{
  "type": "Domain",
  "indicator": "hamarit.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/hamarit.com",
    "alexa": "http://www.alexa.com/siteinfo/hamarit.com",
    "indicator": "hamarit.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4145919266,
      "indicator": "hamarit.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "695054a50f46b6d86ba8518d",
          "name": "The Lie of \"Local Processing\": How PDFClick \"Shadows\" User Files to a Remote Server",
          "description": "Recent analysis has uncovered malicious software known as PDFClick, which uses a modified version of PyInstaller to package rogue applications. This software primarily targets systems with Google Chrome installed, exhibiting behavior tailored to gain persistence and download additional components. Specifically, when PDFClick is executed, it checks for the presence of Chrome; if Chrome is detected, it automates the download of an updater component and creates scheduled tasks to ensure it remains present on the system. If Chrome is absent, the malware skips the download step entirely.",
          "modified": "2025-12-27T21:50:29.311000",
          "created": "2025-12-27T21:50:29.311000",
          "tags": [
            "pdfclick",
            "exception",
            "strong",
            "localappdata",
            "kb md5",
            "pyinstaller",
            "raise",
            "zlib",
            "error",
            "false",
            "trigger",
            "stealc",
            "optimizer",
            "scroll"
          ],
          "references": [
            "https://rayblog.rising.com.cn/2025/10/%E6%9C%AC%E5%9C%B0%E5%A4%84%E7%90%86%E7%9A%84%E8%B0%8E%E8%A8%80%EF%BC%9Apdfclick%E5%A6%82%E4%BD%95%E5%B0%86%E7%94%A8%E6%88%B7%E6%96%87%E4%BB%B6%E6%9A%97%E6%B8%A1%E9%99%88/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 9,
            "domain": 3,
            "hostname": 3
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "157 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690b3e15fa1f58b81bdfb81d",
          "name": "EbeeNov2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-12-05T12:04:04.227000",
          "created": "2025-11-05T12:07:49.857000",
          "tags": [],
          "references": [
            "Nov.Week1.pdf"
          ],
          "public": 1,
          "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed  \u2022PDFClick \u2022DesertDexter",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 49,
            "FileHash-MD5": 152,
            "FileHash-SHA1": 99,
            "FileHash-SHA256": 186,
            "domain": 28,
            "email": 9,
            "hostname": 21
          },
          "indicator_count": 544,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "179 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690af463e1d04564532324cf",
          "name": "IOC - \u201c\u672c\u5730\u5904\u7406\u201d\u7684\u8c0e\u8a00\uff1aPDFClick\u5982\u4f55\u5c06\u7528\u6237\u6587\u4ef6\u201c\u6697\u6e21\u9648\u4ed3\u201d\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668",
          "description": "\u8fd1\u65e5\u745e\u661f\u5a01\u80c1\u60c5\u62a5\u5e73\u53f0\u6355\u83b7\u5230\u4e00\u6b3e\u540d\u4e3aPDFClick\u7684\u6d41\u6c13\u8f6f\u4ef6\uff0c\u8be5\u8f6f\u4ef6\u4e3a\u9b54\u6539\u7684PyInstaller\u6253\u5305\u7684EXE\u6587\u4ef6\uff0c\u5176\u8fd0\u884c\u884c\u4e3a\u5177\u6709\u660e\u663e\u7684\u6761\u4ef6\u5224\u65ad\u903b\u8f91\uff1a\u82e5\u68c0\u6d4b\u5230\u7cfb\u7edf\u5df2\u5b89\u88c5Chrome\u6d4f\u89c8\u5668\uff0c\u5219\u81ea\u52a8\u4e0b\u8f7d\u66f4\u65b0\u7a0b\u5e8f\u5e76\u6dfb\u52a0\u8ba1\u5212\u4efb\u52a1\u4ee5\u5b9e\u73b0\u6301\u4e45\u5316\u9a7b\u7559\uff1b\u82e5\u672a\u68c0\u6d4b\u5230Chrome\u6d4f\u89c8\u5668\uff0c\u5219\u8df3\u8fc7\u4e0b\u8f7d\u6b65\u9aa4\u3002\u66f4\u65b0\u7a0b\u5e8f\u4f1a\u8fdb\u4e00\u6b65\u5224\u65ad\u5f53\u524d\u8fdb\u7a0b\u662f\u5426\u572864\u4f4d\u6a21\u5f0f\u4e0b\u8fd0\u884c\uff0c\u5e76\u901a\u8fc7\u591a\u79cd\u65b9\u5f0f\u52a0\u8f7d\u4ece\u670d\u52a1\u7aef\u56de\u4f20\u7684\u52a0\u5bc6\u6570\u636e\u3002\n\n\u2003\u2003\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u8be5\u8f6f\u4ef6\u5b98\u7f51\u5ba3\u79f0\u5176\u529f\u80fd\u4e3a\u201c\u672c\u5730\u5904\u7406\u6240\u6709\u6587\u4ef6\u201d\uff0c\u4f46\u901a\u8fc7\u6280\u672f\u5206\u6790\u53d1\u73b0\uff0c\u5176\u5b9e\u9645\u6587\u4ef6\u5904\u7406\u903b\u8f91\u4e3a\u5c06\u7528\u6237\u6587\u4ef6\u4e0a\u4f20\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668\u8fdb\u884c\u5904\u7406\uff0c\u8fd9\u4e00\u884c\u4e3a\u4e0e\u5b98\u7f51\u63cf\u8ff0\u5b58\u5728\u663e\u8457\u77db\u76fe\uff0c\u8868\u660e\u5176\u53ef\u80fd\u5b58\u5728\u6570\u636e\u6cc4\u9732\u6216\u6076\u610f\u64cd\u4f5c\u98ce\u9669\u3002",
          "modified": "2025-11-05T06:53:20.366000",
          "created": "2025-11-05T06:53:20.366000",
          "tags": [],
          "references": [
            "https://rayblog.rising.com.cn/2025/10/%e6%9c%ac%e5%9c%b0%e5%a4%84%e7%90%86%e7%9a%84%e8%b0%8e%e8%a8%80%ef%bc%9apdfclick%e5%a6%82%e4%bd%95%e5%b0%86%e7%94%a8%e6%88%b7%e6%96%87%e4%bb%b6%e6%9a%97%e6%b8%a1%e9%99%88/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 1
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "209 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://rayblog.rising.com.cn/2025/10/%e6%9c%ac%e5%9c%b0%e5%a4%84%e7%90%86%e7%9a%84%e8%b0%8e%e8%a8%80%ef%bc%9apdfclick%e5%a6%82%e4%bd%95%e5%b0%86%e7%94%a8%e6%88%b7%e6%96%87%e4%bb%b6%e6%9a%97%e6%b8%a1%e9%99%88/",
        "Nov.Week1.pdf",
        "https://rayblog.rising.com.cn/2025/10/%E6%9C%AC%E5%9C%B0%E5%A4%84%E7%90%86%E7%9A%84%E8%B0%8E%E8%A8%80%EF%BC%9Apdfclick%E5%A6%82%E4%BD%95%E5%B0%86%E7%94%A8%E6%88%B7%E6%96%87%E4%BB%B6%E6%9A%97%E6%B8%A1%E9%99%88/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed  \u2022PDFClick \u2022DesertDexter"
          ],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "695054a50f46b6d86ba8518d",
      "name": "The Lie of \"Local Processing\": How PDFClick \"Shadows\" User Files to a Remote Server",
      "description": "Recent analysis has uncovered malicious software known as PDFClick, which uses a modified version of PyInstaller to package rogue applications. This software primarily targets systems with Google Chrome installed, exhibiting behavior tailored to gain persistence and download additional components. Specifically, when PDFClick is executed, it checks for the presence of Chrome; if Chrome is detected, it automates the download of an updater component and creates scheduled tasks to ensure it remains present on the system. If Chrome is absent, the malware skips the download step entirely.",
      "modified": "2025-12-27T21:50:29.311000",
      "created": "2025-12-27T21:50:29.311000",
      "tags": [
        "pdfclick",
        "exception",
        "strong",
        "localappdata",
        "kb md5",
        "pyinstaller",
        "raise",
        "zlib",
        "error",
        "false",
        "trigger",
        "stealc",
        "optimizer",
        "scroll"
      ],
      "references": [
        "https://rayblog.rising.com.cn/2025/10/%E6%9C%AC%E5%9C%B0%E5%A4%84%E7%90%86%E7%9A%84%E8%B0%8E%E8%A8%80%EF%BC%9Apdfclick%E5%A6%82%E4%BD%95%E5%B0%86%E7%94%A8%E6%88%B7%E6%96%87%E4%BB%B6%E6%9A%97%E6%B8%A1%E9%99%88/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 9,
        "domain": 3,
        "hostname": 3
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "157 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690b3e15fa1f58b81bdfb81d",
      "name": "EbeeNov2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-12-05T12:04:04.227000",
      "created": "2025-11-05T12:07:49.857000",
      "tags": [],
      "references": [
        "Nov.Week1.pdf"
      ],
      "public": 1,
      "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed  \u2022PDFClick \u2022DesertDexter",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 49,
        "FileHash-MD5": 152,
        "FileHash-SHA1": 99,
        "FileHash-SHA256": 186,
        "domain": 28,
        "email": 9,
        "hostname": 21
      },
      "indicator_count": 544,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 42,
      "modified_text": "179 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690af463e1d04564532324cf",
      "name": "IOC - \u201c\u672c\u5730\u5904\u7406\u201d\u7684\u8c0e\u8a00\uff1aPDFClick\u5982\u4f55\u5c06\u7528\u6237\u6587\u4ef6\u201c\u6697\u6e21\u9648\u4ed3\u201d\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668",
      "description": "\u8fd1\u65e5\u745e\u661f\u5a01\u80c1\u60c5\u62a5\u5e73\u53f0\u6355\u83b7\u5230\u4e00\u6b3e\u540d\u4e3aPDFClick\u7684\u6d41\u6c13\u8f6f\u4ef6\uff0c\u8be5\u8f6f\u4ef6\u4e3a\u9b54\u6539\u7684PyInstaller\u6253\u5305\u7684EXE\u6587\u4ef6\uff0c\u5176\u8fd0\u884c\u884c\u4e3a\u5177\u6709\u660e\u663e\u7684\u6761\u4ef6\u5224\u65ad\u903b\u8f91\uff1a\u82e5\u68c0\u6d4b\u5230\u7cfb\u7edf\u5df2\u5b89\u88c5Chrome\u6d4f\u89c8\u5668\uff0c\u5219\u81ea\u52a8\u4e0b\u8f7d\u66f4\u65b0\u7a0b\u5e8f\u5e76\u6dfb\u52a0\u8ba1\u5212\u4efb\u52a1\u4ee5\u5b9e\u73b0\u6301\u4e45\u5316\u9a7b\u7559\uff1b\u82e5\u672a\u68c0\u6d4b\u5230Chrome\u6d4f\u89c8\u5668\uff0c\u5219\u8df3\u8fc7\u4e0b\u8f7d\u6b65\u9aa4\u3002\u66f4\u65b0\u7a0b\u5e8f\u4f1a\u8fdb\u4e00\u6b65\u5224\u65ad\u5f53\u524d\u8fdb\u7a0b\u662f\u5426\u572864\u4f4d\u6a21\u5f0f\u4e0b\u8fd0\u884c\uff0c\u5e76\u901a\u8fc7\u591a\u79cd\u65b9\u5f0f\u52a0\u8f7d\u4ece\u670d\u52a1\u7aef\u56de\u4f20\u7684\u52a0\u5bc6\u6570\u636e\u3002\n\n\u2003\u2003\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u8be5\u8f6f\u4ef6\u5b98\u7f51\u5ba3\u79f0\u5176\u529f\u80fd\u4e3a\u201c\u672c\u5730\u5904\u7406\u6240\u6709\u6587\u4ef6\u201d\uff0c\u4f46\u901a\u8fc7\u6280\u672f\u5206\u6790\u53d1\u73b0\uff0c\u5176\u5b9e\u9645\u6587\u4ef6\u5904\u7406\u903b\u8f91\u4e3a\u5c06\u7528\u6237\u6587\u4ef6\u4e0a\u4f20\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668\u8fdb\u884c\u5904\u7406\uff0c\u8fd9\u4e00\u884c\u4e3a\u4e0e\u5b98\u7f51\u63cf\u8ff0\u5b58\u5728\u663e\u8457\u77db\u76fe\uff0c\u8868\u660e\u5176\u53ef\u80fd\u5b58\u5728\u6570\u636e\u6cc4\u9732\u6216\u6076\u610f\u64cd\u4f5c\u98ce\u9669\u3002",
      "modified": "2025-11-05T06:53:20.366000",
      "created": "2025-11-05T06:53:20.366000",
      "tags": [],
      "references": [
        "https://rayblog.rising.com.cn/2025/10/%e6%9c%ac%e5%9c%b0%e5%a4%84%e7%90%86%e7%9a%84%e8%b0%8e%e8%a8%80%ef%bc%9apdfclick%e5%a6%82%e4%bd%95%e5%b0%86%e7%94%a8%e6%88%b7%e6%96%87%e4%bb%b6%e6%9a%97%e6%b8%a1%e9%99%88/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 1
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "209 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "hamarit.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "hamarit.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780448042.1964853
}