Ethical Hacking News
SCMBANKER malware lures have been discovered targeting Mexican banks, fintech, payment processors, and cryptocurrency exchanges, using AI-powered security tools to create a complex toolkit with capabilities for banking-session monitoring, vishing overlays, phishing redirects, clipboard manipulation, and remote utilities installation.
The recent discovery of SCMBANKER malware targets Mexican banks, fintech, payment processors, and cryptocurrency exchanges. The malware utilizes ClickFix lures and infects victims through fake CAPTCHA verification pages. SCMBANKER uses AI-powered security tools to develop a significant portion of the tooling, resulting in various capabilities such as banking-session monitoring and vishing overlays. The malware is specifically designed to target Mexico's financial ecosystem, with evidence pointing to the use of AI-powered tools. SCMBANKER has the potential to compromise sensitive financial information and disrupt banking operations. The threat actor's operational security lapses allowed researchers to retrieve a ZIP archive containing the operation's full web root directory. The malware sets up persistence using the Windows Startup folder and a Registry Run key, and forces a reboot with the shutdown /r /t 02 command and switches. SCMBANKER includes various modules for command-and-control, banking activity monitoring, vishing, and clipboard hijack to facilitate further attacks.
The recent discovery of SCMBANKER malware, a sophisticated banking fraudulent operation targeting Mexican banks, fintech, payment processors, and cryptocurrency exchanges, has raised significant concerns among cybersecurity experts. The malware, which utilizes ClickFix lures, has been found to infect victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs the SCMBANKER PowerShell toolkit.
The threat actor behind this operation has demonstrated a clear understanding of AI-powered security tools, using large language models to develop a significant portion of the tooling. This approach has resulted in a wide range of capabilities, including banking-session monitoring, screenshot capture, vishing overlays, phishing redirects, clipboard manipulation, and Remote Utilities installation.
The SCMBANKER malware is specifically designed to target Mexico's financial ecosystem, with evidence pointing to the use of AI-powered tools to develop a large chunk of the toolkit. The malware supports various functionalities, including the deployment of commercial remote-access tools for full takeover operations.
According to security researchers Jia Yu Chan and Salim Bitam, "Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard." This highlights the potential for SCMBANKER malware to compromise sensitive financial information and disrupt banking operations.
The threat actor's use of operational security lapses has allowed Elastic Security Labs to retrieve a ZIP archive containing the operation's full web root directory from an open directory located at "68.211.161[.]46." This discovery provides valuable insights into the tactics, techniques, and procedures (TTPs) employed by the threat actor.
The fake CAPTCHA check that disguises itself as a security verification page urges potential victims to solve a Google reCAPTCHA-like challenge to identify images containing a fire hydrant. Once the step is complete, they are presented with instructions to copy and paste a malicious command into the Windows Run dialog. This triggers the execution of a batch script that installs the malware through a multi-stage process.
The batch script immediately launches Microsoft Edge in kiosk mode pointing to fakeupdate[.]net, a well-known pentesting/red team site that renders a fake Windows Update screen. This distraction buys time for the script to fully execute. The script checks if it's running as admin, and if not, launches a Windows User Account Control (UAC) prompt every 20 seconds, nudging the victim towards clicking "Yes" on the consent dialog.
As soon as it gains elevated privileges, SCMBANKER malware locks mouse movement. This behavior, combined with the fake Windows update screen, forces the victim to stay, giving the malware ample time to download the complete toolset in the background using the bitsadmin tool from the same directory.
After SCMBANKER components are downloaded onto the compromised host, it sets up persistence using the Windows Startup folder and a Registry Run key. The malware then programmatically sends an F11 keypress event to exit full screen and initiate a "Ctrl+W" keypress sequence to close the fake Windows update tab.
However, this approach only works in a standard full-screen browser window, not in kiosk mode. It then forces a reboot with the shutdown /r /t 02 command and switches. Upon restart, the previous persistence mechanism via the Registry Run key triggers execution of the VBScript file ('run.vbs').
The Visual Basic Script serves as a master launcher to run several modules in parallel. These include edifhjwe.ps1, for toolkit self-update; cliente.ps1, for command-and-control (C2) beacon and implant control; avs.ps1, for downloading the Remote Utilities RAT installer to facilitate hands-on access to a victim's machine.
Other modules include clip.ps1 and clip2.ps1, for clipboard hijack to reroute transactions; correr.ps1, for arbitrary PowerShell execution; ini.ps1, a launcher for "jujuzkt.ps1," a banking activity monitor that checks all visible window titles every second for matches against a list of Mexican financial institutions.
The malware also includes rotor2.ps1, a wrapper for "mensaje1.ps1," a vishing engine that serves fake overlays with security warnings instructing victims to call certain phone numbers. Remo.ps1 is an IP address-gated launcher for "jujuzkt2.ps1," a browser redirector that matches window titles against a list and sends a series of keypress events (Ctrl+L, Ctrl+V, and Enter) to take the victim to the phishing landing page.
One such redirect destination, "'bancaporinternetbbmx[.]online," contains a page-load Telegram notification script that harvests browser, device, and IP address details, and sends the information to a Telegram chat, alerting the operator that a redirected victim has reached the lure for follow-on attacks.
According to security researchers Jia Yu Chan and Salim Bitam, "The scripts show strong signs of AI assistance, most likely by prompting a large language model in Spanish and then applying manual obfuscation afterward." This highlights the threat actor's use of AI-powered tools to create a complex malware toolkit.
"The code has a split personality, with clean, descriptive function names and heavy explanatory comments sitting next to hand-shortened variables and leftover generation artifacts. The placement of instruction-like comments directly above the code they describe suggests the authors have prompted an inline coding assistant such as Copilot or Cursor," Elastic said.
The findings represent the work of a threat actor who has leaned on AI to assemble a crude toolset that's best characterized by copy-paste batch files, shoddy craftsmanship, and operational security lapses. The threat actor keeps victims as passive feeds while watching a live dashboard and engaging only targets worth effort, switching on browser redirects, vishing lockdowns, clipboard swaps, or a full RAT by IP, on demand.
"Crude as it is, SCMBANKER already has real victims," the researchers concluded. "The live victim counter and the labeled, tagged machines on the operator's own panels show that individual people are being actively targeted."
Related Information:
https://www.ethicalhackingnews.com/articles/SCMBANKER-Malware-Lures-A-Threat-to-Mexicos-Financial-Ecosystem-ehn.shtml
https://thehackernews.com/2026/07/scmbanker-malware-uses-clickfix-lures.html
Published: Wed Jul 8 10:53:02 2026 by llama3.2 3B Q4_K_M