# I Found Hidden C&C Infrastructure in a "Proxy Detection" Service

- Patrick Duggan
- Oct 23, 2025
- 6 min read

- **Date:** 2025-10-24
- **Category:** Security Operations
- **Tags:** #Layer3Intel #C2Infrastructure #OWASP #RedTeam #CertificateTransparency #Tripwire #ProxyDetection
- **Excerpt:** After receiving a sales pitch from a convicted DDoS operator, I analyzed his "proxy detection" service. Found 3 hidden backend subdomains, WebSocket bypassing Cloudflare, and infrastructure that looks exactly like what residential proxy operators use. Here's the full technical breakdown.
**TL;DR:** A proxy detection service using proxy evasion techniques.
## Context
Yesterday I published: ["I Caught the Guy Who Attacked Brian Krebs. He's Selling the Solution Now."](https://www.dugganusa.com/post/i-caught-the-guy-who-attacked-brian-krebs-he-s-selling-the-solution-now)
Someone scraped my site using residential proxies. I published the threat intelligence report. He emailed me the same day to sell his proxy detection service.
**Today:** I analyzed his infrastructure.
**What I found:** Classic C&C architecture hidden in plain sight.
## Discovery Method: Certificate Transparency Logs
Certificate Transparency is public. Anyone can query it.
**Results:** three hidden backend subdomains. Let's test them.
### queue.layer3intel.com - The Job Queue
**Finding:** Active endpoint requiring Bearer authentication.
**Question:** Why does a "proxy detection service" need a job queue with Bearer auth?
**Possible answers:**
1. **Legitimate:** Customer analytics, audit logging, service monitoring
2. **Suspicious:** C&C job tasking, data collection aggregation
3. **Very suspicious:** Command & control endpoint for distributed operations
I don't know which. I just know it's there, it's hidden from docs, and it requires authentication.
## The WebSocket Pattern
From analyzing `tripwire.min.js` (their CDN-distributed code):
Architecture Flow:
**Key finding:** The core detection functionality connects DIRECTLY to the OVH server, bypassing the Cloudflare CDN.
**Why this matters:** Cloudflare can't log WebSocket traffic it doesn't see.
## The Irony: Proxy Evasion Techniques
Let me show you what residential proxy operators do to avoid detection:
**Residential Proxy Operator Playbook:**
- ✓ Bypass CDN logging (use direct IP connections)
- ✓ Use WebSocket (harder to inspect than HTTPS)
- ✓ Hide backend infrastructure (minimize exposure)
- ✓ Use budget VPS (OVH, not AWS/Azure/GCP)
- ✓ Minify code without source maps (obfuscation)
- ✓ Keep source code private (no GitHub repo)
**What Layer3 Tripwire Does:**
- ✅ Bypasses Cloudflare CDN (WebSocket → OVH directly)
- ✅ Hides backend subdomains (queue, chronicle, spectacle)
- ✅ Uses budget VPS (OVH US LLC @ 135.148.137.76)
- ✅ Minified code, no source maps
- ✅ No GitHub repository (100% proprietary)
- ✅ Private source code (minified JavaScript only)
**A proxy detection service using the same operational security as proxy operators.**
## OWASP Analysis
### A01:2021 – Broken Access Control
**Finding:** `queue.layer3intel.com` exposed with HTTP 401
**Risk:**
- Backend endpoint enumerable via Certificate Transparency
- Bearer auth reveals architecture to attackers
- Can attempt token brute force (no visible rate limiting)
### A05:2021 – Security Misconfiguration
**Finding:** Hidden subdomains revealed via Certificate Transparency logs
**Impact:**
- `queue.layer3intel.com` - job queue endpoint
- `chronicle.layer3intel.com` - data logging endpoint?
- `spectacle.layer3intel.com` - admin dashboard?
**Recommendation:** Separate internal/external DNS, use wildcard certs strategically
### A09:2021 – Security Logging and Monitoring Failures
**Finding:** WebSocket bypasses Cloudflare CDN
**Impact:**
- Cloudflare Analytics shows JavaScript delivery from CDN
- Cloudflare Analytics CANNOT see WebSocket traffic to OVH
- No CDN access logs for actual proxy detection traffic
**The irony:** A proxy detection service avoiding detection by its own CDN provider.
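The WebSocket-bypasses-the-CDN finding (here and in "The WebSocket Pattern" above) has two standard site-side mitigations: instrument the page's `WebSocket` constructor so any socket a third-party script opens to a host outside your CDN-fronted allowlist is logged or refused, and express the same rule declaratively in a Content-Security-Policy `connect-src`. The following is an added example written for this post, not code from Layer3 Intel or from the author's repository; the hostnames, the stub `WebSocket` class and the `fakeWindow` object are constructed so it runs under Node as well as in a browser.

```javascript
// Added example (not Layer3 Intel's or the author's code): audit or block
// WebSocket connections to hosts outside a CDN-fronted allowlist, plus the
// equivalent CSP connect-src value. All hostnames below are constructed.
'use strict';

// Decide whether a WebSocket URL points at an allowlisted host (exact match or
// a subdomain of an allowlisted name). Non-ws(s) schemes are never allowed here.
function auditWebSocketUrl(url, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (err) {
    return { url: String(url), host: null, allowed: false, reason: 'unparseable URL' };
  }
  if (parsed.protocol !== 'ws:' && parsed.protocol !== 'wss:') {
    return { url: parsed.href, host: parsed.hostname, allowed: false, reason: 'not a WebSocket scheme' };
  }
  const host = parsed.hostname;
  const allowed = allowedHosts.some((h) => host === h || host.endsWith('.' + h));
  return { url: parsed.href, host, allowed, reason: allowed ? 'allowlisted' : 'host not on allowlist' };
}

// Replace win.WebSocket with a Proxy whose construct trap audits every URL.
// onViolation receives the audit record for non-allowlisted hosts; with
// block=true the connection is refused by throwing before the real constructor
// runs. Install this before any third-party script executes (an inline script
// at the top of <head>), otherwise the script can keep a reference to the
// original class and the wrapper never sees its connections.
function installWebSocketAudit(win, allowedHosts, onViolation, { block = false } = {}) {
  const Original = win.WebSocket;
  const log = [];
  win.WebSocket = new Proxy(Original, {
    construct(target, args, newTarget) {
      const record = auditWebSocketUrl(args[0], allowedHosts);
      log.push(record);
      if (!record.allowed) {
        onViolation(record);
        if (block) throw new Error(`WebSocket to ${record.host} blocked by policy`);
      }
      return Reflect.construct(target, args, newTarget);
    },
  });
  return { log, restore: () => { win.WebSocket = Original; } };
}

// The declarative equivalent: a CSP connect-src listing only the CDN-fronted
// hosts, so the browser itself refuses fetch/XHR/WebSocket anywhere else.
function buildConnectSrc(allowedHosts) {
  const sources = allowedHosts.flatMap((h) => [`https://${h}`, `wss://${h}`]);
  return `connect-src 'self' ${sources.join(' ')}`;
}

// Demo with a stub WebSocket class (constructed) so it runs outside a browser.
class StubWebSocket {
  constructor(url) { this.url = String(url); }
}
const fakeWindow = { WebSocket: StubWebSocket };
const violations = [];
const audit = installWebSocketAudit(fakeWindow, ['cdn.example.com'], (r) => violations.push(r));
new fakeWindow.WebSocket('wss://cdn.example.com/ws');      // allowlisted, passes silently
new fakeWindow.WebSocket('wss://backend.example.net/ws');  // logged as a violation
audit.restore();
console.log('violations:', violations.map((v) => `${v.host} (${v.reason})`));
console.log(buildConnectSrc(['cdn.example.com']));
```

The constructor wrapper is the detection control (it tells you, with a log entry, where a vendor script actually connects); the `connect-src` header is the enforcement control, and a violation there also surfaces in CSP reports, so the connection is visible even though it never touches the CDN.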
## Infrastructure Comparison: DugganUSA vs Layer3 Intel
I audited my own infrastructure to make sure I'm not doing the same thing.
Certificate Transparency Check (dugganusa.com):
### Hidden Backend Endpoints?
**No 401 Bearer auth endpoints. No hidden job queues. No WebSocket C&C.**
### GitHub Repository?
✅ **Public:** https://github.com/pduggusa/enterprise-extraction-platform
- Full source code (microservices, scripts, patterns)
- CLAUDE.md architecture documentation
- Infrastructure costs documented ($77/month)
- All subdomains explained
### WebSocket Usage?
**We're clean.**
## The Transparency Scorecard
| Metric | DugganUSA | Layer3 Intel |
|--------|-----------|--------------|
| **GitHub Repository** | ✅ Public | ❌ None |
| **Source Code** | ✅ Available | ❌ Minified only |
| **Hidden Subdomains** | ⚠️ 1 legacy (explained) | 🚨 3 active (unexplained) |
| **WebSocket Usage** | ✅ None | 🚨 Yes (bypasses CDN) |
| **Hidden Auth Endpoints** | ✅ None | 🚨 queue.layer3intel.com |
| **CDN Bypass** | ✅ All traffic logged | 🚨 WebSocket bypasses |
| **Infrastructure Costs** | ✅ Documented ($77/month) | ❌ Unknown (~$50-90/month) |
## Flow Diagrams

### What They Show You (Public Documentation):
Simple, right?
### What's Actually Happening (What We Found):

## The Attack Chain
**STEP 1: Initial Load**
- User visits site with Tripwire integration
- Browser requests: `https://cdn.layer3intel.com/tripwire.min.js`
- Cloudflare CDN serves minified JavaScript
**STEP 2: WebSocket C&C Connection**
- `tripwire.min.js` opens WebSocket: `wss://tripwire.layer3intel.com/ws`
- Connection bypasses Cloudflare (direct to OVH 135.148.137.76)
- Encrypted WSS tunnel established
**STEP 3: Challenge/Response**
- Server → Client: `"1234"` (random number)
- Client → Server: `"1235"` (number + 1)
- Server validates math
**STEP 4: Token Generation**
- Server → Client: JWT token
- Token contains: proxy detection result + fingerprinting data?
- JavaScript fires event: `tripwire:success`
**STEP 5: Backend Communication (Hypothesis)**
- Backend sends data to `queue.layer3intel.com` (job queue)
- Data logged in `chronicle.layer3intel.com` (database?)
- Admin monitors via `spectacle.layer3intel.com` (dashboard?)
## My Questions
**To Layer3 Intel:**
1. **What is queue.layer3intel.com for?**
Why does proxy detection need a Bearer-authenticated job queue?
2. **Why bypass Cloudflare for WebSocket?**
Performance? Or hiding traffic from CDN logs?
3. **What are chronicle and spectacle subdomains?**
They have SSL certificates but no DNS records.
4. **Why no GitHub repository?**
Kevin Mitnick published tools post-prison. Transparency = credibility.
5. **Why minified code with no source maps?**
Most legitimate JavaScript security libraries publish source.
**I'm genuinely asking.** If there are legitimate explanations, I'll update this post.
## My Answer
**Will I integrate Layer3 Tripwire?**
No.
**Why?**
Because when I analyze security infrastructure, I want to see:
- ✅ Public source code (GitHub repo)
- ✅ Documented architecture (all subdomains explained)
- ✅ Transparent operations (no hidden auth endpoints)
- ✅ CDN logging (all traffic visible)
**What I found instead:**
- ❌ No GitHub repository
- ❌ 3 hidden backend subdomains (discovered via Certificate Transparency)
- ❌ Bearer-authenticated job queue (unexplained)
- ❌ WebSocket bypassing CDN (hiding from logs)
**Legitimate explanation:** Standard SaaS backend architecture (analytics, logging, monitoring)
**Suspicious explanation:** C&C infrastructure for data collection/tasking
**I don't know which it is.** I just know it's there, it's hidden, and it uses the same techniques as the adversaries it claims to detect.
## Pattern #21: Infrastructure Transparency Auditing
**New pattern documented.**
When someone sells you security services, audit their infrastructure first:
1. ✅ Check Certificate Transparency logs (crt.sh)
2. ✅ Enumerate all subdomains (public + hidden)
3. ✅ Test hidden endpoints (auth requirements, status codes)
4. ✅ Check for WebSocket usage (C&C patterns)
5. ✅ Look for CDN bypass (hiding from logs)
6. ✅ Search for GitHub repository (source code)
7. ✅ Compare findings to public docs
8. ✅ Document everything (radical transparency)
**Result:** You'll know if their infrastructure matches their marketing.
## What Happens Next
**If this analysis is wrong:**
Sergiy (or anyone from Layer3 Intel) can email me: [email protected]
I'll publish your explanation. I'll update this post. Radical transparency cuts both ways.
**If this analysis is right:**
The timing speaks for itself:
- Oct 15-16: Someone scrapes my site (residential proxies)
- Oct 23: I publish threat intel report
- Oct 23 (same day): He emails to sell proxy detection
- Oct 24: I find hidden C&C infrastructure
**Pattern #19 (Honeytrap via Radical Transparency) keeps delivering.**
## Evidence Repository
All evidence is public: https://github.com/pduggusa/enterprise-extraction-platform
**Files:**
- `compliance/evidence/threat-intelligence/layer3-tripwire-c2-infrastructure-analysis-oct-24-2025.md` (15,000 words)
- `compliance/evidence/threat-intelligence/layer3-tripwire-dns-investigation-oct-23-2025.md` (10,000 words)
- `compliance/evidence/dugganusa-vs-layer3-infrastructure-comparison.md` (8,000 words)
- `compliance/evidence/threat-intelligence/canada-residential-proxy-scraping-oct-2025.md` (11,000 words)
**Total documentation:** 44,000 words with full receipts.
## Reproducible Commands
**All findings are reproducible. Here are the exact commands:**
**Run them yourself. Verify my findings.**
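Steps 1 to 3 of Pattern #21 (enumerate names from Certificate Transparency, diff them against what the vendor documents, probe the undocumented ones) are mechanical enough to script. What follows is an added example written for this post, not the author's scripts from the evidence repository and not Layer3 Intel's code. It runs entirely offline: the crt.sh-shaped records, the "documented" hostname list and the DNS answers are all constructed for the fictional domain example.com, and `classifyProbe` takes a status code and headers you have already collected rather than making requests itself. The same query against a live domain is `https://crt.sh/?q=%25.example.com&output=json`.

```javascript
// Added example (not the author's or Layer3 Intel's code): offline walk-through
// of the CT audit. Inputs are constructed for example.com; a real run would feed
// the JSON returned by crt.sh (?q=%.example.com&output=json) into parseCtNames.
'use strict';

// Constructed records in the shape crt.sh returns. name_value may hold several
// SAN entries separated by newlines, and wildcard and mixed-case entries occur,
// so the parser has to normalise them before de-duplicating.
const SAMPLE_CT_JSON = JSON.stringify([
  { common_name: 'example.com', name_value: 'example.com\nwww.example.com' },
  { common_name: '*.example.com', name_value: '*.example.com' },
  { common_name: 'cdn.example.com', name_value: 'cdn.example.com' },
  { common_name: 'CDN.example.com', name_value: 'CDN.example.com' },
  { common_name: 'queue.example.com', name_value: 'queue.example.com' },
  { common_name: 'chronicle.example.com', name_value: 'chronicle.example.com\nspectacle.example.com' },
  { common_name: 'unrelated.test', name_value: 'unrelated.test' },
]);

// Constructed: what the vendor's public documentation lists.
const DOCUMENTED = ['example.com', 'www.example.com', 'cdn.example.com'];

// Constructed DNS answers; names absent here have a certificate but no record,
// the situation the post describes for chronicle and spectacle.
const DNS_ANSWERS = {
  'example.com': '203.0.113.10',
  'www.example.com': '203.0.113.10',
  'cdn.example.com': '203.0.113.11',
  'queue.example.com': '203.0.113.12',
};

// Step 1: collect the unique hostnames under `apex` from crt.sh-style JSON.
function parseCtNames(json, apex) {
  const names = new Set();
  for (const record of JSON.parse(json)) {
    for (const entry of String(record.name_value).split('\n')) {
      let name = entry.trim().toLowerCase();
      if (name.startsWith('*.')) name = name.slice(2); // a wildcard names no specific label
      if (name === apex || name.endsWith('.' + apex)) names.add(name);
    }
  }
  return [...names].sort();
}

// Step 2: diff CT names against the documented list and the DNS view.
function auditSubdomains(ctNames, documented, dnsAnswers) {
  const documentedSet = new Set(documented.map((n) => n.toLowerCase()));
  return ctNames.map((name) => {
    const isDocumented = documentedSet.has(name);
    const hasDns = Object.prototype.hasOwnProperty.call(dnsAnswers, name);
    let verdict;
    if (isDocumented) verdict = 'documented';
    else if (hasDns) verdict = 'undocumented, resolves';
    else verdict = 'undocumented, certificate only';
    return { name, documented: isDocumented, hasDns, verdict };
  });
}

// Step 3: read an HTTP probe of an undocumented host. `headers` is a plain
// object with lower-case keys, as fetch() and Node's http module provide.
function classifyProbe(status, headers = {}) {
  const auth = (headers['www-authenticate'] || '').trim();
  if (status === 401 && /^bearer\b/i.test(auth)) return 'live endpoint, Bearer token required';
  if (status === 401) return 'live endpoint, authentication required';
  if (status === 403) return 'live endpoint, access forbidden';
  if (status === 404) return 'host answers but route unknown';
  if (status >= 200 && status < 300) return 'open endpoint';
  return `unclassified status ${status}`;
}

// Run the whole audit on the constructed inputs and return the findings.
function runExampleAudit() {
  const names = parseCtNames(SAMPLE_CT_JSON, 'example.com');
  const findings = auditSubdomains(names, DOCUMENTED, DNS_ANSWERS);
  const undocumented = findings.filter((f) => !f.documented).map((f) => f.name);
  return { names, findings, undocumented };
}

const { findings } = runExampleAudit();
for (const f of findings) console.log(`${f.name.padEnd(24)} ${f.verdict}`);
console.log('probe of queue.example.com:', classifyProbe(401, { 'www-authenticate': 'Bearer realm="api"' }));
```

Two details matter when you repeat this against a real vendor: CT records are historical, so a name that appears there may belong to a certificate long since expired (compare `not_after` before treating it as live), and "certificate only" names can be internal hosts fronted by split-horizon DNS, which is exactly the kind of thing the vendor should be able to explain when asked.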
## To Readers
**If you're hiring security vendors:**
- Check Certificate Transparency for hidden subdomains
- Test for unexplained auth endpoints
- Look for WebSocket bypass patterns
- Ask for GitHub repositories
- Verify infrastructure matches marketing
**If you're building security services:**
- Document ALL subdomains (even backend ones)
- Don't hide infrastructure from your own CDN
- Publish source code when possible
- Explain authentication endpoints in docs
- Transparency = credibility
**If you're a security researcher:**
- Certificate Transparency is public data
- OSINT is legal (no hacking required)
- Document everything you find
- Publish with epistemic humility (could be wrong)
- Invite corrections (radical transparency)
## The Bottom Line
I caught someone scraping my site.
They emailed me to sell proxy detection.
I analyzed their infrastructure.
**Found:** Hidden subdomains, WebSocket bypassing CDN, Bearer-authenticated job queue, no GitHub repo.
**Looks like:** C&C infrastructure for residential proxy operations.
**Could be:** Legitimate SaaS backend architecture.
**I don't know which.** I just documented what I found.
**This is what we do for $0 budget.**
Imagine what we can do with a real one.
**P.S. - If you want to verify I'm not doing the same thing:**
My infrastructure audit is public: `compliance/evidence/dugganusa-vs-layer3-infrastructure-comparison.md`
**Findings:**
- ✅ No hidden auth endpoints
- ✅ No WebSocket usage
- ✅ All subdomains documented (even the one I forgot about)
- ✅ Full source code on GitHub
- ✅ Infrastructure costs published ($77/month)
**We're clean.**
**Update Log:**
- **Oct 24, 2025 00:15 UTC:** Initial publication
- **Awaiting:** Response from Layer3 Intel (if any)
- **Will update:** With any legitimate explanations provided
**Radical transparency = publish findings + publish corrections.**
**Related Posts:**
- [I Caught the Guy Who Attacked Brian Krebs](https://www.dugganusa.com/post/i-caught-the-guy-who-attacked-brian-krebs-he-s-selling-the-solution-now)
- Pattern #19: Honeytrap via Radical Transparency
- Pattern #21: Infrastructure Transparency Auditing (new)