www.elastic.co 7/7/2026, 10:31:09 PM · external

Mexican banking fraud gang uses SCMBANKER toolkit to steal data

Mexican banking fraud gang uses SCMBANKER toolkit to steal data
CyberSIXT Evidence Panel Source marked as original reporting

THE document discusses an active banking fraud operation in Mexico named REF6045, which employs a PowerShell toolkit called SCMBANKER to facilitate fraud against customers of banks and fintech services. SCMBANKER allows operators to monitor banking sessions, manipulate clipboard contents, and conduct voice phishing (vishing) attacks. The infection begins through deceptive CAPTCHA pages that download and execute SCMBANKER, leading to various methods for stealing banking information.

Key takeaways highlight how the operation's poor operational security led to the exposure of several tools and infrastructures used in the attacks. The paper details the methodology of the toolkit, its persistence mechanisms, and emphasizes the role of AI in the scripting process. The content also provides insight into the tactics and techniques aligned with the MITRE ATT&CK framework, emphasizing the need for detection and prevention measures against such operations.

View full article

Article by CyberSIXT