From Fake Amazon Security Alert to HarborWatch Agent: ClickFix Delivery of a Custom Monitoring RAT
A sophisticated phishing campaign exploits Amazon's brand reputation through spoofed security alerts to deliver HarborWatch Agent, a custom remote access trojan. The attack chain begins with emails impersonating Amazon security notifications about suspicious account activity, directing victims to lookalike domains. Users are presented with fake CAPTCHA verification pages that employ ClickFix social engineering techniques, instructing them to execute PowerShell commands on their own systems. The multi-stage infection downloads mysql.exe from compromised infrastructure, which communicates with a Chinese-language command and control panel branded Harbor Sentinel. The RAT collects extensive system information including OS details, architecture, CPU count, disk usage, memory status, and network configurations, exfiltrating data through API endpoints to the threat actor's monitoring infrastructure.
AI Analysis
Technical Summary
A phishing campaign exploits Amazon's brand by sending spoofed security alert emails directing victims to lookalike domains with fake CAPTCHA pages. These pages use ClickFix social engineering techniques to convince users to execute PowerShell commands, which download and run a custom RAT named HarborWatch Agent. The RAT downloads a component named mysql.exe from compromised infrastructure and communicates with a Chinese-language command and control panel called Harbor Sentinel. It collects extensive system information including OS details, CPU count, disk usage, memory status, and network configurations, then exfiltrates this data via API endpoints to the attacker’s monitoring infrastructure. No CVE or specific vulnerable software versions are associated with this threat.
Potential Impact
The impact includes unauthorized remote access to infected systems, extensive system reconnaissance, and data exfiltration to attacker-controlled infrastructure. This compromises confidentiality and potentially enables further malicious activities. The threat actor gains persistent monitoring capabilities over victim systems through the HarborWatch Agent RAT.
Mitigation Recommendations
No patch applies, because this is a phishing and social-engineering campaign delivering malware rather than a software vulnerability. Mitigation therefore centres on user awareness: staff should be trained to recognise phishing emails and never execute PowerShell commands pasted from a web page or other unsolicited source, which is the core of the ClickFix technique. Organizations should block and monitor access to the malicious domains and URLs listed below, and endpoint detection and response tooling should be updated with the HarborWatch Agent file hashes and the associated indicators of compromise.
Indicators of Compromise
- hash: 09c121225fe254676a27c21943506714
- hash: 33760b2aa86deea5805e647197c34ef5
- hash: 9abebe5a34eefb80db12bf8d51bfe7f7
- hash: b31f62e1d3b28808daad3ec5efa5df54ae56898d
- hash: 3a87cab1e8c6868a7939eb422f1851ecc746405cda6b3d3502b9d8eedc360898
- hash: 5f7bb80bf85c1fae7413eb534cc2f022402c8753f75666525adb1dc85a677f4c
- hash: cf94ff2ecc4f3157704c9cfed5e446c405e7729141019045cb05ef6ffad122d5
- ip: 185.193.127.44
- url: https://amazonalert.xyz/download/code.txt
- url: https://amazonattention.com/verify
- domain: amazonalert.xyz
- domain: amazonattention.com
- domain: security.amazonassist.xyz
Technical Details
- Author: AlienVault
- TLP: white
- References: https://cofense.com/blog/from-fake-amazon-security-alert-to-harborwatch-agent-clickfix-delivery-of-a-custom-monitoring-rat
- Adversary: not specified
- Pulse Id: 6a28363f58453c0b99062360
- Threat Score: not specified
Threat ID: 6a2942ce8dd33fbd852cc1cc
Added to database: 6/10/2026, 10:56:14 AM
Last enriched: 6/10/2026, 11:11:05 AM
Last updated: 6/10/2026, 2:05:29 PM