ClickFix Malware Hijacks Fake Amazon Alert to Drop HarborWatch Agent

A new ClickFix malware campaign is turning Amazon’s trusted name against its own customers. Researchers at the Cofense Phishing Defense Center uncovered the scheme, which convinces victims to infect their own machines; as Cofense puts it, the operators turn users into the mechanism of their own infection. The final payload is a custom remote access trojan called HarborWatch Agent.

A Familiar Brand, a Fake Alert

The attack begins with a single phishing email carrying the subject “Security alert: Login activity anomaly notification”. The message impersonates Amazon’s security team, claims the account was locked because of suspicious activity, and lists fake login details to manufacture urgency.


A bold “Verify Account Information” button then pushes the recipient to act.

The ClickFix Trap

Clicking that button sends victims to a lookalike domain, where a page imitates a familiar CAPTCHA check. This check behaves strangely: instead of selecting images, the user must run commands.

Turning Users Into the Attack

The page walks victims through a few short steps: open the Windows Run dialog, paste the clipboard content, and press Enter. Unknown to the user, the page has already placed a hidden PowerShell command on the clipboard, so the victim triggers the infection personally. This self-infection twist defines every ClickFix malware campaign.

Inside the Infection Chain

The hidden command runs silently in the background, decodes a scrambled string, and pulls down a second script. That script fetches a file disguised as “mysql.exe”, drops it into a temporary folder, and runs it with a special password argument. Without that argument the payload refuses to start, which makes it harder for analysts to inspect.

Meet HarborWatch Agent

The final stage delivers the HarborWatch Agent RAT. Once active, it beacons to a command-and-control server and quietly harvests system details such as the hostname, CPU count, disk usage, and uptime. It also requests fresh tasks through hidden API endpoints.

The Harbor Sentinel Panel

Cofense traced the C2 server to a Chinese-language admin panel. Branded as “Harbor Sentinel,” it lets operators watch infected hosts. In short, HarborWatch Agent does the spying, while Harbor Sentinel runs the dashboard.

Why This Matters

This ClickFix malware campaign shows how social engineering keeps shifting. Rather than risky attachments, attackers now coax victims into self-infection, so traditional email filters that look for malicious attachments may miss the threat entirely.

Indicators to Watch

Defenders should block the campaign’s known infrastructure. The lure leans on lookalike domains such as amazonassist[.]xyz and amazonattention[.]com, and the payload beacons to the address 185.193.127.44. Security teams can also hunt for a rogue mysql.exe in the AppData Temp folder.
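The indicators above, together with the Run-dialog-to-PowerShell step described in the infection chain, translate directly into hunt rules. The script below is an added example written for this article, not Cofense’s tooling: it applies four rules to constructed endpoint telemetry (DNS queries, network connections, process creations). The domains and C2 address are the ones published above; the assumption that a ClickFix run shows up as powershell.exe spawned by explorer.exe with a hidden window or an encoded command is a general heuristic, not something the report states, and the telemetry schema and sample records are invented for the demonstration.

```python
"""Hunt for the ClickFix / HarborWatch indicators from the article over
constructed endpoint telemetry. Added example; not Cofense's code."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Indicators exactly as printed in the article (domains kept defanged).
LOOKALIKE_DOMAINS_DEFANGED = ("amazonassist[.]xyz", "amazonattention[.]com")
C2_IP = "185.193.127.44"
ROGUE_IMAGE = "mysql.exe"

# The per-user temp folder under AppData is %LOCALAPPDATA%\Temp.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Heuristic (assumption, not from the article): the Run-dialog step shows up
# as PowerShell launched by explorer.exe with a hidden window or an encoded
# command, which is how the "scrambled string" stage typically looks.
PS_SUSPECT_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Turn the printed 'example[.]com' form back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


LOOKALIKE_DOMAINS = {refang(d) for d in LOOKALIKE_DOMAINS_DEFANGED}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles Windows backslash paths even when run on Linux/macOS.
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply the hunt rules to one telemetry record (constructed schema)."""
    host = ev.get("host", "?")
    hits: list[Finding] = []
    kind = ev.get("type")

    if kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        # Match the domain itself and any subdomain of it.
        if any(q == d or q.endswith("." + d) for d in LOOKALIKE_DOMAINS):
            hits.append(Finding("lookalike-domain", host, q))

    elif kind == "net":
        if ev.get("dst_ip") == C2_IP:
            hits.append(Finding("c2-beacon", host, f"{C2_IP}:{ev.get('dst_port')}"))

    elif kind == "process":
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        cmdline = ev.get("command_line", "")
        # Rule from the article: mysql.exe living in the AppData Temp folder.
        if _basename(image) == ROGUE_IMAGE and TEMP_PATH_RE.search(image):
            hits.append(Finding("rogue-mysql-temp", host, image))
        # Heuristic rule (assumption): Run dialog -> PowerShell with hidden/encoded args.
        if (_basename(image) in ("powershell.exe", "pwsh.exe")
                and _basename(parent) == "explorer.exe"
                and PS_SUSPECT_RE.search(cmdline)):
            hits.append(Finding("clickfix-run-dialog-powershell", host, cmdline))
    return hits


def hunt(events: list[dict]) -> list[Finding]:
    """Run every record through check_event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed telemetry for the demo; not data from the Cofense report.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "WS01", "query": "amazonassist.xyz"},
    {"type": "dns", "host": "WS01", "query": "www.amazon.com"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -e QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "mysql.exe -u root"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\alice\AppData\Local\Temp\mysql.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "mysql.exe <password-argument-placeholder>"},
    {"type": "net", "host": "WS01", "dst_ip": "185.193.127.44", "dst_port": 443},
    {"type": "net", "host": "WS01", "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The legitimate MySQL client in Program Files and the ordinary amazon.com lookup are included on purpose: the temp-folder rule keys on location, not filename alone, and the domain rule matches only the lookalikes and their subdomains, so a real deployment would not drown in false positives from the brand being impersonated.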

How to Stay Safe

Stay skeptical of urgent account warnings. Never paste unknown commands into the Run dialog. Above all, check Amazon alerts directly on the official site, not through email links.
