Find notable cyber news and cases, enriched with sources, timelines, and signals.

REF6045 ClickFix banking fraud campaign targeting Mexican financial users

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The REF6045 campaign is actively targeting customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges, using ClickFix lures to push victims into running a malicious command and installing SCMBANKER. The operation relies on fake CAPTCHA verification pages and a staged Windows update ruse to gain execution and persistence. Once established, the toolkit supports banking-session monitoring, clipboard hijacking, phishing redirects, and vishing overlays, creating a direct path to account takeover and transaction theft. Some components date back to October 2025, showing the activity has persisted beyond a single short-lived burst.

Related Happenings

CypherLoc phishing-led browser scareware campaign

Campaign
H score49 First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
H score31 First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims

Campaign
H score34 First: 11.03.2026 16:45 Last: 11.03.2026 16:45 Sources 1

About this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...

Dort / DortDev abuse-enablement ecosystem behind Kimwolf

Threat Actor Meta
H score32 First: 28.02.2026 14:01 Last: 28.02.2026 14:01 Sources 1

About this happening: Public tracing in **2026** tied **Dort / DortDev** to the **Kimwolf** operator and to underground services that enabled **account abuse** at scale. The linkage matters because the...

Timeline

  1. 08.07.2026 15:52 2 articles · 1d ago

    REF6045 uses ClickFix lures against Mexican banking users

    Initial Disclosure

    REF6045 targets customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges with fake CAPTCHA verification pages that trick victims into running a malicious command in the Windows Run dialog and installing SCMBANKER, a PowerShell toolkit. The toolkit supports banking-session monitoring, screenshot capture, clipboard hijacking, phishing redirects, vishing overlays, and optional Remote Utilities installation, and some components date back to October 2025.

    Show sources