
35 Ransomware Victims in 48 Hours. Happy Easter From Lapsus$, DragonForce, and TheGentlemen.

  • Writer: Patrick Duggan
  • 6 days ago

While you were hiding eggs, three ransomware groups were dumping victims.


35 organizations posted to leak sites in the last 48 hours. Easter weekend. Passover running concurrently since April 1. Christian and Jewish holidays overlapping for the first time in years. SOC teams at skeleton crew. IT departments closed until Monday.


The attackers know your calendar better than you do.


The Body Count



Between April 4 and April 5, 2026, three ransomware groups posted 35 new victims across 14 countries:


Lapsus$ dropped four victims on Good Friday:

  • AstraZeneca — one of the world's largest pharmaceutical companies

  • French Ministry of Agriculture — a sovereign government target

  • University of Lille — French academic institution, doors closed for holiday

  • VirtaHealth — American healthcare company, patients don't get holidays


TheGentlemen posted sixteen victims in a single day across nine countries — France, Italy, Austria, Hong Kong, Japan, the United States, Thailand, Czech Republic, and Indonesia. That's not targeted. That's a carpet bomb while the security industry is at church.


DragonForce hit five organizations including a Thai manufacturer, an Egyptian pharmaceutical company, and an Indian chemical company.


Nova, Play, Anubis, and Krybit rounded out the weekend with additional victims spanning Poland, Indonesia, the UK, the US, Australia, and Botswana.


Why Holidays



This isn't new. It's just invisible to most people.


Ransomware operators time their attacks to holidays and weekends because that's when your defenses are weakest. The math is simple:


  • Staffing drops 80-90%. One in five organizations runs a skeleton crew on holidays, cutting security staff by as much as 90%. The people who would notice the intrusion are home with their families.


  • Response times multiply. When the alert fires at 2 AM on Easter Sunday, who's answering the phone? The on-call engineer who's been at dinner, not the senior analyst who knows where the crown jewels live.


  • Dwell time extends. Attackers who breach networks before holidays have three to four days of unmonitored lateral movement before anyone notices. By Monday morning, they've already exfiltrated the data and encrypted the drives.


  • Patch windows open. Fortinet disclosed a critical zero-day in FortiClient EMS (CVE-2026-35616) on Friday, April 4 — the day before Easter. Emergency hotfix available. How many IT teams are patching on Easter weekend? That's the point.


Last Easter, a UK retailer lost £300 million in market value after Scattered Spider and DragonForce hit them during the holiday weekend. The attackers had days of uncontested access. The company was on pen and paper for six weeks.


What You're Not Seeing



The 35 victims posted this weekend are the ones we know about. These are the organizations whose data appeared on ransomware leak sites — meaning they refused to pay and the attackers are publishing stolen files to pressure them.


The organizations that paid? You'll never hear about them. Industry estimates suggest that for every victim posted publicly, three to five pay quietly and disappear from the record. That puts the real Easter weekend toll somewhere between 100 and 175 organizations.


That's happening right now. While the ham is in the oven.


The Calendar Weapon



Easter and Passover overlap this year. That means Christian-majority countries AND Israel-connected organizations are simultaneously at reduced staffing. Ramadan ended March 18, but the post-Ramadan operational tempo for certain threat actors historically spikes in the following weeks.


The Abrahamic calendar isn't just a cultural artifact. It's an attack surface. Three religions, three holiday schedules, three windows of reduced defense — and this year, two of them overlap.


Ransomware operators don't care about your theology. They care about your staffing calendar.


What You Can Do Right Now



If you're reading this on Easter Sunday, you're probably not the person who needs to hear it. But forward it to your CISO. Here's the checklist:


Tonight:

  • Check your EDR dashboard. Right now. Look for anything that fired since Friday.

  • Verify your backups ran. If ransomware hit tonight, could you restore Monday morning?

  • Confirm your on-call rotation. Is someone actually answering?


Monday morning:

  • Patch CVE-2026-35616 (FortiClient EMS) before your coffee. Hotfix is available for 7.4.5 and 7.4.6. Active exploitation confirmed in the wild.

  • Review access logs from the holiday weekend. Look for unusual authentication, lateral movement, or data exfiltration patterns between Friday 5 PM and Monday 8 AM.

  • Check if your threat feed updated over the weekend. If your STIX feed stopped pulling, you were flying blind.
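
The weekend access-log review in the checklist above can be scripted. The following Python is an added example, not code from this post or from any vendor tool: it builds a per-user baseline of source IPs from before the Friday 5 PM to Monday 8 AM window, then flags in-window successful logins from a source that user never used, noting when a burst of failures preceded the success. The space-separated log format, the function names `holiday_window` and `review`, the failure threshold of 3, and the sample log lines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, time, timedelta

# Constructed sample auth log (not real data): ISO timestamp, user, source IP, result.
SAMPLE_LOG = """\
2026-03-30T09:12:00 alice 10.0.4.21 success
2026-04-01T08:55:00 bob 10.0.4.37 success
2026-04-04T23:41:00 bob 203.0.113.50 failure
2026-04-04T23:42:00 bob 203.0.113.50 failure
2026-04-04T23:43:00 bob 203.0.113.50 failure
2026-04-04T23:44:00 bob 203.0.113.50 success
2026-04-05T03:05:00 alice 10.0.4.21 success
2026-04-06T07:30:00 alice 198.51.100.7 success
2026-04-06T09:00:00 bob 10.0.4.37 success
"""

def holiday_window(monday: date):
    """Friday 5 PM through Monday 8 AM for the weekend ending on `monday`."""
    if monday.weekday() != 0:
        raise ValueError("expected a Monday")
    start = datetime.combine(monday - timedelta(days=3), time(17, 0))
    return start, datetime.combine(monday, time(8, 0))

def review(log_text: str, monday: date, fail_threshold: int = 3):
    """Flag in-window successes from a source the user never used before the
    window; mark those preceded by a burst of failures from the same source."""
    start, end = holiday_window(monday)
    baseline = defaultdict(set)   # user -> source IPs seen before the window
    failures = defaultdict(int)   # (user, ip) -> failures inside the window
    findings = []
    for line in sorted(filter(str.strip, log_text.splitlines())):  # ISO sorts by time
        ts, user, ip, result = line.split()
        when = datetime.fromisoformat(ts)
        if when < start:
            if result == "success":
                baseline[user].add(ip)
        elif when <= end:
            if result == "failure":
                failures[(user, ip)] += 1
            elif ip not in baseline[user]:
                burst = failures[(user, ip)] >= fail_threshold
                findings.append((ts, user, ip, "new-source-after-failures" if burst else "new-source"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, date(2026, 4, 6)):
        print(*finding)
```

On the sample data this flags two logins and ignores the in-window login from a known source as well as the event after Monday 8 AM; in practice the baseline period should cover several weeks of normal activity.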


This quarter:

  • Staff your holidays. A skeleton crew is an invitation. Budget for holiday SOC coverage the way you budget for insurance — the cost of coverage is cheaper than the cost of the claim.

  • Automate your detection. The humans go home. The automation doesn't. If your detection relies on an analyst watching a dashboard, you don't have detection — you have hope.


Our Feed Didn't Take Easter Off



Our STIX feed serves 275+ organizations in 18 countries. It updated automatically this weekend. The IOCs from Friday's Fortinet disclosure, the exploit patterns from our GitHub harvester, and the scanner IPs from our edge honeypots all flowed to every consumer without a human touching it.


Our automated threat decisions hit 6 million this week. No skeleton crew required. The machine doesn't celebrate Easter.


Point your SIEM at it:




Free tier: https://analytics.dugganusa.com/stix/register




35 victims in 48 hours. Three ransomware groups. Fourteen countries. Easter weekend.


Your SOC is at 10% staffing. The attackers are at 100%.


The calendar is a weapon. Defend accordingly.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.

 
 
 
