Scams, Hacks & Breaches | June 8, 2026

IBM Warns of New ‘Man-in-the-Browser’ Campaign That Locks Victims Inside Fake Bank Screens and Empties Accounts in Real Time

By Mehron Rokhy

Tech giant IBM is warning of a new cyberattack campaign that traps banking customers inside fake browser screens while attackers watch their sessions in real time.

A senior threat researcher at IBM Trusteer says the campaign is called OverlordMX and was identified in March 2026 targeting financial institutions in Latin America.

IBM says OverlordMX is an automated banking trojan with a “man-in-the-browser” framework. Unlike many automated banking trojans, IBM says the malware places a Spanish-speaking operator at the center of the attack, monitoring each victim’s banking session live.

The attack begins when a malicious script injects hidden overlays into the victim’s web browser. IBM says the script tracks the victim’s current URL and browser information every three seconds while also checking for new commands from the attacker.
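A defensive illustration of the three-second polling described above, added here and not taken from IBM's report: a check over web proxy logs that flags client-to-host flows whose request gaps cluster around three seconds. The log format, hostnames, addresses, function names and thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed log lines: '<epoch seconds> <client ip> <destination host>'."""
    lines = []
    # One flow polling about every 3 s with jitter and one long pause (11 gaps).
    jitter = [0.0, 0.2, -0.1, 0.3, -0.2, 0.1, 0.0, 0.25, -0.15, 0.1, 14.0, 0.0]
    t = 1000.0
    for j in jitter:
        lines.append(f"{t:.2f} 10.0.0.5 poll.example.test")
        t += 3.0 + j
    # Ordinary, bursty browsing from the same client to another host.
    for t in (1000.0, 1001.2, 1001.3, 1019.0, 1044.5, 1045.0, 1110.0, 1112.4, 1170.0):
        lines.append(f"{t:.2f} 10.0.0.5 bank.example.test")
    lines.append("malformed line")
    return "\n".join(lines)

def find_beacons(log_text, period=3.0, tolerance=0.5, min_hits=8, min_ratio=0.8):
    """Return {(client, host): median gap} for flows that poll about every `period` s."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            times[(parts[1], parts[2])].append(float(parts[0]))
        except ValueError:
            continue  # non-numeric timestamp
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Share of gaps near the period; a ratio tolerates a paused or sleeping tab.
        near = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if near / len(gaps) >= min_ratio:
            hits[key] = round(median(gaps), 2)
    return hits

if __name__ == "__main__":
    for (client, host), gap in find_beacons(build_sample()).items():
        print(f"{client} -> {host}: median gap {gap}s")
```

Legitimate pages also poll on fixed timers, so a hit is a lead for review against an allowlist of known services, not a verdict.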

When the victim reaches a valuable moment, such as a login page, transfer screen or one-time password prompt, the attacker can activate a fake bank-branded overlay. IBM says the screen cannot be dismissed through normal actions: there is no close button, and attempts to press ESC or click outside the window are blocked.

The overlays can collect names, phone numbers, emails, credentials, one-time passwords and other sensitive information. IBM says one overlay also pushes victims to download Remote Utilities Host, a legitimate remote management tool abused by the attacker as a remote access trojan.

Once installed, IBM says the operator can take control of the victim’s device, navigate the banking session, authorize fraudulent transfers and change account settings. IBM says stolen funds are transferred to mule accounts while the victim is occupied by a loading screen.

The company says the campaign’s delivery method has not yet been conclusively determined.
