DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Cloud Espionage in the Crosshairs: How Murky Panda Is Weaponizing Entra ID Trust

Patrick Duggan
Aug 29, 2025
2 min read

The Problem: Cloud Trust & Tech Debt Is Being Weaponized

In a chilling escalation of cloud-native espionage, Chinese threat actor Murky Panda (aka Silk Typhoon) has shifted tactics from zero-day exploitation to abusing trusted relationships in Microsoft Entra ID tenants. The group has been observed compromising upstream suppliers and using their administrative access to inject backdoor accounts and hijack service principals—all without triggering traditional security controls.

This isn’t just a supply chain problem. It’s a cloud control plane compromise, and it’s happening in live environments.

Attack Anatomy

Initial Access: Exploits like CVE-2023-3519 (Citrix) and CVE-2025-3928 (Commvault)
Persistence: Web shells (neo-reGeorg) and custom malware (CloudedHope)
Privilege Abuse: Creation of temporary Entra ID accounts with elevated roles
Service Principal Hijack: Backdooring existing app identities tied to AD and email
Stealth: Timestamp manipulation, indicator deletion, and SOHO exit nodes

Murky Panda isn’t alone. Genesis Panda is querying Instance Metadata Services (IMDS) to extract credentials and pivot laterally, while Glacial Panda is targeting legacy telecom stacks with trojanized OpenSSH binaries.

The common thread? Cloud-native blind spots—especially in identity governance, legacy protocol exposure, and trust boundaries.

The Solution: Entra ID Hardening Checklist

Mapped to NIST SP 800-53 Rev. 5 | Based on Microsoft’s secure architecture guidance

🔐 Control Area	NIST Control	Action Item	Urgency
Access Control	AC-2, AC-3, AC-5	Disable legacy auth protocols (SMTP, POP3, IMAP4, BAV2ROPC)	🔥 Immediate
	AC-6	Enforce least privilege on service principals	🔒 Critical
	AC-17	Apply Conditional Access to all identities (users + workloads)	🛡️ High
Identification & Authentication	IA-2, IA-5	Enforce MFA and passwordless auth (FIDO2, TAP)	🚨 Non-negotiable
	IA-9	Monitor non-interactive sign-ins and app-only tokens	👀 Continuous
Audit & Accountability	AU-2, AU-6	Enable sign-in logs and audit service principal activity	📊 Daily
	AU-12	Integrate with Sentinel and Defender for Identity	🧠 Smart move
System & Communications Protection	SC-12, SC-28	Rotate secrets/certs for service principals regularly	🔁 Scheduled
	SC-7	Restrict partner org access and enforce trust boundaries	🧱 Structural
Configuration Management	CM-2, CM-6	Use managed identities instead of service principals	🧰 Modernize
Risk Assessment	RA-5	Simulate attacks with EntraGoat or Red Team tooling	🧪 Proactive

Playbook: Responding to Entra ID Abuse

Legacy Auth Exploitation

Detect: Sign-in logs show legacy protocol usage
Contain: Block via Conditional Access immediately
Remediate: Rotate credentials, enforce MFA, notify users
Recover: Validate policy coverage and disable fallback methods

Service Principal Hijack

Detect: App-only sign-ins from unknown IPs or odd hours
Contain: Revoke credentials, disable compromised principal
Remediate: Audit permissions, rotate secrets, apply workload identity policies
Recover: Revalidate app registrations and enforce secure ownership

Final Word

This isn’t a theoretical risk—it’s an active campaign. If your Entra ID tenant isn’t hardened against these tactics, you’re not just vulnerable—you’re already late. The time to act is now.