$568 for a VM Escape: Finding MAESTRO on GitHub
- Patrick Duggan
- Jan 10
- 3 min read
The Follow-Up
Earlier today I wrote about MAESTRO, the VMware ESXi VM escape toolkit that Chinese-speaking threat actors have been using since at least February 2024. Huntress published solid research on the toolkit, noting it was "likely being sold privately through closed channels rather than public underground markets."
So I went looking on GitHub.
What We Found
Within minutes of searching, we found a public sales channel.
Repository: XiaomingX/data-cve-poc
This repo describes itself as collecting "all CVE exploits found on GitHub" and has 605 stars and 11,000+ followers. The maintainer claims to work at X (formerly Twitter) and lists a Japanese location with a Chinese company (Jobleap.cn).
Inside the repo, at 2025/CVE-2025-22224/README.md:
Exploit Availability: Not public, only private.
Contact: [email protected]
Download: https://tinyurl.com/34h77mfz
Following the Money
That tinyurl redirects to:
https://satoshidisk.com/pay/CO13UZ
SatoshiDisk is a Bitcoin paywall service. For the low price of $568.25 USD (0.00511552 BTC), you get:
| File | Size |
| --- | --- |
| CVE-2025-22224.zip | 5.78 KB |
| README.txt | 0.71 KB |
The description matches the CVE exactly: "a critical vulnerability involving a Time-of-Check Time-of-Use (TOCTOU) flaw that enables an out-of-bounds write" affecting VMware ESXi.
The Infrastructure
| IOC | Details |
| --- | --- |
| Seller email | |
| Domain | thesecure.biz |
| Registrant | Czech Republic, privacy-protected (2016) |
| Payment platform | satoshidisk.com |
| Platform IPs | 172.67.221.90, 104.21.75.108 (Cloudflare) |
| Referrer repo | github.com/XiaomingX/data-cve-poc |
SatoshiDisk's terms include a helpful disclaimer: they "cannot check uploaded data due to local encryption" and are "not responsible for the content."
Plausible deniability as a service.
The Laundering Pattern
Here's how it works:
Legitimate-looking GitHub "security research" repo
↓
README with CVE details + contact email + tinyurl
↓
TinyURL redirect (obscures destination)
↓
SatoshiDisk Bitcoin paywall
↓
Crypto payment, no refunds, encrypted delivery
GitHub provides the SEO and credibility. TinyURL provides the redirect. SatoshiDisk provides the payment processing and deniability. Everyone's hands are clean.
The repo has 11,000 followers. It looks like a legitimate security research collection. Most of the entries probably are legitimate PoC references. But buried in there is a storefront for a CVSS 9.3 VM escape exploit that's on CISA's Known Exploited Vulnerabilities list.
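A defender-side check for the pattern just described, added here as an example and not part of the original post or of any referenced project: it scores README files for the storefront markers the post lists (shortener link, paywall host, contact email, "not public / only private" wording) without fetching any link. The sample READMEs, the placeholder CVE path and the email and URL values in them are constructed.

```python
import re
from dataclasses import dataclass, field

# Hosts from the chain described in this post (tinyurl.com, satoshidisk.com)
# plus a few widely used URL shorteners. Links are parsed, never followed.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "is.gd"}
PAYWALLS = {"satoshidisk.com"}
# Wording that signals a sale rather than a public proof of concept.
SALE_PHRASES = ("not public", "only private", "contact:")

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def scan_readme(path: str, text: str) -> Finding:
    """Score one README for the storefront pattern (higher = more suspicious)."""
    f = Finding(path)
    hosts = {h.lower() for h in URL_RE.findall(text)}
    if hosts & SHORTENERS:
        f.score += 2
        f.reasons.append(f"shortener link: {sorted(hosts & SHORTENERS)}")
    if hosts & PAYWALLS:
        f.score += 3
        f.reasons.append(f"paywall host: {sorted(hosts & PAYWALLS)}")
    if EMAIL_RE.search(text):
        f.score += 1
        f.reasons.append("contact email present")
    hits = [p for p in SALE_PHRASES if p in text.lower()]
    if hits:
        f.score += len(hits)
        f.reasons.append(f"sale wording: {hits}")
    return f


def flag_repo(readmes: dict, threshold: int = 4) -> list:
    """Return findings at or above the threshold, highest score first."""
    found = (scan_readme(p, t) for p, t in readmes.items())
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample READMEs: one ordinary PoC reference, one storefront.
SAMPLE_READMES = {
    "2024/CVE-PLACEHOLDER-A/README.md": (
        "PoC reference: https://github.com/example/poc\n"
        "Usage: python poc.py --target 127.0.0.1\n"),
    "2025/CVE-PLACEHOLDER-B/README.md": (
        "Exploit Availability: Not public, only private.\n"
        "Contact: seller@example.invalid\n"
        "Download: https://tinyurl.com/EXAMPLE-ID\n"),
}
```

Running `flag_repo(SAMPLE_READMES)` returns only the second path; the score breakdown in `reasons` is what an abuse report or triage ticket would quote.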
Real or Scam?
Could be either:
Real exploit - MAESTRO or a derivative, 5.78KB is plausible for a compact exploit chain
Scam - Empty zip or garbage, collect Bitcoin, disappear
Honeypot - Real exploit wrapped in malware/backdoor
All of the above - Different buyers get different packages
The 5.78KB size is interesting. Too small for a full toolkit with MyDriver.sys and VSOCKpuppet. Could be just the core exploit without the persistence components. Could be a loader that fetches the rest. Could be nothing.
Either way, someone is making money.
The Bigger Picture
Huntress said MAESTRO was being sold "through private channels." They weren't wrong - but there's also a public storefront operating in plain sight on the world's largest code hosting platform.
This is the exploit economy in 2026:
GitHub for distribution and SEO
TinyURL for redirect obfuscation
SatoshiDisk for Bitcoin payments
Cloudflare for infrastructure protection
Czech privacy registration for WHOIS
All legal services. All being chained together to sell a weapon.
CVE-2025-22224 has 30,000+ vulnerable ESXi instances exposed to the internet. For $568, anyone with Bitcoin can potentially buy the keys.
What We Did
Documented the full chain with receipts
Generated a GitHub abuse report (manual submission required)
Indexed the IOCs into our threat intel feed
Published this post
IOCs
# Seller Infrastructure
[email protected]
thesecure.biz
Report It
If you want to help get this taken down:
GitHub: https://github.com/contact/report-abuse
Repository: github.com/XiaomingX/data-cve-poc
Specific file: 2025/CVE-2025-22224/README.md
The more reports, the faster it comes down. Though they'll just pop up somewhere else.
That's the game.