
Dear Huawei Cloud: Thanks for the 289 Requests, Here's 46 Blocks

  • Writer: Patrick Duggan
  • Dec 12, 2025
  • 5 min read

---
title: "Dear Huawei Cloud: Thanks for the 289 Requests, Here's 46 Blocks"
date: 2025-12-12
author: Patrick Duggan
tags: [huawei, threat-intelligence, countersurveillance, china, state-actors, blocked]
category: Hall of Shame
featured: true
---


The Quiet Customer


For seven days, they never complained. Never raised a ticket. Never asked for support.


They just... consumed.


289 requests. 46 unique IPs. Three continents. Every single blog post about Chinese APT operations. And the STIX feed. Always the STIX feed.


They were our most engaged "customer." Reading posts about Volt Typhoon IOCs. Studying our Pattern 38 C2 infrastructure exposures. Downloading threat intel that burns Chinese operations.


Five stars. Would subscribe again.


There was just one small problem: Huawei is on the US Entity List, designated a Chinese Military Company by the DoD, and legally required by Chinese law to cooperate with state intelligence services.


Oops.




The Traffic Pattern That Gave Them Away


| Date | Huawei Requests | What Happened |
|------|-----------------|---------------|
| Dec 5 | 12 | Baseline |
| Dec 6 | 30 | +150% |
| Dec 7 | 66 | +450% |
| Dec 8 | 9 | Weekend lull |
| Dec 9 | 22 | We auto-blocked Qihoo 360 |
| Dec 10 | 139 | SYSTEMATIC CRAWL |
| Dec 12 | 24 | We noticed |


That Dec 10 spike? 1,058% above baseline. Not a bot. Not a crawler. A methodical intelligence gathering operation reading every piece of threat intel we've ever published.
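As an added example (not the post's own tooling), this is how the spike-over-baseline and "what were they reading" checks above can be run over access logs, attributing requests to Huawei Cloud by the `ecs-X-X-X-X.compute.hwclouds-dns.com` reverse-DNS pattern the post cites. The log lines are constructed and the four-field line layout is an assumption.

```python
import re
from collections import Counter

# Huawei Cloud reverse-DNS pattern quoted in the post: ecs-X-X-X-X.compute.hwclouds-dns.com
HWCLOUD_RDNS = re.compile(r"^ecs-\d{1,3}(?:-\d{1,3}){3}\.compute\.hwclouds-dns\.com$")
# Substrings of the paths the post lists as threat-intel content.
INTEL_PATHS = ("chinese-apt", "pattern-38", "/api/v1/stix-feed")

# Constructed sample access log (not real traffic): "<date> <client-ip> <rdns> <path>" per line.
SAMPLE_LOG = """\
2025-12-05 101.44.163.138 ecs-101-44-163-138.compute.hwclouds-dns.com /chinese-apt-typhoon-family-20-iocs
2025-12-05 203.0.113.7 host-7.example.net /about
2025-12-05 101.44.184.14 ecs-101-44-184-14.compute.hwclouds-dns.com /api/v1/stix-feed
2025-12-06 203.0.113.9 host-9.example.net /pricing
2025-12-10 101.44.163.138 ecs-101-44-163-138.compute.hwclouds-dns.com /api/v1/stix-feed
2025-12-10 101.44.184.14 ecs-101-44-184-14.compute.hwclouds-dns.com /we-found-their-server-pattern-38-c2-infrastructure-exposed
2025-12-10 122.8.185.8 ecs-122-8-185-8.compute.hwclouds-dns.com /api/v1/stix-feed
2025-12-10 101.44.27.16 ecs-101-44-27-16.compute.hwclouds-dns.com /multi-dimensional-threat-intelligence-analysis
2025-12-10 101.44.25.58 ecs-101-44-25-58.compute.hwclouds-dns.com /api/v1/stix-feed
2025-12-10 203.0.113.7 host-7.example.net /
"""

def parse_log(text):
    """Split each line into (date, ip, rdns, path); malformed lines are skipped."""
    return [tuple(p) for p in (line.split() for line in text.splitlines()) if len(p) == 4]

def hwcloud_daily_counts(records):
    """Requests per day whose rDNS matches the Huawei Cloud hostname pattern."""
    return Counter(date for date, _ip, rdns, _path in records if HWCLOUD_RDNS.match(rdns))

def spikes(daily, baseline_date, threshold_pct=100):
    """Days whose Huawei Cloud count sits more than threshold_pct percent above the baseline day."""
    base = daily.get(baseline_date, 0)
    if base == 0:
        return []
    out = []
    for day, n in sorted(daily.items()):
        pct_above = (n - base) / base * 100
        if day != baseline_date and pct_above > threshold_pct:
            out.append((day, round(pct_above)))
    return out

def intel_share(records):
    """(fraction of Huawei Cloud requests hitting threat-intel paths, number of distinct Huawei IPs)."""
    hw = [(ip, path) for _d, ip, rdns, path in records if HWCLOUD_RDNS.match(rdns)]
    if not hw:
        return 0.0, 0
    hits = sum(1 for _ip, path in hw if any(k in path for k in INTEL_PATHS))
    return hits / len(hw), len({ip for ip, _ in hw})
```

On the sample log, `spikes(hwcloud_daily_counts(parse_log(SAMPLE_LOG)), "2025-12-05")` flags Dec 10 at 150% above baseline, and `intel_share` shows six of seven Huawei Cloud requests landing on threat-intel content from five distinct IPs.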




The Geography of "Plausible Deniability"


Where does a US-sanctioned Chinese military company park its surveillance infrastructure?


| Location | IPs | Percentage |
|----------|-----|------------|
| Singapore | 20 | 43% |
| Mexico City | 20 | 43% |
| Hong Kong | 6 | 13% |


Twenty servers in Mexico City.


Not Beijing. Not Shanghai. Not even Hong Kong primarily. Mexico City.


Why? Because traffic from `101.44.x.x` with a Mexican geolocation raises fewer flags than direct-from-China. It's Tradecraft 101: stage your reconnaissance from somewhere that doesn't scream "state actor."


Fun fact: Mexico City is closer to Minnesota than Beijing. Latency optimization for your surveillance, how thoughtful.




What They Were Reading


Not our homepage. Not our pricing. Not our "About Us" page.


This is what Huawei Cloud spent 289 requests reading:


| Content | Why It Matters |
|---------|----------------|
| `chinese-apt-typhoon-family-20-iocs` | IOCs of their operations |
| `we-found-their-server-pattern-38-c2-infrastructure-exposed` | We found their C2 servers |
| `pattern-38-impact-how-we-protected-2-million-open-source-users` | Our detection methods |
| `hunting-supply-chain-attacks-while-getting-supply-chain-attacked` | How we hunt them |
| `multi-dimensional-threat-intelligence-analysis` | Our analytical capabilities |
| `/api/v1/stix-feed` | THE ACTUAL THREAT INTEL |


They were reading posts about Chinese APT infrastructure while downloading the feed that exposes Chinese APT infrastructure.


That's not a customer. That's countersurveillance.




The Hostnames That Made Us Laugh


Every Huawei Cloud IP has a predictable hostname pattern: `ecs-X-X-X-X.compute.hwclouds-dns.com`


Except two:


1. `www.hwawei.com` (119.8.181.245)


A typosquat of `huawei.com`. Registered through a Delaware privacy shell. Updated December 3, 2025—nine days before we blocked them.


SPF record: `v=spf1 ip6:fdcf:abda:4154::/48 -all`


IPv6-only SPF. Because nothing says "legitimate business" like configuring your email authentication to only work on IPv6.


2. `mail003.cissp.or.id` (122.8.187.130)


A mail server pretending to be associated with CISSP certification. Indonesian `.or.id` TLD (organization). Google MX records for phishing. Hosted on Huawei Cloud.


Because when you're a Chinese military company doing surveillance, why not also run a fake security certification phishing operation on the side?




The TA459 Connection


Here's where it gets spicy.


VulDB's Cyber Threat Intelligence database tracks a threat actor called TA459—a Chinese APT known for PlugX malware deployment, targeting Russia and Central Asia for military intelligence.


Their documented infrastructure includes: `ecs-122-9-52-215.compute.hwclouds-dns.com`


Same naming pattern. Same ASN (AS136907). Same Huawei Cloud infrastructure.


TA459 uses Huawei Cloud for C2. And now Huawei Cloud is reading our threat intel about Chinese APT operations.


Coincidence? In this economy?




The Legal Reality


Let's be very clear about what Huawei is:


| Designation | Date | Authority | Meaning |
|-------------|------|-----------|---------|
| US Entity List | May 2019 | Commerce Dept | Export restrictions |
| Chinese Military Company | 2021 | DoD | Defense implications |
| National Intelligence Law | 2017 | China | Must cooperate with state intel |


From China's National Intelligence Law:

> "All organizations and citizens shall support, assist, and cooperate with national intelligence efforts."


Huawei isn't just a company that might cooperate with Chinese intelligence. They are legally required to. Every employee. Every server. Every request to our threat intel feed.


When Huawei Cloud reads our Chinese APT blog posts, that information is legally obligated to flow to Chinese intelligence services.


We were providing free counterintelligence to the MSS.




The Block


At 15:24 UTC on December 12, 2025, we blocked all 46 Huawei Cloud IPs via Cloudflare.



```
=== Blocking 46 Huawei Cloud IPs ===

Blocking 119.8.41.86... ✅
Blocking 150.40.242.182... ✅
Blocking 46.250.168.161... ✅
[... 43 more ✅s ...]

=== SUMMARY ===
Blocked: 46
Failed: 0
```


Every IP. Every server. Singapore, Mexico City, Hong Kong. All of them.


The STIX feed is still free. Just not for sanctioned Chinese military companies conducting countersurveillance on American threat intelligence operations.




What We Learned


1. The quiet ones are watching. Our most "engaged" reader was a state actor.


2. Geographic distribution is tradecraft. 20 servers in Mexico City isn't a business decision—it's operational security.


3. They read what they fear. Every post about Chinese APTs got hits. Our cat pictures? Zero interest.


4. Typosquats are everywhere. `hwawei.com` updated 9 days before we caught them.


5. Free threat intel attracts threat actors. The STIX feed designed to burn their operations was being consumed to protect them.




The Punchline



• Never complained

• High engagement

• Read everything

• Consumed the STIX feed daily


They just forgot to mention they're a US-sanctioned Chinese military company legally required to share everything they learn with state intelligence services.


Our bad for not asking.


To the analysts at Huawei Cloud / MSS / whoever: Thanks for reading! We hope our Chinese APT coverage was helpful for your operations. Sorry about the 46 blocks—nothing personal, just policy. Feel free to spin up new infrastructure; we'll be here when you do.


And next time? Maybe use a VPN that doesn't resolve to `hwclouds-dns.com`.




Technical Details


Blocked IPs (46 total):






• `hwawei.com` - Huawei typosquat (active)

• `cissp.or.id` - Fake CISSP phishing domain


ASN: AS136907 (HUAWEI CLOUDS)


MITRE ATT&CK: T1592 - Gather Victim Host Information, T1590 - Gather Victim Network Information, T1598 - Phishing for Information



• [US Entity List - Huawei](https://www.bis.doc.gov/index.php/documents/pdfs/2447-huawei-entity-listing-faqs/file)

• [CRS Report: U.S. Restrictions on Huawei Technologies](https://crsreports.congress.gov/product/pdf/R/R47012/2)

• [Trend Micro: Actors Target Huawei Cloud](https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html)

• [VulDB: TA459 Threat Actor](https://github.com/vuldb/cyber_threat_intelligence/tree/main/actors/t/TA459)




*Judge Dredd doesn't care about your geopolitics. It cares about your access patterns.*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

