REF6045 ClickFix banking fraud campaign targeting Mexican financial users
Campaign
Summary
Hide ▲
Show ▼
The REF6045 campaign is actively targeting customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges, using ClickFix lures to push victims into running a malicious command and installing SCMBANKER. The operation relies on fake CAPTCHA verification pages and a staged Windows update ruse to gain execution and persistence. Once established, the toolkit supports banking-session monitoring, clipboard hijacking, phishing redirects, and vishing overlays, creating a direct path to account takeover and transaction theft. Some components date back to October 2025, showing the activity has persisted beyond a single short-lived burst.
Related Happenings
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
H score31
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
TikTok for Business phishing campaign using Turnstile and reverse proxy
CampaignAbout this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
H score34
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
CampaignAbout this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Dort / DortDev abuse-enablement ecosystem behind Kimwolf
Threat Actor Meta
H score32
First: 28.02.2026 14:01
Last: 28.02.2026 14:01
Sources 1
About this happening:
Public tracing in **2026** tied **Dort / DortDev** to the **Kimwolf** operator and to underground services that enabled **account abuse** at scale. The linkage matters because the...
Dort / DortDev abuse-enablement ecosystem behind Kimwolf
Threat Actor MetaAbout this happening: Public tracing in **2026** tied **Dort / DortDev** to the **Kimwolf** operator and to underground services that enabled **account abuse** at scale. The linkage matters because the...
Timeline
-
08.07.2026 15:52 2 articles · 1d ago
REF6045 uses ClickFix lures against Mexican banking users
Initial DisclosureREF6045 targets customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges with fake CAPTCHA verification pages that trick victims into running a malicious command in the Windows Run dialog and installing SCMBANKER, a PowerShell toolkit. The toolkit supports banking-session monitoring, screenshot capture, clipboard hijacking, phishing redirects, vishing overlays, and optional Remote Utilities installation, and some components date back to October 2025.
Show sources
- SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users — thehackernews.com — 08.07.2026 15:52
- SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users — thehackernews.com — 08.07.2026 15:52