
CPUID Got Hit for 19 Hours. We Had the C2 in Our Feed By Day Two.

  • Writer: Patrick Duggan
  • 14 minutes ago

Every IT person on Earth has downloaded CPU-Z or HWMonitor at some point. Hardware nerds, overclockers, support techs, forensic investigators — the tools are free, they're signed, they come from a French company called CPUID that nobody thinks twice about. Trust is the whole product.


On April 9, 2026 at 15:00 UTC, attackers flipped the download links on cpuid.com. For the next 19 hours, anyone clicking "Download" on CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, or PerfMonitor 2.04 got a trojanized installer instead of the real one. The signed binaries on CPUID's servers were never touched. The attackers didn't need them. They owned the links.


CPUID pulled the plug around April 10, 10:00 UTC. Kaspersky says at least 150 victims got hit in that window — individuals mostly, but also organizations in retail, manufacturing, consulting, telecom, and agriculture, concentrated in Brazil, Russia, and China.


This is Pattern 38. Trusted distributor, poisoned link, signed-looking payload. We've been writing about this pattern for four months. Here's what made this one special — and what we saw from our side of the fence.





The Payload: STX RAT, and It Never Touches Disk


The installers looked fine on the surface. Under the hood, the attackers used DLL sideloading — a malicious cryptbase.dll that gets pulled in when the legitimate signed executable runs. From there, the infection goes entirely in-memory:


  • Five-stage loader

  • Reflective PE loading

  • XOR decryption with layered bitwise transforms

  • No disk artifacts until the RAT is fully live

Breakglass Intelligence traced the campaign back to July 2025 — a sample called superbad.exe beaconing to 95.216.51.236 (Hetzner, Germany). That's a 10-month operation before the CPUID compromise. The attackers weren't building STX RAT this spring. They were shopping for a distribution channel.


Attribution leans toward a Russian-speaking operator, either financially motivated or working as an initial access broker. This is the kind of operator who runs a campaign quietly, picks their supply chain opportunity, and uses the access to either sell it or pivot into ransomware.





The Receipts: We Had the C2 On April 11


This is where it gets useful for anyone reading a DugganUSA STIX feed.


The final-stage C2 for STX RAT is welcome.supp0v3.com. We indexed that domain on April 11, 2026 at 13:55 UTC — 45 hours after CPUID pulled the plug — from the abuse.ch SSL Blacklist feed. Classification at that point: "SSL Blacklist: Unknown malware C2."


On April 12 at 18:49 UTC, we re-indexed the same domain with proper attribution: STX RAT, CPUID supply chain context, 150+ victims, DLL sideload + DoH over Cloudflare, MITRE T1071.001. That's a cross-referencing job we can do because our blog post index, IOC index, and pulse index all live in the same Meilisearch instance — correlation is a query, not a project.


By April 14 at 09:40 UTC, SSLBL had also captured the specific callback URL: https://welcome.supp0v3.com/d/callback. That's the thing your EDR actually needs to see in HTTP logs. Bare-domain blocks help, but path-level IOCs are what turn a block event into an incident ticket.


If you're a STIX feed consumer — and there are 275+ of you across 46 countries, including Microsoft, AT&T, and Starlink — you've had this indicator since April 11. If you're running our IP blocklist CSV at https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv, you've had the infrastructure flagged too.


We also carry the payload hash: 52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6 (SHA-256, STX RAT main stage). Drop that into VirusTotal, your SIEM, or your file-integrity tooling.





Why This One Matters More Than It Looks


A 19-hour window sounds small. It isn't. Download links to utilities like CPU-Z get baked into things nobody thinks about:


  • Corporate imaging scripts that pull "the latest CPU-Z" during system provisioning

  • Package managers like Scoop and Chocolatey that mirror upstream download URLs

  • Support KB articles — "Step 1: download HWMonitor from the official site" — that never get audited

  • IT automation runbooks inside hospitals, manufacturing floors, managed service providers

A trojanized installer from April 9 doesn't stop being trojanized when CPUID fixes the link on April 10. It stays in whatever cache, whatever script output, whatever PowerShell transcript it already landed in. The campaign lives on in the corners of your environment that never get re-pulled.


And this is the part that should keep CISOs up at night: the signed binaries were fine. The attackers didn't need to sign anything. They just needed to own the hyperlink. Code signing is not a supply chain defense when the attacker owns the distribution path.





What To Do Right Now


Hunt for the IOCs. You know where to find them. Our STIX feed, our IP blocklist, our hash CSV. The domain is welcome.supp0v3.com. The legacy C2 is 95.216.51.236. The payload hash is in our index.


Check your imaging and provisioning scripts. Any automation that downloads CPU-Z or HWMonitor from cpuid.com between April 9 15:00 UTC and April 10 10:00 UTC is suspect. Rehash every installer you pulled in that window against the hashes published by CPUID after the incident.


Review DLL sideloading detections. The campaign's signature move is a malicious cryptbase.dll loaded by a legitimate signed executable. If your EDR can't detect the DLL-load-from-user-writable-path pattern, you are blind to this entire class of attack. Not just STX RAT — most commodity stealers and half of the advanced loaders use this exact trick.
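As an added example, not the author's tooling, here is the DLL-load-from-outside-System32 check described above written in Python over constructed Sysmon ImageLoad-style records; the system-DLL set, the user-writable path fragments and the sample executable paths are assumptions.

```python
# Detect the DLL-sideload pattern: a Windows system DLL name (cryptbase.dll
# in this campaign) loaded from anywhere other than System32/SysWOW64.
# Records mimic Sysmon Event ID 7 (ImageLoad) fields and are constructed.
import ntpath

# DLLs that legitimately resolve only from System32; cryptbase.dll is the one
# named in the CPUID campaign. Extend the set for your environment.
SYSTEM_DLLS = {"cryptbase.dll"}

# Directory fragments treated as user-writable (assumption; tune per estate).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample events: process image, loaded DLL, host signature status.
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\cpu-z\cpuz.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\cpu-z\cryptbase.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\CPUID\CPU-Z\cpuz.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\bob\AppData\Local\tool\tool.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\tool\helper.dll",
     "Signed": "false"},
]

def is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)

def is_sideload(event: dict) -> bool:
    """True when a System32-resident DLL name loads from outside System32."""
    dll_path = event["ImageLoaded"]
    if ntpath.basename(dll_path).lower() not in SYSTEM_DLLS:
        return False
    parent = ntpath.dirname(dll_path).lower()
    return not parent.endswith(("\\system32", "\\syswow64"))

def hunt(events: list) -> list:
    """One alert per sideload hit; a user-writable DLL path ranks 'high'."""
    alerts = []
    for ev in events:
        if not is_sideload(ev):
            continue
        writable = is_user_writable(ev["ImageLoaded"])
        alerts.append({"host_exe": ev["Image"], "dll": ev["ImageLoaded"],
                       "host_signed": ev["Signed"] == "true",
                       "user_writable": writable,
                       "severity": "high" if writable else "medium"})
    return alerts
```

A signed host executable in the alert is the expected shape of a sideload, not a reason to discard it.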


Block the URL, not just the domain. Block welcome.supp0v3.com at DNS. Block /d/callback at the proxy. Both layers. DoH-capable malware will chew through a pure-DNS block the second you turn your head.
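An added example, not the post's own feed code, that hunts the indicators quoted in this post (domain, callback path, legacy IP, payload hash) across constructed proxy, resolver and file-hash lines, keeping path-level hits separate from bare-domain hits as the earlier section recommends; the log formats, client IPs and file paths are constructed.

```python
# Hunt the CPUID/STX RAT indicators across proxy, DNS and file-hash records.
# Host, URL path and IP are matched separately so a path hit can be ticketed.
from urllib.parse import urlsplit

# Indicators quoted in the post.
C2_DOMAIN = "welcome.supp0v3.com"
C2_PATH = "/d/callback"
LEGACY_C2_IP = "95.216.51.236"
PAYLOAD_SHA256 = "52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6"

# Constructed proxy lines: "<ts> <client> <method> <url> <status>".
PROXY_LOG = """\
2026-04-12T09:01:03Z 10.0.4.21 GET https://welcome.supp0v3.com/d/callback 200
2026-04-12T09:01:09Z 10.0.4.21 GET https://welcome.supp0v3.com/ 200
2026-04-12T09:02:11Z 10.0.4.33 GET https://www.cpuid.com/ 200
2026-04-12T09:03:30Z 10.0.4.77 POST http://95.216.51.236/ 200
"""
# Constructed resolver lines: "<ts> <client> <qname>". Client 10.0.4.21 never
# appears here: an implant resolving over DoH bypasses the resolver entirely.
DNS_LOG = """\
2026-04-12T09:00:58Z 10.0.4.33 www.cpuid.com
2026-04-12T09:05:40Z 10.0.4.50 welcome.supp0v3.com
"""
# Constructed file inventory: "<sha256> <path>".
HASH_LOG = """\
52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6 C:\\Users\\alice\\Downloads\\cpu-z\\cpuz.exe
0000000000000000000000000000000000000000000000000000000000000000 C:\\Windows\\notepad.exe
"""

def hunt_proxy(log: str) -> list:
    # (ts, client, kind) per hit; the callback path is its own kind.
    hits = []
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        u = urlsplit(url)
        if u.hostname == C2_DOMAIN:
            hits.append((ts, client, "c2_callback" if u.path == C2_PATH else "c2_domain"))
        elif u.hostname == LEGACY_C2_IP:
            hits.append((ts, client, "legacy_c2_ip"))
    return hits

def hunt_dns(log: str) -> list:
    rows = (line.split() for line in log.splitlines())
    return [(ts, client, "c2_domain_query") for ts, client, qname in rows
            if qname == C2_DOMAIN]

def hunt_hashes(log: str) -> list:
    rows = (line.split(maxsplit=1) for line in log.splitlines())
    return [(path, "stx_rat_payload") for digest, path in rows
            if digest.lower() == PAYLOAD_SHA256]
```

Path-level matching assumes the proxy records full URLs, which for HTTPS means TLS inspection is in place; without it only the CONNECT host is visible and the callback path cannot be matched.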





Pattern 38 Doesn't Stop


This is the eleventh supply-chain compromise we've written up in four months. Different vendor, different region, same physics: trusted distributor, trusted cert chain, trusted click. The attackers don't need to break your firewall. They wait for you to open the front door yourself.


We keep writing this post because the industry keeps giving us new datasets. We keep publishing IOCs because the people who need them never get them fast enough from anywhere else. And we keep running a $75/month threat intel platform because the big vendors still think their job is retrospective reports, not indicators you can block with tomorrow morning.


19 hours. 150 victims. A 10-month campaign hiding behind a free hardware utility. Next time it won't be HWMonitor. But it'll look exactly like this.


— Patrick





DugganUSA STIX feed: https://analytics.dugganusa.com/api/v1/stix-feed

