CFOtech UK - Technology news for CFOs & financial decision-makers
United Kingdom
Elastic finds AI-assisted banking fraud ring in Mexico

Elastic finds AI-assisted banking fraud ring in Mexico

Thu, 9th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Elastic has detailed a banking fraud operation targeting customers of Mexican banks, fintechs, payment processors and cryptocurrency exchanges, saying the attackers appear to have used a large language model to help build much of their malware toolkit.

The company's threat research team said the operation, which it tracks as REF6045, uses a PowerShell-based toolkit called SCMBANKER to monitor victims' machines, watch for banking activity, capture screenshots, manipulate clipboard data and push victims into phone-based fraud. Elastic said the campaign also shows how cybercriminals are using generative AI in day-to-day operations rather than through autonomous agents or fully AI-driven attacks.

According to Elastic, the group's scripts contained clear traces of AI-assisted development, including explanatory comments embedded directly in the code, banner-style generated notes and profanity-laced prompts apparently aimed at bypassing model safeguards when producing more sensitive functions such as keylogging components.

Infection chain

Elastic said victims are infected through fake CAPTCHA-style verification pages. These pages instruct the user to run a command through the Windows Run dialogue, which then downloads and installs the SCMBANKER toolkit.

The company said the infection flow is designed to buy time and reduce user interference. After the initial script runs, it launches Microsoft Edge in kiosk mode to display a fake Windows Update screen. It then attempts to gain elevated privileges through repeated user account control prompts and, once elevated, can restrict mouse movement while additional tools are downloaded.

Elastic said the malware establishes persistence through Registry Run keys and startup folder entries, then forces a reboot so the installed components relaunch automatically.

The toolkit is built around a master Visual Basic script that starts multiple modules at once. Elastic said those modules support command-and-control communications, banking session monitoring, keylogging, phishing redirection, clipboard replacement and remote access installation.

Fraud workflow

Elastic described REF6045 as an operator-assisted fraud campaign rather than a fully automated one. It said a human operator monitors infected devices and decides how to proceed once a victim opens a banking session or visits another targeted service.

The banking activity monitoring module checks visible window titles every second and compares them against a list of targeted services. Elastic said the target list spans retail and business banking portals, fintech platforms, crypto exchanges, investment services, tax services and telecoms providers in Mexico.

If the malware detects a targeted service, it can trigger screenshot capture and exfiltration, display a full-screen warning overlay urging the victim to call a fake support number, or redirect the user's browser to a phishing page. Elastic said another module watches the system clipboard every 300 milliseconds and replaces copied CLABE bank account numbers or card numbers with attacker-controlled details.

For more direct access, the toolkit can install Remote Utilities Host, a legitimate remote administration product. Elastic said the malware hides the installation, sets up callback access for the operator and removes uninstall registry entries to make the software harder for victims to remove through standard Windows settings.

AI traces

Elastic's analysis focuses heavily on signs that the malware authors used an LLM to produce code. The company said the scripts showed a mix of heavily annotated, tutorial-style function headers and coarse language in comments, followed by limited manual obfuscation.

That pattern matters because it points to practical use of AI in criminal operations rather than the often broader claim that "AI writes malware". In this case, Elastic said the operator appears to have prompted the model in Spanish, taken the generated output with limited review and then layered minor changes on top before deployment.

The company's findings suggest that generative AI is lowering the effort needed to assemble and expand fraud tooling, especially for operators who are willing to ship code with minimal cleanup. Elastic said the traces were left so openly in the scripts that the development process was visible during analysis.

Open infrastructure

Elastic said the campaign also suffered from major operational security failures that exposed its infrastructure and tooling. The researchers found open directory listings on the actors' file servers, an unauthenticated text editor module that allowed live targeting configurations to be read or modified, and a public archive containing the group's web-root files.

That access, Elastic said, gave researchers visibility into the fraud operation's phishing pages, command-and-control infrastructure and targeting logic. It also helped show how the operators matched certain victims to specific fraudulent overlay pages and support phone numbers.

"REF6045 adapts ClickFix delivery into operator-assisted banking fraud, using fake verification pages to stage a PowerShell toolkit (SCMBANKER) on victim machines," said Elastic Security Labs.

"SCMBANKER gives operators a full fraud workflow: banking-session monitoring, screenshot capture, vishing overlays, phishing redirects, clipboard manipulation, and Remote Utilities installation," said Elastic Security Labs.

"The scripts are riddled with AI-generated artifacts, indicating that the operator used an LLM to write most of the tooling," said Elastic Security Labs.