
CL-UNK-1068: The C2 Hunt Unit 42 Didn't Finish

  • Writer: Patrick Duggan
  • Mar 10
  • 5 min read

On March 5, 2026, Palo Alto's Unit 42 published research on a Chinese-speaking espionage cluster they designated CL-UNK-1068. Active since at least 2020. Targeting aviation, energy, government, pharma, and telecom across South and Southeast Asia.


They published the IOCs. Seven C2 IPs. Thirty SHA256 hashes. Two malware families. Then they moved on.


We didn't.




What Unit 42 Published



The basics. CL-UNK-1068 uses:


- **GodZilla and AntSword web shells** — commodity Chinese-language web shells for initial access

- **ScanPortPlus** — a custom Go-based port scanner they wrote themselves

- **Modified FRP tunneling** — with hardcoded auth token `frpforzhangwei` and password `f*ckroot123` (yes, really)

- **Xnote** — a custom Linux backdoor

- **Sliver C2** — open-source command and control framework

- **Mimikatz + LsaRecorder** — credential dumping

- **PwnKit (CVE-2021-4034)** — privilege escalation on Linux


Solid research. Good IOCs. But they stopped at the indicators.


We enriched every single one through six intelligence sources simultaneously. Here's what they missed.




PEG TECH INC: The Hosting Provider Nobody Talks About



Three of seven CL-UNK-1068 C2 IPs sit on **PEG TECH INC** (AS54600). A US-registered hosting company that allocates its IPs to Singapore and Hong Kong.


PEG TECH isn't just hosting CL-UNK-1068. Our index shows:


- **49,227 hits** across our 37 indexes for the 107.148.x range

- **7,218 block events** — IPs from this range hitting our honeypots

- **4,660 IOCs** — other malware families sharing this infrastructure

- **Vidar stealer C2** running on 107.148.158.43 — same /16 as CL-UNK-1068's 107.148.130.22


PEG TECH was linked to the **Anthem breach** — 80 million health records stolen in 2015. The company has repeatedly refused to disclose its customers to researchers.


Unit 42 published the IPs. They didn't tell you who's hosting them, what else runs on that infrastructure, or that the same ASN was implicated in the largest healthcare breach in American history.


We did. Because we have 11 million documents and a cross-correlation engine that doesn't stop at the IOC boundary.




The Three C2 IPs Unit 42 Didn't Enrich



107.148.33.60


PEG TECH. Six VirusTotal engines flag it malicious (ADMINUSLabs, BitDefender, ESTsecurity, Fortinet, G-Data, SOCRadar). Zero AbuseIPDB reports. Zero community detection. A known C2 with zero abuse reports — that's the gap.


107.148.51.251


PEG TECH. Running nginx. Hostname: `hsstmg18.cokapro.com`. Ports 135 (RPC), 445 (SMB), and 8888 (proxy/management). The hostname resolves to a domain with no legitimate web presence — classic throwaway infrastructure.


107.148.130.22


PEG TECH. Running nginx on port 80. Five VT detections. Shares a /16 with 107.148.158.43 — a confirmed **Vidar stealer C2** on the SSL Blacklist. Same hosting provider. Same network. Different threat actor. PEG TECH doesn't care who's renting.




The Fortinet Device in Bulgaria



**79.141.169.123** — allocated to Hong Kong, registered to "Vilko Damianov" at an address in Plovdiv, Bulgaria. The hosting company is HZ Hosting Ltd.


Shodan shows:

- **FortiOS** running on this box (CPE: `cpe:/o:fortinet:fortios`)

- Ports 135, 137, 443, 445, 541, 10026, 10028, 10443

- SMB services exposed alongside Fortinet management interfaces


Six VT engines flag it malicious, including **Viettel Threat Intelligence** — Vietnam's national telco.


The Spamhaus DROP list includes the 79.141.x range as **hijacked networks**. Nine OTX pulses reference this IP.


A Chinese espionage group. Running a Fortinet device. Registered under a Bulgarian name. Allocated to Hong Kong. On a hijacked network range.


That's not an IOC. That's a counterintelligence case study.




The AWS Cover Story



Two C2 IPs sit on legitimate AWS Singapore infrastructure:


- **13.250.108.65** — LIVE. Responding HTTP 200. Running WordPress on Apache. Reverse DNS confirms EC2. Zero AbuseIPDB reports. Three VT detections.

- **52.77.253.4** — DEAD. Connection timeout. Likely decommissioned after the Unit 42 publication.


Mixing C2 infrastructure with legitimate cloud providers isn't new. But having a WordPress site actively serving content from a known C2 IP — with zero community abuse reports — demonstrates exactly how these groups maintain operational longevity. They look normal. The abuse databases say they're clean. VirusTotal has three detections out of 94 engines.


If your detection strategy relies on abuse scores and blocklists, you're blind to this.




The Smartcoverage Problem



**43.255.189.67** — the highest VirusTotal detection rate of all seven (7/94 engines), including Viettel Threat Intelligence. Hostname: `sma67.smartcoveragechoice.com`. Hosted by Internet Utilities NA LLC.


"Smart Coverage Choice" is not a real insurance company. It's infrastructure dressed up as a business — a pattern we've documented across hundreds of threat actors. Register a domain that sounds legitimate. Point your C2 at it. Let the hosting provider's reputation absorb the risk.


Internet Utilities NA LLC is a known reseller for bulletproof hosting. This is where C2 infrastructure goes when PEG TECH is too hot.




Zero AbuseIPDB Across All Seven



This is the finding that matters most.


Seven confirmed C2 IPs used by a Chinese espionage group active for six years across five industry verticals in multiple countries. VirusTotal flags each of them with between 3 and 7 engines. Unit 42 published research on them. And **AbuseIPDB has zero reports on any of them**.


Zero. Not low. Zero.


The community detection model failed. These IPs operated for years without a single abuse report. The threat intelligence ecosystem — the one that charges enterprises six figures a year for "comprehensive coverage" — missed all seven.


Our STIX feed didn't miss them. We ingested 22 STIX objects within hours of the Unit 42 publication. 275 consumers in 46 countries had the indicators before most commercial feeds finished their editorial review cycle.




What We Ingested



- **1 threat actor profile** — CL-UNK-1068, Chinese-speaking, espionage motivation

- **2 malware family records** — GodZilla web shell, ScanPortPlus scanner

- **7 IPv4 indicators** — all C2 IPs with full enrichment

- **30 SHA256 hash indicators** — malware samples across the toolset

- **Relationship mappings** — threat actor → malware → indicators


All searchable. All cross-referenced against 11 million documents, 3.3 million ICIJ relationship edges, and 938K+ IOCs.


Search them: `CL-UNK-1068` at [analytics.dugganusa.com](https://analytics.dugganusa.com)
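The object types and relationship chain listed above, as an added example of a minimal STIX 2.1 bundle (not the feed's own code): object ids are fresh UUIDv4s, the vocabulary choices (`spy`, `webshell`, `unknown`) and the `uses`/`indicates` relationship types are the editor's assumptions, and the seven IPs are the ones from the post.

```python
# Added example (not the feed's own code): a minimal STIX 2.1 bundle with the
# object types and relationship chain listed above, built with the stdlib only.
import json
import uuid
from datetime import datetime, timezone

C2_IPS = ["107.148.33.60", "107.148.51.251", "107.148.130.22", "79.141.169.123",
          "13.250.108.65", "52.77.253.4", "43.255.189.67"]  # the seven from the post

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def stix_object(obj_type, **props):
    """A STIX 2.1 object with the required common properties; ids are fresh UUIDv4s."""
    ts = _now()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def ipv4_indicator(ip):
    """Indicator whose STIX pattern matches the C2 address."""
    return stix_object("indicator", name=f"CL-UNK-1068 C2 {ip}", pattern_type="stix",
                       pattern=f"[ipv4-addr:value = '{ip}']", valid_from=_now(),
                       indicator_types=["malicious-activity"])

def relationship(src, rel_type, dst):
    return stix_object("relationship", relationship_type=rel_type,
                       source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """threat-actor --uses--> malware; indicator --indicates--> threat-actor."""
    actor = stix_object("threat-actor", name="CL-UNK-1068", threat_actor_types=["spy"],
                        description="Chinese-speaking espionage cluster")
    malware = [stix_object("malware", name="GodZilla", is_family=True,
                           malware_types=["webshell"]),
               stix_object("malware", name="ScanPortPlus", is_family=True,
                           malware_types=["unknown"])]  # custom Go port scanner
    indicators = [ipv4_indicator(ip) for ip in C2_IPS]
    rels = [relationship(actor, "uses", m) for m in malware]
    rels += [relationship(i, "indicates", actor) for i in indicators]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [actor, *malware, *indicators, *rels]}

def refs_resolve(bundle):
    """Every relationship must point at objects present in the same bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return all(o["source_ref"] in ids and o["target_ref"] in ids
               for o in bundle["objects"] if o["type"] == "relationship")

if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

Running it prints the bundle as JSON; `refs_resolve` is the consumer-side check that no relationship dangles, which is the first thing to run on any third-party STIX feed before trusting its graph.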




The Enrichment Stack



Every IP was enriched through six sources simultaneously via our `/api/v1/threat-intel/enrichment` endpoint:


| Source | What It Told Us |
|--------|----------------|
| **AbuseIPDB** | Nothing. Zero reports on all 7. Community blind spot. |
| **VirusTotal** | 3-7/94 engines per IP. BitDefender, Fortinet, SOCRadar leading detection. |
| **Shodan** | FortiOS on 79.141.169.123. Nginx on PEG TECH IPs. SMB exposure. |
| **OTX** | 0-9 pulses per IP. 79.141.169.123 most referenced (9 pulses). |
| **GreyNoise** | Rate limited during scan — but absence of GreyNoise data means these IPs aren't mass-scanning. Targeted operations. |
| **DugganUSA** | 49,227 hits for PEG TECH range. Vidar C2 neighbor. Spamhaus DROP on 79.141.x. Our STIX bundle. |


One API call. Six sources. Fifteen seconds. Try that with a manual investigation.
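The table above and the earlier warning that abuse scores and blocklists leave you blind, as an added example (editor's code, not the enrichment endpoint's): an abuse-score-only verdict beside a corroboration verdict over the same sources. The thresholds in `SIGNALS` are assumptions, and the sample records are constructed from the post's figures, with the values the post does not give marked as assumed.

```python
# Added example (not the post's code): merge per-source enrichment results and
# compare an abuse-score-only verdict with a corroboration verdict.
from dataclasses import dataclass, field

@dataclass
class Enrichment:
    ip: str
    abuseipdb_reports: int = 0    # AbuseIPDB report count
    vt_malicious: int = 0         # VirusTotal engines flagging malicious (of 94)
    otx_pulses: int = 0           # OTX pulses referencing the IP
    open_ports: set = field(default_factory=set)  # from Shodan
    spamhaus_drop: bool = False   # covering range is on the Spamhaus DROP list

SIGNALS = [  # (source, predicate): what counts as a positive signal per source
    ("abuseipdb", lambda e: e.abuseipdb_reports > 0),
    ("virustotal", lambda e: e.vt_malicious >= 3),            # 3+ engines agree
    ("otx", lambda e: e.otx_pulses > 0),
    ("spamhaus", lambda e: e.spamhaus_drop),
    ("shodan", lambda e: bool({135, 445} & e.open_ports)),   # RPC/SMB exposed
]

def abuse_only_verdict(e):
    """The blocklist-style check the post warns about: one source decides."""
    return "malicious" if e.abuseipdb_reports > 0 else "clean"

def corroborating_sources(e):
    """Independent sources that each carry a positive signal for this IP."""
    return [name for name, hit in SIGNALS if hit(e)]

def multi_source_verdict(e):
    """Two or more independent sources -> block; one -> review; none -> clean."""
    n = len(corroborating_sources(e))
    return "block" if n >= 2 else "review" if n == 1 else "clean"

# Constructed from the post's figures; vt_malicious for 107.148.51.251 is not
# given in the post and is an assumed value.
SAMPLES = [
    Enrichment("107.148.33.60", vt_malicious=6),
    Enrichment("107.148.51.251", vt_malicious=4, open_ports={135, 445, 8888}),
    Enrichment("79.141.169.123", vt_malicious=6, otx_pulses=9, spamhaus_drop=True,
               open_ports={135, 137, 443, 445, 541, 10026, 10028, 10443}),
    Enrichment("13.250.108.65", vt_malicious=3),
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(f"{e.ip:15} abuse-only={abuse_only_verdict(e):9} "
              f"multi-source={multi_source_verdict(e)} via {corroborating_sources(e)}")
```

Every sample comes back "clean" from the abuse-only check and nothing below "review" from the corroboration check; the point is that silence from one source is never evidence on its own.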




Why This Matters



Unit 42 does good work. Their IOCs are accurate. Their malware analysis is thorough.


But publishing IOCs without infrastructure analysis is like publishing a suspect's fingerprints without checking who owns the building they were found in.


PEG TECH hosts Chinese espionage and Vidar stealers on the same network. The Fortinet device in Bulgaria is registered under a false name on hijacked IP space. The AWS instances are clean enough to fool every abuse database on the internet.


That's not a list of indicators. That's an infrastructure map. And infrastructure maps are what defenders actually need.




*22 STIX objects. 7 enriched C2 IPs. 275 consumers protected. Zero editorial delay.*


*STIX feed: [analytics.dugganusa.com/api/v1/stix-feed](https://analytics.dugganusa.com/api/v1/stix-feed)*


*Search CL-UNK-1068: [analytics.dugganusa.com](https://analytics.dugganusa.com)*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*
