DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

A Stealer-as-a-Service Panel Hiding Behind Cloudflare

Patrick Duggan
Dec 19, 2025
4 min read

--- title: "We Found stealer.su: A Live Malware-as-a-Service Panel Nobody's Talking About" slug: stealer-su-maas-panel-discovered date: 2025-12-19 author: Patrick Duggan tags: [threat-intelligence, malware, stealer, maas, osint, russia, stix] category: Threat Intelligence featured: true story_density_target: 120.9 ---

December 19, 2025 - While sweeping our threat feeds for fresh IOCs, PreCog flagged something interesting: `stealer.su`. A domain so on-the-nose it almost sounds fake.

It's not fake. It's a live malware-as-a-service login portal. And nobody's talking about it.

The Discovery

First seen: December 18, 2025 at 09:40:29 UTC

Our PreCog Sweep - an automated OSINT harvester that pulls from ThreatFox, OpenPhish, and AlienVault OTX - flagged `stealer.su` as a novel IOC. Hours later, ThreatFox tagged it:

Type: domain
Description: Unknown Stealer - botnet_cc
BDE Score: 85 (high confidence malicious)

Then we found the login portal: `https://stealer.su/login`

A literal credential stealer control panel. Live. Operational. Accepting logins.

The Infrastructure

DNS Resolution

stealer.su → 172.67.170.252, 104.21.87.222

Both IPs are Cloudflare. The operators are using Cloudflare to hide their origin server - standard practice for malware infrastructure that wants to stay up.

Certificate Transparency

Checking crt.sh reveals:

| Certificate | Issuer | First Seen | |-------------|--------|------------| | *.stealer.su | Google Trust Services WE1 | Oct 10, 2025 | | *.stealer.su | Google Trust Services WE1 | Dec 8, 2025 |

A wildcard certificate. They're planning for subdomains. This isn't a throwaway domain - it's infrastructure.

WHOIS

The `.su` TLD is the Soviet Union legacy domain, administered by ROSNIIROS (Russian Institute for Development of Public Networks) in Moscow. Domain registration details are privacy-protected, but the TLD choice is telling.

Related Infrastructure

The same ThreatFox hunt that caught `stealer.su` pulled related stealer infrastructure:

| Domain | Type | Description | |--------|------|-------------| | stealer.su | domain | MaaS login portal | | xn--uck9ds92mmxh.net | domain | Payload delivery | | webmail.super77a.com | hostname | Payload delivery | | wap.aslyjx.com | hostname | Payload delivery | | yell.npaym.com | hostname | Payload delivery |

That punycode domain? It decodes to ゴミ屋敷.net - Japanese for "garbage house" or "hoarder house." Either the operators have a sense of humor, or their domain generator created accidental poetry.

What Is This?

Malware-as-a-Service (MaaS) panels like `stealer.su` are the backend for credential theft operations. The typical model:

1. Operator rents access to the panel 2. Operator deploys stealers via phishing/malvertising 3. Victims get infected, credentials exfiltrated 4. Credentials appear in the panel for the operator 5. Operator sells or uses the stolen data

The login portal at `/login` is where operators authenticate to access their stolen credential dashboard.

Why This Matters

1. It's Brazenly Named

• Operators confident in their infrastructure's resilience

• A relatively new operation still building reputation

• A honeypot (though ThreatFox's tagging suggests real malware association)

2. It's Behind Cloudflare

Cloudflare's abuse team is generally responsive, but takedowns take time. Meanwhile, the panel stays up.

3. It's Using Legitimate Certificate Authorities

Google Trust Services issued the wildcard cert. The infrastructure looks "legitimate" to automated systems.

4. Nobody's Reporting It

As of this writing, `stealer.su` has minimal coverage. Our PreCog Sweep caught it via ThreatFox correlation, but it hasn't hit mainstream threat intel feeds or security news.

The Evidence

Query Our Index

curl "https://analytics.dugganusa.com/api/v1/search?q=stealer.su"

IOC List

stealer.su
https://stealer.su/login
172.67.170.252
104.21.87.222
xn--uck9ds92mmxh.net (ゴミ屋敷.net)
webmail.super77a.com
wap.aslyjx.com
wap.sdkqgs.com
yell.npaym.com

STIX Feed

All IOCs available in our free STIX 2.1 feed:

curl "https://analytics.dugganusa.com/api/v1/stix-feed"

Recommendations

• Block `stealer.su` and associated infrastructure at your perimeter

• Monitor for DNS queries to `.su` domains generally (low legitimate traffic)

• Check logs for connections to 172.67.170.252 / 104.21.87.222 (note: Cloudflare IPs host many domains)

• Abuse report submitted

• This is why automated threat feed correlation matters. PreCog caught this 24 hours before we manually investigated. The machines are faster than us.

The Bigger Picture

We've published three threat intel posts in the last 24 hours:

1. Mintlify XSS Downstream Exploitation - 121 IOCs captured 38 days after disclosure 2. GitHub Hydra Factory - Discord stealer network mapped via stargazer analysis 3. This post - A MaaS panel nobody's talking about

All of this came from the same pipeline: automated harvesting → Meilisearch indexing → human pattern recognition → publication.

The threat landscape moves fast. Automated detection with human analysis is how you keep up.

Timeline

| Date | Event | |------|-------| | Oct 10, 2025 | First wildcard cert issued for *.stealer.su | | Dec 8, 2025 | Second cert issued (renewal or new) | | Dec 18, 2025 09:40 UTC | PreCog Sweep first detection | | Dec 18, 2025 11:50 UTC | ThreatFox tags as "Unknown Stealer - botnet_cc" | | Dec 19, 2025 | DugganUSA investigation and publication |

*We found a malware-as-a-service panel called stealer.su. It has a login page. It's behind Cloudflare. It's using the Soviet Union TLD. And until now, nobody was talking about it.*

*Come at us with facts, not feelings.*

Get Free IOCs

Subscribe to our threat intelligence feeds:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]

A Stealer-as-a-Service Panel Hiding Behind Cloudflare

The Discovery

The Infrastructure

DNS Resolution

Certificate Transparency

WHOIS

Related Infrastructure

What Is This?

Why This Matters

1. It's Brazenly Named

2. It's Behind Cloudflare

3. It's Using Legitimate Certificate Authorities

4. Nobody's Reporting It

The Evidence

Query Our Index

IOC List

STIX Feed

Recommendations

The Bigger Picture

Timeline

Get Free IOCs

Get Free IOCs

Recent Posts

Comments