DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

8 Days, 20,000 Indicators: Microsoft and AT&T Are Watching

Patrick Duggan
Dec 5, 2025
4 min read

--- title: "8 Days, 20,000 Indicators: Microsoft and AT&T Are Watching" slug: 8-days-20k-indicators-microsoft-att-watching date: 2025-12-05 author: Patrick Duggan tags: [otx, threat-intel, stix, microsoft, att, enterprise, free-feed, pattern-38, stealc, monero] category: Threat Intelligence featured: true ---

The Setup

I joined AlienVault OTX 8 days ago. Username: `pduggusa`.

Today we crossed 20,000 indicators.

The enterprise threat intel vendors charging $50K-$500K/year? They're consuming our free feed. Let me show you the receipts.

The Numbers (OTX Profile: pduggusa)

| Metric | Value | |--------|-------| | Indicators | 20,809 | | Pulses | 99 | | Subscribers | 16 | | Member Since | 8 days ago | | Contribution Rate | ~2,600 indicators/day |

One more pulse and we hit triple digits.

Who's Consuming Our Free STIX Feed?

We track every request to `analytics.dugganusa.com/api/v1/stix-feed`. Here's the last 7 days:

| Consumer ASN | Country | Requests | |--------------|---------|----------| | MICROSOFT-CORP-MSN-AS-BLOCK | US | 271 | | ATT-INTERNET4 | US | 265 | | GOOGLE-CLOUD-PLATFORM | US | 48 | | AMAZON-AES | US | 15 | | HUAWEI CLOUDS | HK | 12 | | M247 | GB/ES/NO | 27 | | TEAM-BLUE-DENMARK | DK | 7 |

799 requests from 18 countries. Microsoft and AT&T are our biggest consumers.

The same enterprise vendors who charge fortunes for threat intel are ingesting ours for free.

The 8-Year Gap We're Filling

Before running our mouths, we did competitive analysis. Here's who's NOT contributing to OTX:

| Company | OTX Presence | Why | |---------|--------------|-----| | CrowdStrike | None | Walled-garden Falcon platform, $50K-500K/year | | Recorded Future | None | Enterprise-only threat intel platform | | Palo Alto Unit42 | None | Research behind paywall | | Mandiant | None | Google-owned, enterprise consulting focus | | Proofpoint | None | Enterprise email security, no community contribution | | Cisco Talos | Minimal | Occasional blog posts, no active pulses |

The last meaningful GitHub malware pulse on OTX was from 2017. Eight years without coverage.

We're filling that gap. For free.

The Pattern 38 Story: Following the Infrastructure

Our STIX feed documents a coordinated Stealc/Rhadamanthys campaign. Here's what we found by enriching the C2 infrastructure:

The Stealc Command Throne - `149.102.156.62`

Hostname: vmi2910825.contaboserver.net
Ports: 22, 80
Vulns: CVE-2023-44487, CVE-2021-23017
Connected Samples: 25
Status: Primary C2, very active

The Zalupa Payload Forge - `158.220.93.201`

Hostname: vmi2915473.contaboserver.net
Ports: 80
Delta from Stealc: 4,648 VMs apart (same Contabo batch)
Payload Naming: Russian anatomical slang

The Monero Mining Citadel - `107.167.83.34`

Hostname: we.love.servers.at.ioflood.net
Ports: 80, 443, 3333, 5555, 7777, 8080, 9000, 18080
PassiveDNS: pool.supportxmr.com

Port 18080 is Monero RPC. This confirms dual-purpose operation: steal credentials AND mine crypto.

Kenya Build Foundry - `196.251.107.94`

Ports: 3389 (RDP!), 10050 (Zabbix)
Self-signed certs
Per-victim builds being generated

RDP access means hands-on-keyboard operators. They're not just automated—someone's logging in.

The Contabo Connection

• `vmi2910825` (Stealc C2)

• `vmi2915473` (Zalupa dropper)

That's 4,648 VMs apart. Same provisioning window, same operator, same campaign.

ThreatFox Correlation

We cross-reference with ThreatFox (abuse.ch). Latest hunt results:

• 1,191 IOCs analyzed

• 9 direct correlations with our STIX bundle

• 88 novel IOCs discovered

Our infrastructure assessments are being independently confirmed.

The Cloudflare Picture

Site Traffic (Nov 27 - Dec 3)

| Metric | Value | |--------|-------| | Pageviews | 2,262 | | Unique Visitors | 2,799 | | Requests | 48,274 | | Bandwidth | 934 MB | | Threats Blocked | 2,548 | | Countries | 54 |

Top Countries

| Country | Requests | % | |---------|----------|---| | US | 41,262 | 85.5% | | Japan | 1,389 | 2.9% | | Australia | 706 | 1.5% | | UK | 681 | 1.4% | | Singapore | 643 | 1.3% | | Canada | 622 | 1.3% | | Germany | 521 | 1.1% | | India | 464 | 1.0% |

Also tracking traffic from: Kenya, Kyrgyzstan, Palestine, Venezuela, Ethiopia, Mongolia, Georgia.

What People Are Looking Up

Our OTX enrichment API (`/api/v1/otx/enrich/ip/`) shows what threat hunters care about:

`178.128.207.138` - 70 lookups

• Reverse DNS: `eab9c05722.scan.leakix.org`

• Reality: LeakIX security scanner (like Shodan)

• In 50 pulses including ours

• Lesson: Security researchers hitting honeypots, documenting themselves

`185.177.72.11` - 54 lookups

• Location: UK

• In 8 pulses: Botnet lists, vuln exploitation sources, our Master Feed

• Ports: Just SSH

• Profile: Persistent botnet infrastructure, minimal footprint

`34.138.20.147` - 53 lookups

• Owner: Google Cloud

• Only in OUR pulse - we're the sole documenter

• Significance: We're publishing intel nobody else is

The Competitive Landscape

| Player | Subscribers | Pulses | Indicators | Notes | |--------|-------------|--------|------------|-------| | AlienVault | 350,483 | 7,893 | 566,075 | 10+ years | | pduggusa | 16 | 99 | 20,809 | 8 days | | CrowdStrike | 0 | 0 | 0 | $50K+ paywall | | Recorded Future | 0 | 0 | 0 | $100K+ paywall | | Palo Alto | 0 | 0 | 0 | Paywall |

We're 8 days in with a 2,600 indicators/day velocity. At this rate, we hit AlienVault's indicator count in 209 days.

The Christmas Message

To enterprise vendors charging $50K/year while contributing nothing to the community:

Merry Christmas. We're doing your job for free.

Your customers at Microsoft and AT&T are already consuming our feed. The question isn't whether open threat intel wins—it's how long you can justify your pricing when the alternative is free, automated, and MITRE ATT&CK enriched.

Access the Feed

STIX 2.1 Feed: `https://analytics.dugganusa.com/api/v1/stix-feed`

OTX Master Pulse: `https://otx.alienvault.com/pulse/6927d4c1611927c371ffd3cb`

OTX Profile: `https://otx.alienvault.com/user/pduggusa`

Auto-updated. Free. Forever.

*DugganUSA LLC - Minnesota. Pattern 38 ongoing. The sleeper has awoken.*

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]