A recent cyber campaign has been exploiting fake Google verification pages to deploy malware aimed at customers of Mexican banks. This operation, known as REF6045, relies on a technique called ClickFix to initiate the infection process, which is specifically designed for fraudulent activities rather than mere surveillance.
How the ClickFix Campaign Operates
The ClickFix campaign begins with a victim being directed to execute a command that triggers the malware infection chain. This allows cybercriminals to monitor banking transactions, manipulate session data, and direct victims to scams and phishing sites. The human-operated attack is distinguished by its ability to escalate threats based on real-time decisions.
The malware, identified as SCMBANKER, includes components dating back to October 2025, with active infections detected in mid-2026. Its targets are broad, encompassing retail banks, fintech services, and even cryptocurrency platforms within Mexico.
Technical Insights from Elastic Security
Elastic Security Labs discovered the campaign and provided detailed insights into its workings. The attackers use false verification pages to implant the malware, transforming affected devices into channels for financial exploitation. The campaign’s quick cash-out strategy is activated as soon as a target accesses a financial service.
Notably, the campaign exhibits a high degree of operator control post-infection. This allows attackers to capture screenshots, redirect browsers to phishing sites, and even lock screens with fake alerts. The use of large language models in the malware’s code has made it easier for criminals to deploy complex features without advanced programming skills.
Implications and Defense Strategies
The infection process begins with fake CAPTCHA pages masquerading as security checks, which then deploy a script into the Windows command shell. This script leads to a bogus Windows Update screen, prompting victims to grant administrative access. Subsequent activity involves downloading additional malware components.
The infrastructure supporting these attacks shows signs of poor security, with open directories and exposed web-root archives. For cybersecurity professionals, monitoring suspicious PowerShell activities and abnormal Windows Run executions is crucial to preventing fraud. User education is also vital, as the attack relies on user interaction with deceptive prompts.
Conclusion and Future Outlook
With SCMBANKER in place, the malware scans for banking-related windows and alerts operators when valuable sessions are detected. This enables actions such as phishing redirects, vishing overlays, and clipboard hijacking. The campaign’s effectiveness lies in its combination of social engineering and real-time decision-making, turning simple commands into significant financial thefts.
Elastic’s recommendations emphasize the importance of monitoring for unusual script interpreter activity and remote access abuse to combat such threats. Despite the malware’s rudimentary nature, its ability to cause substantial harm underscores the need for robust cybersecurity measures and continued vigilance in the face of evolving tactics.
