Back to Intelligence

HarborWatch Agent RAT: ClickFix via Fake Amazon Alerts — OTX Pulse Analysis

SA
Security Arsenal Team
July 9, 2026
5 min read

Threat Summary

Recent OTX pulses indicate a sophisticated phishing campaign leveraging "ClickFix" social engineering to distribute the HarborWatch Agent, a custom Remote Access Trojan (RAT). Threat actors are exploiting the trust associated with Amazon brand reputation by sending spoofed security alerts regarding "suspicious account activity." These emails direct targets to lookalike domains where users are prompted to solve fake CAPTCHA challenges. Interacting with these pages triggers the ClickFix mechanism, ultimately leading to the download and execution of the HarborWatch Agent payload. The objective of this campaign appears to be establishing persistent surveillance capabilities and unauthorized remote access to infected endpoints.

Threat Actor / Malware Profile

HarborWatch Agent

  • Type: Custom Remote Access Trojan (RAT) / Monitoring Agent.
  • Distribution Method: Spear-phishing emails (Brand Impersonation: Amazon) hosting ClickFix landing pages.
  • Attack Vector: Fake CAPTCHA verification pages (ClickFix) that trick users into executing malicious PowerShell or Bash commands, often disguised as copy-paste fixes or system verification steps.
  • Payload Behavior: Designed for monitoring and remote control. Based on the classification as a "Monitoring RAT," it likely includes keylogging, screen capture, and file exfiltration modules.
  • Persistence Mechanism: While specific persistence IOCs are not fully detailed in this pulse, custom RATs of this nature typically establish persistence via Registry Run keys (Run/RunOnce) or Scheduled Tasks disguised as system updates.
  • C2 Communication: Custom RATs often utilize HTTP/HTTPS for Command & Control (C2) to blend in with normal web traffic, utilizing custom encoding for beaconing.

IOC Analysis

The provided indicators consist of payload file hashes and a delivery URL.

  • File Hashes (MD5, SHA1, SHA256): These artifacts are the droppers or payloads for HarborWatch Agent. SOC teams should block execution of files matching these hashes via EDR policies.
  • URL (https://amazonalert.xyz/download/code.txt): This domain serves as the payload delivery infrastructure. The use of a .txt extension suggests the payload may be a script or shellcode hosted in plain text, a common technique in ClickFix attacks to bypass basic filters.
  • Operationalization: immediately ingest these hashes into EDR and SIEM correlation engines. Block the domain amazonalert.xyz at the perimeter firewall and DNS resolvers. Use threat intelligence platforms (TIPs) like AlienVault OTX to automate the propagation of these blocks to NGFWs.

Detection Engineering

Sigma Rules

YAML
---
title: HarborWatch Agent Execution via Known Hashes
id: 4f8a9c12-7b3d-4a1e-9c2f-1a2b3c4d5e6f
description: Detects execution of processes with file hashes associated with the HarborWatch Agent campaign.
status: experimental
date: 2026/07/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/678a9c12-7b3d-4a1e
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Hashes|contains:
            - '09c121225fe254676a27c21943506714'
            - '33760b2aa86deea5805e647197c34ef5'
            - '9abebe5a34eefb80db12bf8d51bfe7f7'
            - 'b31f62e1d3b28808daad3ec5efa5df54ae56898d'
            - '3a87cab1e8c6868a7939eb422f1851ecc746405cda6b3d3502b9d8eedc360898'
            - '5f7bb80bf85c1fae7413eb534cc2f022402c8753f75666525adb1dc85a677f4c'
            - 'cf94ff2ecc4f3157704c9cfed5e446c405e7729141019045cb05ef6ffad122d5'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Connection to HarborWatch C2 or Delivery Domain
id: 5a9b0d23-8c4e-5b2f-0d3e-2b3c4d5e6f7g
description: Detects network connections to the known HarborWatch delivery domain amazonalert.xyz.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
    product: zeek
    category: http
detection:
    selection:
        host|contains: 'amazonalert.xyz'
    condition: selection
falsepositives:
    - Legitimate access (unlikely given domain nature)
level: high
---
title: Potential ClickFix Activity via PowerShell and Text Files
id: 6b0c1e34-9d5f-6c3g-1e4f-3c4d5e6f7g8h
description: Detects suspicious PowerShell commands often used in ClickFix campaigns downloading .txt files.
status: experimental
date: 2026/07/09
author: Security Arsenal
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\powershell.exe'
    selection_cli:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr'
            - 'curl'
            - 'DownloadString'
    selection_ext:
        CommandLine|contains: '.txt'
    condition: all of selection_*
falsepositives:
    - Administrative scripts
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to the malicious domain
DeviceNetworkEvents
| where RemoteUrl contains "amazonalert.xyz"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend Alert = "HarborWatch C2/Delivery Connection"

// Hunt for execution of known malicious hashes
DeviceProcessEvents
| where SHA256 in ("3a87cab1e8c6868a7939eb422f1851ecc746405cda6b3d3502b9d8eedc360898", "5f7bb80bf85c1fae7413eb534cc2f022402c8753f75666525adb1dc85a677f4c", "cf94ff2ecc4f3157704c9cfed5e446c405e7729141019045cb05ef6ffad122d5") or MD5 in ("09c121225fe254676a27c21943506714", "33760b2aa86deea5805e647197c34ef5", "9abebe5a34eefb80db12bf8d51bfe7f7")
| project Timestamp, DeviceName, AccountName, FolderPath, SHA256, MD5
| extend Alert = "HarborWatch Agent Execution"

PowerShell Hunt Script

PowerShell
# HarborWatch Agent IOC Hunt Script
# Checks for presence of specific file hashes on the system

$MaliciousHashes = @(
    "09c121225fe254676a27c21943506714",
    "33760b2aa86deea5805e647197c34ef5",
    "9abebe5a34eefb80db12bf8d51bfe7f7",
    "b31f62e1d3b28808daad3ec5efa5df54ae56898d",
    "3a87cab1e8c6868a7939eb422f1851ecc746405cda6b3d3502b9d8eedc360898",
    "5f7bb80bf85c1fae7413eb534cc2f022402c8753f75666525adb1dc85a677f4c",
    "cf94ff2ecc4f3157704c9cfed5e446c405e7729141019045cb05ef6ffad122d5"
)

Write-Host "Scanning for HarborWatch Agent IOCs..." -ForegroundColor Cyan

# Common download locations and temp folders
$PathsToScan = @(
    "$env:USERPROFILE\Downloads",
    "$env:TEMP",
    "$env:APPDATA",
    "C:\Windows\Temp"
)

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash.ToLower()
            if ($MaliciousHashes -contains $FileHash) {
                Write-Host "[THREAT DETECTED] Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "Scan complete." -ForegroundColor Green

Response Priorities

Immediate

  • Block IOCs: Immediately block the domain amazonalert.xyz and all associated file hashes on perimeter defenses, proxies, and EDR solutions.
  • Hunt for Artifacts: Execute the provided PowerShell script or KQL queries across the enterprise to identify if any endpoints have already contacted the C2 or executed the payload.

24h

  • Email Audit: Search mail logs for emails spoofing Amazon security alerts or containing links to amazonalert.xyz. Quarantine any active threats.
  • Identity Verification: Although HarborWatch is primarily a RAT, campaigns like this often pivot to credential theft. Audit accounts of users who clicked suspicious links.

1 Week

  • Architecture Hardening: Implement DMARC, SPF, and DKIM strictly to prevent brand spoofing. Conduct security awareness training specifically focusing on "ClickFix" and fake CAPTCHA techniques.
  • Web Filtering: Update web filtering categories to block newly registered domains (NRDs) and lookalike domains for high-value targets like Amazon and Microsoft.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptharborwatch-agentclickfixremote-access-trojanphishingapt

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.