Hackers hijack Mexican bank customers with a hands-on fraud toolkit

A financially motivated crew is defrauding customers of Mexican banks by planting a hands-on-keyboard toolkit on their computers, then watching in real time as victims log into their accounts. Elastic Security Labs, which tracks the operation as REF6045, says a live human operator sits behind each infection, deciding when to lock the screen, push the victim onto a scam phone call, or swap the account number they just copied for one the attacker controls.

How victims get infected

The lure is a fake CAPTCHA. Victims land on a page styled as a routine "security verification" (one variant asks them to pick out fire hydrants in Spanish), which quietly copies a command to their clipboard and tells them to paste it into the Windows Run box. That command pulls a Windows batch script from the attackers' server and runs it, installing a PowerShell bundle the researchers named SCMBANKER. This clipboard-and-paste trick, known as ClickFix, is the same social engineering IntelFusions has covered in other recent campaigns.

To keep the victim distracted, the script opens a full-screen fake Windows Update page, pins the mouse cursor to a single pixel, and nags for administrator rights every 20 seconds until the user clicks "Yes".

A full fraud workflow

Once installed, SCMBANKER beacons to the operator every 30 seconds and runs more than a dozen modules in parallel. It watches window titles once a second for the names of banks, fintechs, payment processors, crypto exchanges, brokerages, Mexico's SAT tax authority, and telecoms. When a banking session opens, it starts snapping screenshots (about 42 per trigger) and alerts the operator. Other modules check the clipboard every 300 milliseconds and rewrite 18-digit CLABE account numbers and 16-digit card numbers so money moves to attacker-controlled accounts. For a full takeover, the operator can silently install Remote Utilities, a legitimate remote-access product, preconfigured to call home and stripped of its uninstall entry so victims cannot remove it.

The vishing module is what makes this operator-assisted rather than automatic. It maps a victim's public IP to a lock-screen overlay showing a fake bank warning that pushes them to phone a "support" line answered by the fraudsters.

Written with an AI assistant

Elastic found the scripts riddled with AI-generated artifacts, including tidy explanatory comments sitting above hand-obfuscated code and banner headers typical of large language model output. The researchers assess the operator prompted a model in Spanish (occasionally larding requests with profanity, possibly to slip past safety filters) and pasted the results with little review. Sloppy operator security, including open directories and a leaked web-root archive, is what exposed the tooling in the first place.

Indicators

Delivery and command-and-control infrastructure includes hxxps://negratomasa2026[.]online, with file servers at 68[.]211[.]161[.]46, 216[.]250[.]112[.]100, and 185[.]242[.]246[.]169. The operation has been iterating since at least October 2025 and heavily targets Mexico's financial sector. Read the original Elastic Security Labs report for the full technical breakdown.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions