Fake CAPTCHA Pages Are the Hook
Cybercriminals are running a fresh campaign that preys on customers of Mexican banks, fintech platforms, payment processors, and even cryptocurrency exchanges. The method is deceptively simple: a fake CAPTCHA verification page that tricks users into copying and running a malicious command. Once executed, it installs a PowerShell-based toolkit known as SCMBANKER malware.
Security researchers at Elastic Security Labs are tracking this activity cluster under the name REF6045. The campaign relies on what the industry calls ClickFix lures — social engineering tricks that make victims believe they need to complete a security check. Instead of a harmless verification, they end up infecting their own machine.
This isn’t a spray-and-pray operation. The attackers are being selective about who they target. The lure pages are localized in Spanish and reference well-known Mexican financial institutions. That level of specificity suggests the group behind REF6045 has done its homework on the local banking ecosystem.
How the Infection Chain Works
The attack starts when a user lands on a compromised or malicious website. A pop-up appears, mimicking a standard CAPTCHA challenge. The page instructs the visitor to press a specific key combination — often Windows Key + R — then paste a provided script into the Run dialog and hit Enter.
Here’s the kicker: the script is not a CAPTCHA solver. It’s a PowerShell command that reaches out to a remote server, downloads the SCMBANKER malware, and executes it silently in the background. The victim sees nothing unusual — the page might even show a fake “Verification Successful” message — while the malware burrows into the system.
Elastic’s analysis shows the toolkit is modular. It can steal credentials, intercept SMS-based two-factor authentication codes, log keystrokes, and take screenshots. That’s a dangerous combination for anyone doing online banking.
Why Mexican Users Are in the Crosshairs
Mexico has seen a rapid shift toward digital payments and mobile banking over the past few years. That growth has caught the attention of cybercriminal groups. SCMBANKER malware is specifically designed to hook into banking sessions, read account balances, and initiate unauthorized transfers.
The campaign also targets users of cryptocurrency exchanges. That’s a notable development. Criminals are increasingly blending traditional banking fraud with crypto theft, siphoning funds from both fiat and digital wallets in a single sweep.
Elastic Security Labs notes that the infrastructure behind REF6045 is still active. New domains and command-and-control servers are being spun up regularly. This isn’t a one-off — it’s an ongoing threat that’s likely to evolve.
ClickFix: A Growing Social Engineering Trend
The ClickFix lure technique has been gaining traction across multiple malware families. It exploits a basic human tendency: people follow instructions when they think they’re solving a problem. By wrapping the infection chain inside a fake security check, attackers bypass many traditional defenses.
Static antivirus engines often miss these attacks because the initial payload is not a file — it’s a command typed directly by the user. That’s a blind spot. No email attachment to scan, no link to inspect. Just a few keystrokes, and the damage is done.
For users of WhatsApp HD photo sending or other everyday apps, this kind of social engineering can feel indistinguishable from a legitimate prompt. The attackers invest in good design — the fake CAPTCHA pages look polished, with proper logos and color schemes.
Protecting Yourself from CAPTCHA-Based Malware
Defense starts with skepticism. No legitimate CAPTCHA will ever ask you to open a Run dialog or paste a script. If a website demands that, close the tab immediately.
Organizations can also deploy application whitelisting and PowerShell execution policies to block unauthorized scripts. For individuals, using a standard (non-administrator) user account limits what the malware can do after installation.
Elastic Security Labs recommends monitoring for unusual PowerShell activity and outbound connections to unknown IPs. Their full report on REF6045 includes indicators of compromise — domains, hashes, and command patterns — that security teams can use for detection.
What Comes Next
The SCMBANKER malware campaign is a reminder that banking trojans are not a relic of the 2010s. They’ve adapted. They now use modern social engineering, modular code, and multi-target strategies that span both traditional banks and crypto platforms.
As Mexican financial institutions continue to digitize, the attack surface will only widen. Security awareness training, especially around unusual CAPTCHA prompts, is no longer optional — it’s a frontline defense.
For users who want to stay safe, the rule is simple: if a page asks you to paste code into a Run box, don’t. That’s not a verification. That’s an infection.