How to remove SCMBANKER Trojan from the operating system

Trojan

Also Known As: SCMBANKER malware

Damage level:

Get free scan and check if your device is infected.

Remove it now

To use full-featured product, you have to purchase a license for Combo Cleaner. Seven days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

What kind of malware is SCMBANKER Trojan?

SCMBANKER Trojan is a banking trojan built in PowerShell and aimed at users of Mexican financial institutions. According to research by Elastic Security Labs, it is part of an active, operator-assisted fraud campaign tracked as REF6045.

The malware is delivered through ClickFix fake CAPTCHA pages that trick victims into running a malicious command. Once installed, it displays fake bank security alerts designed to panic victims into calling attacker-controlled phone numbers.

SCMBANKER also hijacks the clipboard, silently replacing CLABE account numbers and payment card numbers with attacker-controlled alternatives to redirect bank transfers. A commercial remote-access tool installed alongside the malware gives operators live control of the infected machine.

SCMBANKER Trojan malware

SCMBANKER Trojan overview

SCMBANKER is structured as a modular toolkit, with each PowerShell script responsible for a distinct part of the fraud operation. As documented by Elastic Security Labs, the campaign relies on a live operator dashboard, meaning real humans monitor infected machines and issue commands in near real time.

The malware sends a command and control beacon to the attacker's server every 30 seconds. Each check-in reports the machine name, a unique client ID, local and public IP addresses, and the status of installed components. Operators push commands back through text files hosted on the same server.

During installation, a fake Windows Update screen is displayed to distract the victim while the malware toolkit downloads in the background. The victim sees what appears to be a routine system update in progress, giving the malware time to set itself up undetected.

Banking fraud capabilities

SCMBANKER continuously monitors which windows are open on the infected computer. When it detects a title matching a Mexican bank, fintech platform, payment processor, cryptocurrency exchange, or the SAT (Mexico's tax authority), it immediately begins capturing screenshots at a rapid rate.

At that point, the malware can display a fake bank security page in the browser, designed to look like a real warning from the victim's own bank. These pages cite vague security problems, show a fake reference number, and urge the victim to call a phone number controlled by the attackers.

SCMBANKER can also redirect the victim to a fake banking portal entirely. It places a phishing URL into the clipboard and then simulates keystrokes to open it in the browser, replacing the real banking site without any obvious sign that a change has occurred.

Clipboard hijacking and remote access

In the background, SCMBANKER monitors the clipboard for CLABE numbers (18-digit Mexican bank routing identifiers) and 16-digit payment card numbers. When either format is detected, the value is silently replaced with an alternative loaded from a configuration file on the attacker's server.

The toolkit installs Remote Utilities, a legitimate commercial remote-access application, configured to silently connect to operator infrastructure. This gives attackers live screen access, full keyboard and mouse control, and the ability to interact with the victim's computer directly.

The malware also includes a keylogging module capable of recording everything the victim types and transmitting it to an attacker-controlled Telegram channel.

Persistence and defense evasion

SCMBANKER uses multiple methods to survive reboots. It writes a launch command to the Windows Registry Run key, ensuring it starts automatically at login. A VBScript file is also copied to the Windows Startup folder as a backup persistence mechanism.

The malware hides all its files by applying hidden and system attributes, making them invisible in standard folder views. It also removes the uninstall record for the Remote Utilities component, preventing it from appearing in the installed programs list.

During installation, a UAC bypass loop retries every 20 seconds until administrator access is granted. The malware also briefly traps the mouse cursor to a single pixel on screen, stopping the victim from interacting with the computer while the toolkit downloads in the background.

Threat Summary:
Name SCMBANKER malware
Threat Type Banking Trojan, Trojan, Clipper, Remote Access Trojan (RAT)
Detection Names AliCloud (Trojan:Win/Agent.dds), Huorong (HEUR:Trojan/Runner.e), Ikarus (Trojan.VBS.Agent), Kaspersky (Trojan.VBS.Agent.dar), Full List (VirusTotal)
Symptoms Banking Trojans are designed to stealthily infiltrate the victim's computer and remain silent. SCMBANKER may display fake bank security pages when banking sites are active; outside of those moments, no particular symptoms are clearly visible on an infected machine.
Distribution methods ClickFix, deceptive websites, social engineering.
Damage Banking fraud and financial theft, clipboard hijacking (CLABE numbers and card details silently replaced), unauthorized remote access to the victim's computer, identity theft, potential for additional malware infections.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.

Download Combo Cleaner

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Conclusion

SCMBANKER Trojan poses a direct financial risk to users of Mexican banking services. By combining fake bank overlays, clipboard hijacking, and operator-controlled remote access, it can intercept real bank transfers while keeping the victim completely unaware of what is happening.

Victims may suffer significant financial losses, identity theft, and full remote control of their computer by attackers. The malware's multiple persistence mechanisms and use of a legitimate remote-access tool make it difficult to detect without dedicated security software. It should be removed immediately.

More examples of banking trojans are Maverick, CHAVECLOAK, and Tinynuke.

How did SCMBANKER Trojan infiltrate my computer?

As documented by Elastic Security Labs, SCMBANKER is distributed through ClickFix fake CAPTCHA pages. These pages are hosted on attacker-controlled domains, written in Spanish, and designed to target Mexican internet users specifically.

Visitors see what appears to be a standard verification check. The page instructs them to press the Windows key and R to open the Run dialog, paste a command, and press Enter. Running that command downloads and executes the malware toolkit from an attacker-controlled server.

Once the script runs, a fake Windows Update screen appears while the malware installs in the background. More broadly, threats like SCMBANKER also reach victims through phishing emails, compromised websites, and malicious downloads from untrustworthy sources.

How to avoid installation of malware?

Be suspicious of any website that asks you to paste a command into the Windows Run dialog, PowerShell, or a terminal. Legitimate services never require this step. Download software only from official developer websites and avoid pirated content, key generators, and software cracks.

Keep your operating system and all software updated, and use a reputable security program to run regular scans. Avoid granting notification permissions to unfamiliar websites and be cautious with unexpected pop-ups or ads. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Fake CAPTCHA page (ClickFix) used to deliver SCMBANKER Trojan (source: elastic.co):

SCMBANKER Trojan fake CAPTCHA ClickFix delivery page

Fake Windows Update screen displayed as a distraction during SCMBANKER Trojan installation (source: elastic.co):

SCMBANKER Trojan fake Windows Update distraction screen

Fake bank security pages displayed by SCMBANKER Trojan to victims (source: elastic.co):

SCMBANKER Trojan fake bank security overlay page 1 SCMBANKER Trojan fake bank security overlay page 2 SCMBANKER Trojan fake bank security overlay page 3

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

DOWNLOAD Combo Cleaner

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Malware process running in the Task Manager

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Autoruns application appearance

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Run Windows 7 or Windows XP in Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Run Windows 8 in Safe Mode with Networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Run Windows 10 in Safe Mode with Networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

manual malware removal step 3Extract the downloaded archive and run the Autoruns.exe file.

Extract Autoruns.zip archive and run Autoruns.exe application

manual malware removal step 4In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Refresh Autoruns application results

manual malware removal step 5Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

Delete malware in Autoruns

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Search for malware and delete it

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with SCMBANKER Trojan malware, should I format my storage device to get rid of it?

Reformatting the storage device will remove SCMBANKER Trojan, but it will also erase all data on the drive. Running a trusted security tool such as Combo Cleaner is the recommended first step, as it can remove the infection without destroying personal files.

What are the biggest issues that SCMBANKER Trojan malware can cause?

SCMBANKER Trojan can cause direct financial losses by silently replacing CLABE account numbers and card numbers in the clipboard, diverting transfers to attacker-controlled accounts. It also gives attackers remote control of the infected computer, which can lead to further data theft and additional malware infections.

What is the purpose of SCMBANKER Trojan malware?

The purpose of SCMBANKER Trojan is to commit banking fraud against users of Mexican financial institutions. It does this by displaying fake bank security alerts, hijacking clipboard content to redirect transfers, and giving operators live remote control of the victim's computer.

How did SCMBANKER Trojan malware infiltrate my computer?

SCMBANKER Trojan spreads through ClickFix-style fake CAPTCHA pages that instruct visitors to paste a malicious command into the Windows Run dialog. More broadly, threats of this type also reach victims through phishing emails, compromised websites, and malicious software downloads.

Will Combo Cleaner protect me from malware?

Yes. Combo Cleaner can detect and remove SCMBANKER Trojan and similar threats. Because this malware installs multiple persistence components, running a full system scan is important to make sure all parts of the infection are thoroughly eliminated.

Share:

facebook
X (Twitter)
linkedin
copy link
Tomas Meskauskas

Tomas Meskauskas

Expert security researcher, professional malware analyst

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.

▼ Show Discussion

PCrisk security portal is brought by a company RCS LT.

Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Donate