{ "type": "URL", "indicator": "https://www.google.com/gmail/about/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.google.com/gmail/about/", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4337200991, "indicator": "https://www.google.com/gmail/about/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69f3f6fc9ae9b2297964a5a4", "name": "VirusTotal report for Test.docx + Other Civic Findings/CVE Linkings", "description": "1. CivicPlus.com Threat IndicatorsVT Status: Red Flagged [120+ references, 200+android APKS and tracking configs[js]].Suspicious MD5: 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223.Suspicious SHA1: 0ef5ceebb6efa99e12e888a993e56d557dff07fd.Behavioral Pattern: Multiple versions flagged with No Expiration (indicates persistent or hard-coded malicious components in related files).2. HitmanPro Findings (Feb 2025)File Action: Detected as Malware/Suspicious in C:\\Windows\\Installer and user data areas.Note: Typical of behavioral scanning identifying code injection or untrusted signatures, often flagged alongside browser data.3. SSO Autodesk Anomalies (Q1 2025)SAML Assertion Failure: Incorrect objectGUID mapping on IdP side, sending user.objectid as literal string instead of unique identifier. Potential credential abuse or IdP misconfiguration - Attached [Reportscivicplus_vt_red_flag_feb2025.loghmp_scan_022025] + test.docx which shows signs that resemble a test recall email.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-01T00:42:36.613000", "tags": [ "medium", "windows", "high", "alerts", "yara detections", "worm", "https domain", "tls sni", "io control", "installs", "virustotal", "copy", "explorer", "malware", "config by town", "civicplus", "beyond surveillance", "significant overreach" ], "references": [ "multiple_versions\tSHA1 of 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223\tNo Expiration", "", "CVE-2025-10898/10899/10900: Out-of-Bounds Write vulnerabilities found in parsed MODEL files.", "More elaborate 'text' exploits now exist that allow texts are now being distributed via ai drops in chats in the form of what would appear to be a hyperlink. This is a new genre of elevation in exploit.", "The 'test' email aligns perfectly with CVE-2022-30190, as indicated in my findings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1010, "FileHash-SHA1": 437, "FileHash-SHA256": 2319, "URL": 637, "email": 14, "hostname": 468, "domain": 101, "CVE": 9 }, "indicator_count": 4995, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c353e548fe41549a2094", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-06T06:10:54.769000", "created": "2026-05-05T10:15:47.653000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 897, "IPv4": 156, "FileHash-MD5": 100, "FileHash-SHA1": 199, "URL": 124, "hostname": 136, "domain": 31, "email": 1 }, "indicator_count": 1644, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c351adf63435d7a118ea", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-06T06:10:54.367000", "created": "2026-05-05T10:15:45.503000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 897, "IPv4": 156, "FileHash-MD5": 100, "FileHash-SHA1": 199, "URL": 125, "hostname": 135, "domain": 32, "email": 1 }, "indicator_count": 1645, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c3482f0a487199f01dfe", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-05T12:01:34.624000", "created": "2026-05-05T10:15:36.709000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1206, "IPv4": 185, "FileHash-MD5": 109, "FileHash-SHA1": 231, "URL": 300, "hostname": 276, "domain": 219, "email": 29, "CIDR": 6 }, "indicator_count": 2561, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c34e91ef1282eaf26b24", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-05T11:55:52.834000", "created": "2026-05-05T10:15:42.571000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 897, "IPv4": 156, "FileHash-MD5": 100, "FileHash-SHA1": 200, "URL": 124, "hostname": 135, "domain": 31, "email": 1 }, "indicator_count": 1644, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "multiple_versions\tSHA1 of 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223\tNo Expiration", "CVE-2025-10898/10899/10900: Out-of-Bounds Write vulnerabilities found in parsed MODEL files.", "More elaborate 'text' exploits now exist that allow texts are now being distributed via ai drops in chats in the form of what would appear to be a hyperlink. This is a new genre of elevation in exploit.", "The 'test' email aligns perfectly with CVE-2022-30190, as indicated in my findings" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 4682 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "www.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69f3f6fc9ae9b2297964a5a4", "name": "VirusTotal report for Test.docx + Other Civic Findings/CVE Linkings", "description": "1. CivicPlus.com Threat IndicatorsVT Status: Red Flagged [120+ references, 200+android APKS and tracking configs[js]].Suspicious MD5: 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223.Suspicious SHA1: 0ef5ceebb6efa99e12e888a993e56d557dff07fd.Behavioral Pattern: Multiple versions flagged with No Expiration (indicates persistent or hard-coded malicious components in related files).2. HitmanPro Findings (Feb 2025)File Action: Detected as Malware/Suspicious in C:\\Windows\\Installer and user data areas.Note: Typical of behavioral scanning identifying code injection or untrusted signatures, often flagged alongside browser data.3. SSO Autodesk Anomalies (Q1 2025)SAML Assertion Failure: Incorrect objectGUID mapping on IdP side, sending user.objectid as literal string instead of unique identifier. Potential credential abuse or IdP misconfiguration - Attached [Reportscivicplus_vt_red_flag_feb2025.loghmp_scan_022025] + test.docx which shows signs that resemble a test recall email.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-01T00:42:36.613000", "tags": [ "medium", "windows", "high", "alerts", "yara detections", "worm", "https domain", "tls sni", "io control", "installs", "virustotal", "copy", "explorer", "malware", "config by town", "civicplus", "beyond surveillance", "significant overreach" ], "references": [ "multiple_versions\tSHA1 of 3f307fecb41ea75bb946e8fde73a3c36b548243411783c036a1e7ae6605e8223\tNo Expiration", "", "CVE-2025-10898/10899/10900: Out-of-Bounds Write vulnerabilities found in parsed MODEL files.", "More elaborate 'text' exploits now exist that allow texts are now being distributed via ai drops in chats in the form of what would appear to be a hyperlink. This is a new genre of elevation in exploit.", "The 'test' email aligns perfectly with CVE-2022-30190, as indicated in my findings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1010, "FileHash-SHA1": 437, "FileHash-SHA256": 2319, "URL": 637, "email": 14, "hostname": 468, "domain": 101, "CVE": 9 }, "indicator_count": 4995, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c353e548fe41549a2094", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-06T06:10:54.769000", "created": "2026-05-05T10:15:47.653000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 897, "IPv4": 156, "FileHash-MD5": 100, "FileHash-SHA1": 199, "URL": 124, "hostname": 136, "domain": 31, "email": 1 }, "indicator_count": 1644, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c351adf63435d7a118ea", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-06T06:10:54.367000", "created": "2026-05-05T10:15:45.503000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 897, "IPv4": 156, "FileHash-MD5": 100, "FileHash-SHA1": 199, "URL": 125, "hostname": 135, "domain": 32, "email": 1 }, "indicator_count": 1645, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c3482f0a487199f01dfe", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-05T12:01:34.624000", "created": "2026-05-05T10:15:36.709000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1206, "IPv4": 185, "FileHash-MD5": 109, "FileHash-SHA1": 231, "URL": 300, "hostname": 276, "domain": 219, "email": 29, "CIDR": 6 }, "indicator_count": 2561, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f9c34e91ef1282eaf26b24", "name": "CAPE Sandbox - reseachers urgent cert revoke in here", "description": "Im focusing on critical only for revoke rn-\ncerts:2020-06-05 07:38:41 UTC\nIdentifier\ngit-remote-http\nAuthority\nApple Root CA\nDate Signed\nJun 5, 2020 at 7:38:41 AM\nTeam Identifier\nQ6M7LEEA66\n2 acrobat-\nSpcSpOpusInfo, 3.\nApple Inc.\nValid From\n05:09 PM 04/12/2018\nValid To\n05:09 PM 04/13/2023\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n0087E9AC8B1AF18819849544AC8FDADF2797831B\nSerial Number\n47 58 DF B2 D2 E4 1F 8D machos\n4Name\nDigiarty Software, Inc.\nStatus\nValid\nIssuer\nApple Inc.\nValid From\n10:15 AM 05/12/2020\nValid To\n10:15 AM 05/13/2025\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\n91EECE441DC0DA64380FF25A146691437592507A\nSerial Number\n29 91 F2 F5 56 1F CD CF \n5Name\nApple Inc.\nStatus\nNotTrusted\nIssuer\nApple Inc.\nValid From\n10:34 PM 04/12/2013\nValid To\n10:34 PM 04/12/2021\nAlgorithm\nsha1WithRSAEncryption\nThumbprint\n013E2787748A74103D62D2CDBF77A1345517C482\nSerial Number\n2A DA 71 BA A7 BD 17 9F (still working)\n6 i will add rest in comments this ones critical", "modified": "2026-05-05T11:55:52.834000", "created": "2026-05-05T10:15:42.571000", "tags": [ "redacted for", "server", "privacy tech", "privacy admin", "date", "domain status", "country", "organization", "postal code", "stateprovince", "code", "registrar abuse", "trust", "issuer sectigo", "rsa code", "signing ca", "valid from", "valid", "valid usage", "code signing", "algorithm", "serial number", "memory pattern", "ip traffic", "domains", "urls http", "tls sni", "thumbprint", "valid issuer", "apple inc", "df b2", "d2 e4", "adobe inc", "issuer digicert", "ev code", "sha2", "name digiarty", "software", "status valid", "issuer apple", "f2 f5", "ba a7", "colorsync", "avfoundation", "cfnetwork file", "webkit" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 897, "IPv4": 156, "FileHash-MD5": 100, "FileHash-SHA1": 200, "URL": 124, "hostname": 135, "domain": 31, "email": 1 }, "indicator_count": 1644, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.google.com/gmail/about/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.google.com/gmail/about/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780248124.1448417 }