3 Hours 34 Minutes: The STIX Feed Early Warning System (With Receipts)
- Patrick Duggan
- Dec 24, 2025
- 3 min read
Category: security
The Claim
Our STIX feed provides early warning on attacks before they happen.
The Receipts
Christmas Eve 2025 Timeline (UTC)
| Time | Event | Source |
|------|-------|--------|
| 15:26 | ThreatFox publishes 20 Aisuru botnet C2 servers | abuse.ch |
| 15:50 | DugganUSA OSINT Volley ingests IOCs | Our logs |
| 15:51 | STIX feed updated with 20 new indicators | analytics.dugganusa.com |
| 16:00 | OTX Pulse published | otx.alienvault.com |
| 19:00 | Steam, Xbox, PlayStation, Riot, Epic go down | Global reports |
| 21:00 | All 20 Aisuru C2s offline | Our probes |
Lead time: 3 hours 34 minutes.
We had the attack infrastructure indexed before the first packet flew.
Why This Works
Botnets can't attack silently. They have to stage first.
The Staging Problem (For Attackers)
1. Spin up C2 servers (DigitalOcean, Vultr, etc.)
2. Bots check in to C2s (staging traffic)
3. Wait for DNS propagation
4. Wait for bot inventory
5. Send attack command
Steps 1-4 take 3-5 hours. That's not operator laziness - it's infrastructure lag. DNS TTLs, bot check-in intervals, cloud provider boot times. The automation requires the wait.
The Leak (For Defenders)
Step 2 is where they get burned.
• Honeypots
• Malware sandboxes
• Network monitors
• Threat researchers
Someone sees bot → C2 callbacks. They report to ThreatFox. ThreatFox publishes.
The staging itself is the signal.
The IOCs
All 20 Aisuru C2 servers. All DigitalOcean. All port 8001.
Status as of 21:00 UTC: All offline. Either DigitalOcean nuked them or operators went dark.
The Math
If you subscribed to our STIX feed at 15:51 UTC:
15:51 - Your automation pulls STIX feed
15:52 - 20 IPs added to blocklist
19:00 - Aisuru attack launches
19:01 - C2 commands blocked at your perimeter
19:02 - Your players keep gaming
If you didn't subscribe:
19:00 - Attack launches
19:01 - Platforms go down
19:02 - Kids screaming, Twitter melting, SOC scrambling
21:00 - Partial recovery
21:30 - You find our blog post
21:31 - "They had this 3 hours ago?"
Who's Already Subscribed
STIX feed consumer stats (last 7 days):
| ASN | Requests | Entity |
|-----|----------|--------|
| ATT-INTERNET4 | 7,510 | AT&T |
| MICROSOFT-CORP | 1,051 | Microsoft |
| AMAZON-AES | 227 | Amazon AWS |
| GOOGLE-CLOUD | 64 | Google |
| GOOGLE | 37 | Google |
AT&T is pulling 7,510 times in 7 days. Microsoft is subscribed. Amazon and Google are watching.
They had the Aisuru IOCs before the attack hit.
The Product
Free Tier: https://analytics.dugganusa.com/api/v1/stix-feed
• STIX 2.1 format
• Updated hourly
• 821 IOCs currently indexed
• CC0-1.0 license (use it however you want)
What You Get:
• Botnet C2 staging detection
• 3-5 hour early warning window
• Full MITRE ATT&CK mapping
• Multi-source correlation
What We Just Added (Christmas Eve 2025):
• Staging Surge Detector (automated)
• Detects anomalous spikes in C2 publications
• Estimates attack window (T+3 to T+5 hours)
• Deployed to production during the attack
The Pattern
This isn't a one-time thing. It's the pattern:
1. Attackers stage C2 infrastructure
2. Staging traffic gets observed
3. ThreatFox publishes IOCs
4. We ingest and push to STIX feed
5. Subscribers block before attack lands
Every time they stage, they leak. Every time they leak, we catch it. Every time we catch it, subscribers are protected.
The staging is the signal. The feed is the shield.
Get The Feed
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
OTX Pulse (Aisuru IOCs): https://otx.alienvault.com/pulse/694c5004c8e2bcfb9c19c48c
Curl it:
```bash
curl -s https://analytics.dugganusa.com/api/v1/stix-feed | jq '.objects | length'  # 821 indicators ready to block
```
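To show what the subscriber-side automation in The Math looks like once the curl above has fetched the bundle, here is an added example (not DugganUSA's code) that parses a STIX 2.1 bundle, pulls C2 IPs and ports out of the indicator patterns, renders ipset add lines for the perimeter, and computes the lead time against an attack start. The bundle is constructed with RFC 5737 documentation addresses, and the feed's exact object layout and pattern style are assumptions.

```python
"""Turn a STIX 2.1 indicator bundle into a perimeter blocklist (stdlib only)."""
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape of a STIX 2.1 bundle. Addresses are RFC 5737
# documentation IPs, not the indicators the post reports. Two pattern styles are
# shown: a network-traffic pattern carrying the C2 port, and a bare ipv4-addr one.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "name": "Aisuru C2",
         "id": "indicator--11111111-1111-4111-8111-111111111112",
         "created": "2025-12-24T15:51:00Z", "modified": "2025-12-24T15:51:00Z",
         "valid_from": "2025-12-24T15:26:00Z",  # first upstream sighting, earlier than feed update
         "pattern": "[network-traffic:dst_ref.value = '203.0.113.10' AND network-traffic:dst_port = 8001]"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "name": "Aisuru C2",
         "id": "indicator--11111111-1111-4111-8111-111111111113",
         "created": "2025-12-24T15:51:00Z", "modified": "2025-12-24T15:51:00Z",
         "valid_from": "2025-12-24T15:40:00Z", "pattern": "[ipv4-addr:value = '203.0.113.11']"}]})

IP_RE = re.compile(r"(?:ipv4-addr:value|network-traffic:dst_ref\.value)\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'")
PORT_RE = re.compile(r"network-traffic:dst_port\s*=\s*(\d+)")

def parse_ts(ts):
    """STIX timestamps are RFC 3339 with a trailing Z; return a tz-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def extract_indicators(bundle_json):
    """Return [(ip, port_or_None, valid_from)] for every STIX-language indicator in the bundle."""
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # skip malware/relationship objects and snort/yara/sigma patterns
        pattern = obj.get("pattern", "")
        port = PORT_RE.search(pattern)
        for ip in IP_RE.findall(pattern):
            found.append((ip, int(port.group(1)) if port else None, parse_ts(obj["valid_from"])))
    return found

def ipset_lines(indicators, setname="c2-block"):
    """Render ipset 'add' lines: ip,tcp:port for a hash:ip,port set, bare ip for a hash:ip set."""
    keys = sorted({(ip, port) for ip, port, _ in indicators}, key=lambda k: (k[0], k[1] or 0))
    return [f"add {setname} {ip},tcp:{port}" if port else f"add {setname}-ip {ip}" for ip, port in keys]

def lead_time_minutes(indicators, attack_start):
    """Minutes from the earliest valid_from to the attack start; negative means the feed was late."""
    earliest = min(valid_from for _, _, valid_from in indicators)
    return int((parse_ts(attack_start) - earliest).total_seconds() // 60)
```

Replace SAMPLE_BUNDLE with the body returned by the curl command to run it against the live feed; with the sample, the lead time to a 19:00 UTC attack start comes out at 214 minutes, the 3 hours 34 minutes the timeline above reports.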
The Bottom Line
We had the Christmas Eve gaming attack infrastructure 3 hours 34 minutes before the attack.
That's not a claim. That's a timestamp.
Subscribe to the feed. Get early warning. Block before impact.
Or don't, and read about it in our blog post afterward.
Your call.
*DugganUSA LLC - Minnesota*
*"The staging is the signal."*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]