Dateline: July 9, 2026
Sloppy Code, Open Servers, Real Victims: Inside REF6045
Click the fire hydrants. Prove you are human. Paste this into the Run box. That last step is where it falls apart. Elastic Security Labs just published research on a Mexican banking fraud crew running exactly that play, and behind the fake verification page sits a person watching a dashboard of infected machines, waiting for someone to open their bank.
What Happened?
Elastic tracks the operation as REF6045. The toolkit is called SCMBANKER, named after the SCM branding on the operator’s own control panels. Some components trace back to October 2025.
The lure is ClickFix. Victims land on a Spanish-language security verification page, complete an image challenge, then get told to paste a command into the Windows Run dialog. That command pulls down a batch script called validation.txt and pipes it straight into cmd.exe.
What follows is a stall tactic. A fake Windows Update screen fills the browser to keep the victim staring at a progress bar. A consent fatigue loop hammers UAC prompts until someone clicks yes. The cursor gets confined to a single pixel while modules download in the background. Then persistence lands in the Registry Run key and the Startup folder, and the machine reboots so everything relaunches clean.
From there a VBScript launcher fires several PowerShell modules at once. One watches for banking windows. One captures screenshots. One checks the clipboard every 300 milliseconds and swaps CLABE account numbers and card numbers for attacker-controlled ones.
Another throws a full screen fake bank warning on the display and pushes the victim to call a fake support line. If the operator decides a target is worth more effort, a module quietly installs Remote Utilities, a legitimate remote administration product, hides it, and strips the uninstall registry entries.
Targets include retail banks, business banking portals, fintechs, payment processors, cryptocurrency exchanges, investment platforms, SAT, and telecom services.
The Impact
Elastic is blunt about the quality. The tooling is crude. Copy paste batch files. Duplicated bitsadmin jobs. Obfuscation that ships its own key. The server was left wide open with directory listings, a full web root archive, and an unauthenticated file editor.
And it works anyway. The operator’s live victim counter and tagged machines show real people getting worked.
The AI angle is the part worth reading twice. Elastic found clear fingerprints of large language model generation across the scripts. Banner style comment scaffolding. Tutorial grade function headers sitting next to hand shortened variable names. Base64 encoded API calls with comments right beside them spelling out exactly what they decode to. And profanity stuffed into comments in the keylogger and rotation modules, apparently to push a model past its safety filters.
This is not autonomous AI attacking anyone. It is a low skill operator prompting a chatbot in Spanish and getting working multi stage malware out the other side. The barrier to writing a functional banking trojan just dropped to whoever can describe one.
Victims stay passive in the feed. The operator picks who to bother with, one IP at a time.
How to Avoid This
The whole chain depends on a person pasting a command into their own machine. That is the hinge.
- Block clipboard to Run dialog execution where policy allows.
- Train people that no legitimate CAPTCHA has ever asked them to open Windows Run.
- Watch for bitsadmin pulling files from raw IP addresses, since almost nothing benign does that.
- Alert on Registry Run key writes paired with run.vbs execution.
- Flag Remote Utilities and similar remote admin tools installing outside your change process.
- Keep an eye on rapid screenshot creation and outbound uploads from endpoints that have no business doing either.
- Banks should treat clipboard integrity as an actual control.
- If CLABE numbers can be rewritten between copy and paste, transfer confirmation screens are the last line, so make them show full account numbers and force a read.
Crude Malware Still Beats a Slow Detection Queue
SCMBANKER did not need a zero day. It needed a victim who pasted a command and a security stack that never connected bitsadmin, a Registry write, and a screenshot burst into one story.
Secure.com’s Digital Security Teammates read that chain as one incident, not five unrelated alerts.
- Behavioral detection across the full execution path, catching Run dialog abuse, bitsadmin downloads from bare IPs, and persistence writes as a linked sequence
- Automated alert triage that correlates endpoint signals instead of dropping them into separate queues nobody has time to review
- Continuous watch on remote administration tooling installing outside approved change windows
- Screenshot and exfiltration activity flagged against normal endpoint baselines
- Containment steps that fire on confirmation, before an operator picks your machine off their dashboard