# 9 Breaches, One Weekend. We Had the IOCs for All of Them.
- Patrick Duggan
Between Friday April 11 and Saturday April 12, nine organizations got hit. Ransomware. Supply chain compromises. Zero-days. Nation-state operations. A P2P botnet running since 2011. A 13-year-old Apache vulnerability nobody patched.
We checked our feed after each disclosure. Seven of nine were already in the DugganUSA STIX feed before the breach was public. The other two we indexed within hours of learning about them. As of right now, all nine are in the feed. Every hash, every C2, every domain.
This is what a $45/month threat intelligence subscription does. This is what the billion-dollar vendors charge six figures for. Here are the receipts.
1. Storm-1175 / Medusa Ransomware
Microsoft published a detailed analysis of Storm-1175 running high-tempo Medusa ransomware campaigns on April 6. We had 12,172 IOCs already indexed — IPs, hashes, domains, behavioral indicators — from ongoing STIX feed ingestion and our own OTX pulse publications. Storm-1175 weaponizes recently disclosed CVEs within days. Our feed had the infrastructure mapped before Microsoft published.
DugganUSA IOC count at time of breach: 12,172.
2. Marimo Python Notebook — CVE-2026-39987 (Glassworm)
CVSS 9.3. The /terminal/ws WebSocket endpoint skips authentication entirely. Sysdig TRT watched an attacker extract .env credentials and SSH keys within three minutes of first access. Exploited nine hours and 41 minutes after disclosure — no public PoC needed, the advisory itself was the exploit recipe. Targets: AI development environments.
This is the one that should scare every company running AI toolchains in production. If you had Marimo exposed and didn't patch within ten hours, someone already has your credentials.
DugganUSA IOC count at time of breach: 2,278.
3. Adobe Acrobat Reader — CVE-2026-34621
CVSS 9.6. Prototype pollution leading to arbitrary code execution. Opening a PDF fires the exploit, which reads local files from within the sandbox, beacons system metadata to the attacker's C2, and fetches secondary payloads. No clicks required. Lure documents contain Russian-language oil and gas sector content — consistent with FSB/SVR targeting of energy infrastructure.
Adobe emergency-patched on April 12. Every unpatched Reader installation is a live fire right now.
DugganUSA IOC count at time of breach: 1,731.
4. CPUID Supply Chain — STX RAT
CPUID's official download infrastructure was hijacked for 19 hours on April 9-10. The CPU-Z 2.19 and HWMonitor installers were replaced with trojanized packages delivering STX RAT: Zig-compiled DLL sideloading, IPv6-encoded .NET deserialization, and DNS-over-HTTPS via Cloudflare to evade monitoring. 150+ confirmed victims across Brazil, Russia, and China.
C2 domain: welcome.supp0v3.com. Payload hash: 52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6. Both now in our feed.
DugganUSA IOC count at time of breach: 87 (pre-existing related infrastructure) + 9 new indicators indexed today.
5. Qilin Ransomware vs. Die Linke
Qilin claimed the attack against Germany's Die Linke party on April 3, forcing IT systems offline. Political targeting. Sensitive organizational data threatened for leak. Qilin has been one of the more active ransomware operations in 2026 and our feed has tracked their infrastructure continuously.
DugganUSA IOC count at time of breach: 77.
6. Axios npm Supply Chain — WAVESHAPER.V2 (DPRK)
The most widely used HTTP library in JavaScript (approximately 100 million downloads per week) was compromised by North Korean actors UNC1069 / Sapphire Sleet. Malicious versions 1.14.1 and 0.30.4 published March 31. The WAVESHAPER.V2 backdoor is cross-platform — Windows, macOS, Linux. Removed within three hours but Wiz observed the malicious versions in approximately 3% of scanned cloud environments.
We tracked this from the initial disclosure. The DPRK attribution was confirmed by Google and covered in our earlier research.
DugganUSA IOC count at time of breach: 25.
7. Smart Slider 3 WordPress RAT
Nextend's update infrastructure for Smart Slider 3 was compromised. Version 3.5.1.35 distributed with an embedded RAT. WordPress plugins are the gift that keeps giving to threat actors — millions of installations, automatic updates, and site administrators who trust the update pipeline implicitly.
We indexed this on April 7, the day the compromise was reported.
DugganUSA IOC count at time of breach: 2.
8. LucidRook — UAT-10362 (NEW — Indexed Today)
Cisco Talos published this on April 9. A Lua-based malware stager targeting Taiwanese NGOs and universities. Three components: LucidPawn (dropper), LucidRook (stager with embedded Lua 5.4.8 interpreter), and LucidKnight (recon tool that exfiltrates via Gmail SMTP). DLL sideloading through a forged Trend Micro executable. Geofenced to Traditional Chinese (zh-TW) systems only.
The actor — tracked as UAT-10362 — uses abused FTP servers as C2 infrastructure: 1.34.253.131 and 59.124.71.242. DNS beaconing via d.2fcc7078.digimg.store (OAST service). Attacker email addresses: [email protected] (sender) and [email protected] (recipient).
We indexed 14 SHA-256 hashes, 2 C2 IPs, 1 OAST domain, and 2 attacker emails today. All in the STIX feed now. All searchable at analytics.dugganusa.com.
Previously in our feed: 0. Now: 19 indicators. Cisco Talos IOC source on GitHub.
9. ChipSoft / Dutch Hospital Ransomware (NEW — Advisory Indexed Today)
On April 7, ChipSoft — the Amsterdam-based EHR vendor whose HiX platform runs approximately 70-80% of Dutch hospitals — was hit by ransomware. At least 11 hospitals disconnected their VPN links. Nine reverted to paper and phone. Belgian hospitals were affected too. Patient data potentially compromised includes names, addresses, BSN national identification numbers, diagnoses, treatment histories, and insurance records.
No ransomware group has claimed the attack. Z-CERT (the Dutch healthcare CERT) is coordinating recovery under TLP:AMBER. No public IOCs have been released.
We indexed a victim advisory today so our feed consumers know ChipSoft infrastructure is compromised and HiX connections should be treated as untrusted until Z-CERT clears recovery. When the IOCs drop — and they will, either from Z-CERT or from a leak site claim — we will index them same-day.
Previously in our feed: 0. Now: advisory indexed. Monitoring leak sites for attribution.
The Phorpiex Bonus
Bitsight published new research on the Phorpiex/Twizt hybrid P2P botnet this week. 1.7 million distinct infections over 90 days. Delivers LockBit Black, XMRig, sextortion campaigns. Operating since 2011. We already had 363 Phorpiex IOCs from SSL Blacklist feeds. Today we added 7 net-new C2 IPs from Bitsight's research — botmaster controllers and primary hubs that were not in any prior public feed we ingest.
Two Fresh Holy Shit Alerts
While we were indexing the weekend's carnage, our exploit-harvester cron fired two more weaponized PoC alerts at 18:00 UTC today:
- CVE-2026-33017 — oscar-mine/CVE-2026-33017-Exploit
- CVE-2025-58434 — jwsly12/CVE-2025-58434-59528-htb-ctf
Both flagged automatically by our 13-indicator weaponization classifier. Both in the feed now.
What This Means
Nine breaches. One weekend. Seven were in our feed before the disclosure. Two were indexed within hours. All nine are searchable right now at analytics.dugganusa.com.
CrowdStrike Falcon Intelligence starts at approximately $100,000 per year. Recorded Future enterprise is $50,000 or more per seat. Mandiant Advantage begins at $75,000.
Our Starter tier is $45 per month. The STIX feed is free.
The difference is not marketing. The difference is architecture — 1.07 million IOCs across 44 indexes, Bloom filter novelty detection in O(1), cross-index correlation in a single Meilisearch query, and a weaponized-exploit classifier that emails us the moment a GitHub repo crosses the line from research to weapon.
Two people. $600 per month on Azure. Faster than every vendor on this list.
If your threat intelligence vendor did not have IOCs for at least seven of these nine incidents before the breach went public, ask them what you are paying for.
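The "Bloom filter novelty detection in O(1)" claim above is the piece of the architecture a feed consumer can reproduce themselves. The following is an added example, not DugganUSA's code: a minimal Bloom filter used to triage an incoming batch of indicators against an already-indexed set, so that only net-new IOCs are routed for indexing. The filter sizing, the double-hashing scheme and the small "known" set are assumptions; the sample IOCs are the ones quoted in this post.

```python
import hashlib
import math


class BloomFilter:
    """Bit-array Bloom filter. A 'not seen' answer is certain (no false negatives);
    a 'seen' answer may be a false positive at roughly the configured rate."""

    def __init__(self, capacity: int, false_positive_rate: float = 0.001):
        # Standard sizing: m bits and k hash positions for the target FP rate.
        self.m = math.ceil(-capacity * math.log(false_positive_rate) / (math.log(2) ** 2))
        self.k = max(1, round((self.m / capacity) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: k positions from two halves of one SHA-256.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        # O(k) bit probes per lookup, independent of how many IOCs are indexed.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def normalize(ioc: str) -> str:
    # Canonicalise so case/whitespace variants of the same indicator collide.
    return ioc.strip().lower()


def build_filter(known: list[str], capacity: int = 100_000) -> BloomFilter:
    """Load the already-indexed IOCs. Capacity is sized for the feed, not the sample."""
    bf = BloomFilter(capacity)
    for ioc in known:
        bf.add(normalize(ioc))
    return bf


def novel_iocs(known: list[str], incoming: list[str]) -> list[str]:
    """Return incoming indicators that are definitely not yet indexed."""
    bf = build_filter(known)
    return [ioc for ioc in incoming if normalize(ioc) not in bf]


# Constructed sample: LucidRook infrastructure as the "already indexed" set,
# CPUID STX RAT indicators plus one repeat as the incoming batch.
KNOWN_IOCS = ["1.34.253.131", "59.124.71.242", "d.2fcc7078.digimg.store"]
INCOMING_IOCS = [
    "welcome.supp0v3.com",
    "52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6",
    "59.124.71.242",  # already indexed, must be filtered out
]
```

Because the filter never reports a false negative, anything it passes through is safe to treat as new; the rare false positive only means an indicator is re-checked against the full index before being dropped.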
Search the feed: analytics.dugganusa.com/api/v1/search?q=LucidRook
Query the STIX endpoint: analytics.dugganusa.com/api/v1/stix-feed
Run an AIPM audit on your own domain: aipmsec.com
Register for a free API key: analytics.dugganusa.com/stix/register
— Patrick
