securityonline.info 7/14/2026, 6:21:19 AM · external

Fake CAPTCHA trick drops SCMBANKER on Mexican banks and fintechs

Fake CAPTCHA trick drops SCMBANKER on Mexican banks and fintechs
CyberSIXT Evidence Panel Source marked as original reporting
Threat Actor
REF6045

SECURITY analysts have detected a widespread banking fraud campaign by the threat group REF6045, targeting Mexican retail banks and fintechs. The operation involves deceptive web pages that utilize fake CAPTCHA challenges to trick victims into installing the SCMBANKER malware toolkit. This malware monitors banking sessions, captures screenshots, and manipulates clipboard data to steal financial information.

REFO45 relies on human operators for executing various malware modules and has made significant operational security mistakes, such as leaving server directories open to the public. Victims include retail bank customers and cryptocurrency traders, with unconfirmed financial damage. Security teams are advised to block known malicious domains and monitor for unusual network activity.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline