking activity, push phishing pages, manipulate the clipboard, deploy remote access software, and guide victims into phone-based fraud.

The Elastic Security Labs report says the campaign targets customers of Mexican banks, fintech services, payment processors, cryptocurrency exchanges, investment platforms, SAT services, and telecom providers.

REF6045 turns ClickFix into banking fraud

ClickFix attacks depend on social engineering rather than a software exploit. The victim sees a fake verification or CAPTCHA page, follows keyboard instructions, and manually runs a command that starts the infection chain.

In this campaign, the page uses Spanish-language verification wording and includes a fake Google security message. Elastic said the command uses decoy text such as “Google Verificación Segura” and fetches a first-stage payload that looks like a text file but works as a Windows batch script.

The technique matters because it pushes the victim outside normal browser protections. A browser may never download an obvious executable because the user pastes a command into Windows instead.

ItemDetails
Campaign nameREF6045
Malware toolkitSCMBANKER
Main target regionMexico
Primary lureFake CAPTCHA or verification page
Main delivery methodClickFix command copied to the clipboard
Main goalOperator-assisted banking fraud

How the fake verification page works

The infection starts when a victim lands on a fake CAPTCHA or verification page. Elastic observed lures that first showed an image challenge, then instructed the victim to open the Windows Run dialog and paste a command.

The malicious page uses browser clipboard behavior to prepare the command. The MDN documentation for navigator.clipboard.writeText() explains that the method writes text to the system clipboard from a secure browser context.

In REF6045, that copied text pulls a first-stage script from attacker infrastructure and pipes it into cmd.exe. The user thinks they completed a security check, but they actually launched the malware installer.

  • The victim sees a fake CAPTCHA or verification prompt.
  • The page copies a command to the clipboard.
  • The victim opens Windows Run.
  • The victim pastes and executes the command.
  • The first-stage script starts the SCMBANKER installation chain.

The first-stage script hides behind a fake update screen

After execution, the batch script opens Microsoft Edge in kiosk mode and displays a fake Windows Update screen. This gives the malware time to download and install the rest of the toolkit while the victim waits.

The script also pressures the user for administrator approval. Elastic said it repeatedly relaunches itself with elevated privileges until the victim accepts the UAC prompt.

That combination creates a simple but effective flow: the victim believes the system is updating, while the malware gains the permissions and time it needs to complete installation.

SCMBANKER downloads its toolkit with bitsadmin

Once elevated, SCMBANKER uses Windows tools to retrieve additional scripts and binaries. Elastic observed the malware pulling files into the public user directory.

One key utility in the chain is bitsadmin. Microsoft’s bitsadmin documentation describes it as a command-line tool for creating download or upload jobs and monitoring their progress.

Attackers often abuse trusted administrative tools because they already exist on Windows systems. The MITRE ATT&CK BITS Jobs technique explains that adversaries can use BITS to download, execute, and clean up malicious code.

ComponentReported purpose
validation.txtFirst-stage batch payload
run.vbsMaster launcher for the toolkit
cliente.ps1Command-and-control beacon
jujuzkt.ps1Banking activity monitor
jujuzkt2.ps1Browser redirect module
clip.ps1 and clip2.ps1Clipboard hijacking modules
avs.ps1Remote Utilities downloader

Persistence uses Run keys and startup folders

SCMBANKER does not disappear after the first command runs. Elastic said the toolkit installs persistence through a registry Run key and startup folder entries that relaunch run.vbs when the user signs in.

The MITRE ATT&CK Registry Run Keys and Startup Folder technique explains that attackers can place programs in these locations so they execute automatically during logon.

SCMBANKER also uses a RunOnce marker to write an infection timestamp. That gives operators a way to track when the victim machine first joined the campaign.

A human operator watches for banking activity

REF6045 stands out because it does not fully automate the fraud workflow. Elastic described it as an operator-assisted campaign where a person watches infected machines and decides when to escalate.

The banking monitor checks visible window titles for bank names and financial-service keywords. When it finds a match, it alerts the operator and starts a screenshot workflow.

This lets the attacker wait until a victim opens a useful session. The operator can then choose whether to collect screenshots, redirect the browser, push a vishing overlay, replace clipboard data, or install remote access software.

The toolkit can redirect browsers and launch phishing pages

SCMBANKER includes a browser redirect module that only activates against victims selected by the operator. This makes the fraud more targeted than a simple mass phishing page.

When the victim’s public IP appears in the operator’s targeting list, the redirect module watches for configured banking or financial windows. It can then place a phishing URL on the clipboard, focus the browser address bar, paste the URL, and load the fake page.

Elastic observed a phishing destination tied to BanBajio branding. The phishing page also collected browser and device details and sent the profile through Telegram, giving the operator more context for live follow-up.

Clipboard hijacking focuses on payment redirection

SCMBANKER’s clipboard modules focus on financial data rather than broad credential theft. Elastic said one module checks for 18-digit CLABE account numbers, while another checks for 16-digit card numbers.

The MITRE ATT&CK Clipboard Data technique describes how attackers can collect or monitor clipboard contents because users often copy sensitive data during normal activity.

In this campaign, the clipboard logic can replace copied account or card values with attacker-controlled values. That creates a direct path to payment diversion if the victim pastes the altered data into a banking portal.

Vishing overlays push victims toward live scams

The toolkit also includes a vishing engine. When activated, it can lock the screen behind a fake bank warning and push the victim to call a number or interact with the operator.

Elastic described two overlay behaviors. One creates a topmost window that keeps returning to the foreground. Another creates a softer lock screen that resists closing, moving, or minimizing.

This matters because banking fraud often works best when malware and social engineering support each other. The malware gives the operator context, while the phone call gives the operator a way to manipulate the victim in real time.

Remote access gives attackers full control

For higher-value victims, REF6045 can deploy Remote Utilities Host, a legitimate remote-administration product that the attacker configures for silent callback access.

MITRE’s Remote Access Software technique explains that adversaries may abuse legitimate remote tools to control compromised systems while blending with normal administrative software.

Elastic said SCMBANKER uses scripts to download the installer, gain administrator approval, install it silently, hide the implant directory, and remove the normal uninstall entry. That gives the operator hands-on control when screenshots, overlays, and redirects are not enough.

AI-assisted coding artifacts appear in the toolkit

Elastic also found signs that large language models helped write the malware. The researchers pointed to descriptive function names, heavy explanatory comments, document-like section dividers, leftover artifacts, and Spanish prompting patterns.

The report says the toolkit was not generated autonomously. Instead, the operator appears to have used a model to build much of the functionality and then applied manual obfuscation afterward.

That detail matters because SCMBANKER is not especially polished. Even so, it gives attackers a working fraud platform with screenshots, redirects, clipboard theft, vishing overlays, updates, keylogging remnants, and remote access installation.

Attacker mistakes exposed the operation

Elastic said the operation suffered from poor server hygiene. Researchers found open directories, an exposed web-root archive, and an unauthenticated editor tied to live targeting files.

Those mistakes helped reveal the toolkit, infrastructure, and targeting logic. They also showed that the same ClickFix delivery pattern appeared across multiple hosts.

REF6045 SCMBANKER execution chain from ClickFix lure (Source – Elastic)

The Elastic analysis says the shared delivery patterns, overlapping PowerShell files, and SCM-branded panels suggest kit reuse or related deployments by the same operator set.

Indicators of compromise

Elastic published several indicators tied to the campaign. Defenders should treat them as starting points for hunting, then combine them with behavior-based detection because infrastructure and hashes can change quickly.

TypeIndicatorDescription
IPv468.211.161[.]46ClickFix and file host
IPv4216.250.112[.]100ClickFix and file host
IPv4185.242.246[.]169REF6045 C2
Domainratonvaquero2026[.]onlineClickFix and file host
Domainmonteviral2026.duckdns[.]orgClickFix and file host
Domainosogransd[.]onlineClickFix and file host
Domainnegratomasa2026[.]onlineREF6045 C2
Domaingestionmontelavaria2026[.]onlineREF6045 C2
Domainssinvestigaciones[.]comClickFix post-CAPTCHA tracking endpoint
Domainbancaporinternetbbmx[.]onlineBanBajio phishing page
SHA-256554f1aefeb698995501751328c2f9fe93f02a680679fba3dd15f1ed93d46bf1bvalidation.txt first-stage batch payload
SHA-256ff3555154e91e42490cc722b6c7f3c4c91654b7ef53a35d0719ffb89accf1b27run.vbs master launcher
SHA-256526287a40aad1b218228cdd1f459ad3b93f858585048347644d597c6ab19515acliente.ps1 C2 beacon
SHA-256685d29ce8a550feb3a9e1d1c5926ec5e927615cf34aab62c108a812a1eb6737cjujuzkt.ps1 banking activity monitor
SHA-256eea08fbf3720d638af1d313d3ce369708b77d7891379d5c5871dd7f36667ed0cclip.ps1 CLABE clipboard hijacker
SHA-25670140aa236d630a7d5ed08be3dafcccea9a8b0eec6dadf8c1cf1b96d8f608609clip2.ps1 card-number clipboard hijacker
SHA-25632d981b3e7c36aa7030cfd9ee412bff742e00b36c39c80634b2681f89de4a487hosts.msi Remote Utilities installer

What defenders should monitor

Security teams should look for Windows Run activity that launches command shells or scripts after a browser session visits a suspicious verification page.

They should also monitor suspicious bitsadmin jobs, PowerShell scripts launched from public directories, registry Run key changes, and unexpected Remote Utilities installations.

JavaScript code sending victim device and location data (Source – Elastic)

The Microsoft bitsadmin reference can help defenders understand expected tool behavior, while the MITRE BITS Jobs page explains why this Windows feature often appears in intrusion chains.

  1. Block or warn on clipboard-to-Windows-Run command patterns.
  2. Alert on curl output piped directly into cmd.exe.
  3. Monitor bitsadmin downloads into public user directories.
  4. Watch for suspicious PowerShell scripts launched by VBS files.
  5. Detect new registry Run key values tied to hidden scripts.
  6. Investigate browser redirects to newly registered banking domains.
  7. Alert on unexpected Remote Utilities Host installation or configuration changes.

Users should never run commands from CAPTCHA pages

The user-facing advice is simple. A real Google verification page, CAPTCHA, or bank security check will not ask users to open Windows Run, paste a command, and press Enter.

Users who see this instruction should close the page immediately, avoid copying anything from it, and report the link to their bank or IT team. They should also run a security scan if they already followed the steps.

The Clipboard API has legitimate uses, but ClickFix campaigns abuse clipboard writes to preload commands that users later execute themselves.

Why Mexican financial services are the focus

SCMBANKER focuses heavily on Mexico’s financial ecosystem. That includes retail banks, business banking portals, fintechs, payment processors, cryptocurrency services, investment platforms, SAT-related services, and telecom providers.

This broad targeting suggests the operators want multiple paths to money movement, not just banking credentials. Clipboard hijacking, phishing redirects, vishing overlays, and remote access all support that goal.

The MITRE Clipboard Data technique is especially relevant here because replacing CLABE or card numbers can turn an ordinary copy-and-paste action into a payment redirection attempt.

SCMBANKER shows how crude malware can still cause damage

Elastic described the toolkit as messy and full of copy-paste logic, but that does not make it harmless. The operation already has the components needed to track victims, identify financial activity, and escalate against valuable targets.

The campaign also shows how fraud operators can use AI-assisted scripting to build practical malware faster, even without high-end engineering skills.

The biggest risk comes from the live operator model. Once SCMBANKER flags a useful banking session, the attacker can choose the fraud method that best fits the victim in front of them.

Detection needs behavior, not just IoCs

Hashes and domains help during early response, but REF6045-style campaigns can change infrastructure quickly. Defenders need detection logic that follows the behavior.

Useful signals include fake verification pages, Windows Run execution, curl piped into cmd.exe, downloads through bitsadmin, VBS launchers, PowerShell modules in unusual directories, Run key persistence, screenshot capture, clipboard replacement, and remote access software abuse.

The MITRE persistence mapping and remote access software mapping both fit the REF6045 workflow and help defenders translate the campaign into practical detection coverage.

FAQ

What is REF6045?

REF6045 is the name Elastic Security Labs uses for an operator-assisted banking fraud operation targeting customers in Mexico’s financial ecosystem through ClickFix-style fake verification pages.

What is SCMBANKER?

SCMBANKER is a PowerShell-based malware toolkit used in the REF6045 campaign. It can monitor banking sessions, capture screenshots, redirect browsers, manipulate clipboard data, show vishing overlays, and deploy remote access software.

How does the fake Google verification page infect users?

The fake verification page tricks victims into opening Windows Run, pasting a command copied to the clipboard, and executing it. That command downloads and runs the first-stage SCMBANKER payload.

Which users are targeted by the campaign?

The campaign focuses on Mexican financial users, including customers of banks, business banking portals, fintech services, payment processors, cryptocurrency exchanges, investment platforms, SAT services, and telecom providers.

How can users avoid ClickFix infections?

Users should never run commands from CAPTCHA, Google verification, browser warning, or bank security pages. Real verification pages do not ask users to open Windows Run and paste commands.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages