{ "type": "Domain", "indicator": "grayhatwarefare.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/grayhatwarefare.com", "alexa": "http://www.alexa.com/siteinfo/grayhatwarefare.com", "indicator": "grayhatwarefare.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4337036869, "indicator": "grayhatwarefare.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "69f3f6fc9ae9b2297964a5a4", "name": "VirusTotal report for Test.docx + Other Civic Findings/CVE Linkings", "description": "1. CivicPlus.com Threat IndicatorsVT Status: Red Flagged [120+ references, 200+android APKS and tracking configs[js]].Suspicious MD5: 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223.Suspicious SHA1: 0ef5ceebb6efa99e12e888a993e56d557dff07fd.Behavioral Pattern: Multiple versions flagged with No Expiration (indicates persistent or hard-coded malicious components in related files).2. HitmanPro Findings (Feb 2025)File Action: Detected as Malware/Suspicious in C:\\Windows\\Installer and user data areas.Note: Typical of behavioral scanning identifying code injection or untrusted signatures, often flagged alongside browser data.3. SSO Autodesk Anomalies (Q1 2025)SAML Assertion Failure: Incorrect objectGUID mapping on IdP side, sending user.objectid as literal string instead of unique identifier. Potential credential abuse or IdP misconfiguration - Attached [Reportscivicplus_vt_red_flag_feb2025.loghmp_scan_022025] + test.docx which shows signs that resemble a test recall email.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-01T00:42:36.613000", "tags": [ "medium", "windows", "high", "alerts", "yara detections", "worm", "https domain", "tls sni", "io control", "installs", "virustotal", "copy", "explorer", "malware", "config by town", "civicplus", "beyond surveillance", "significant overreach" ], "references": [ "multiple_versions\tSHA1 of 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223\tNo Expiration", "", "CVE-2025-10898/10899/10900: Out-of-Bounds Write vulnerabilities found in parsed MODEL files.", "More elaborate 'text' exploits now exist that allow texts are now being distributed via ai drops in chats in the form of what would appear to be a hyperlink. This is a new genre of elevation in exploit.", "The 'test' email aligns perfectly with CVE-2022-30190, as indicated in my findings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1010, "FileHash-SHA1": 437, "FileHash-SHA256": 2319, "URL": 637, "email": 14, "hostname": 468, "domain": 101, "CVE": 9 }, "indicator_count": 4995, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "CVE-2025-10898/10899/10900: Out-of-Bounds Write vulnerabilities found in parsed MODEL files.", "multiple_versions\tSHA1 of 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223\tNo Expiration", "More elaborate 'text' exploits now exist that allow texts are now being distributed via ai drops in chats in the form of what would appear to be a hyperlink. This is a new genre of elevation in exploit.", "The 'test' email aligns perfectly with CVE-2022-30190, as indicated in my findings" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69f3f6fc9ae9b2297964a5a4", "name": "VirusTotal report for Test.docx + Other Civic Findings/CVE Linkings", "description": "1. CivicPlus.com Threat IndicatorsVT Status: Red Flagged [120+ references, 200+android APKS and tracking configs[js]].Suspicious MD5: 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223.Suspicious SHA1: 0ef5ceebb6efa99e12e888a993e56d557dff07fd.Behavioral Pattern: Multiple versions flagged with No Expiration (indicates persistent or hard-coded malicious components in related files).2. HitmanPro Findings (Feb 2025)File Action: Detected as Malware/Suspicious in C:\\Windows\\Installer and user data areas.Note: Typical of behavioral scanning identifying code injection or untrusted signatures, often flagged alongside browser data.3. SSO Autodesk Anomalies (Q1 2025)SAML Assertion Failure: Incorrect objectGUID mapping on IdP side, sending user.objectid as literal string instead of unique identifier. Potential credential abuse or IdP misconfiguration - Attached [Reportscivicplus_vt_red_flag_feb2025.loghmp_scan_022025] + test.docx which shows signs that resemble a test recall email.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-01T00:42:36.613000", "tags": [ "medium", "windows", "high", "alerts", "yara detections", "worm", "https domain", "tls sni", "io control", "installs", "virustotal", "copy", "explorer", "malware", "config by town", "civicplus", "beyond surveillance", "significant overreach" ], "references": [ "multiple_versions\tSHA1 of 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223\tNo Expiration", "", "CVE-2025-10898/10899/10900: Out-of-Bounds Write vulnerabilities found in parsed MODEL files.", "More elaborate 'text' exploits now exist that allow texts are now being distributed via ai drops in chats in the form of what would appear to be a hyperlink. This is a new genre of elevation in exploit.", "The 'test' email aligns perfectly with CVE-2022-30190, as indicated in my findings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1010, "FileHash-SHA1": 437, "FileHash-SHA256": 2319, "URL": 637, "email": 14, "hostname": 468, "domain": 101, "CVE": 9 }, "indicator_count": 4995, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "grayhatwarefare.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "grayhatwarefare.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780237361.9963098 }