zeroday.news · 19h ago·high
ClickFix to Cash-Out: Anatomy of a Mexican Banking-Fraud Toolkit
A sophisticated banking fraud operation, dubbed REF6045, utilizes a PowerShell toolkit named SCMBANKER, delivered via fake CAPTCHA pages. Unlike automated attacks, this operation is manually controlled, allowing operators to monitor victim banking sessions, deploy fake warnings, and manipulate browser activity. The toolkit also facilitates the installation of commercial remote access tools for full system takeover. Researchers discovered the operation through exposed directories and archives, revealing the use of AI-generated scripts and operator misconfigurations.