DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

DPRK Tradecraft Evolution: From Email to QR Code to Blockchain

Patrick Duggan
Jan 8
3 min read

The FBI Warning (January 8, 2026)

From FBI FLASH AC-000001-MW:

"As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns."

The technique is called "Quishing"—QR code phishing. Here's why it works:

Traditional Phishing	Quishing
Malicious URL in email body	Malicious URL encoded in QR image
Email security scans and flags URL	QR code is just an image—no URL to scan
Victim clicks on corporate endpoint	Victim scans with mobile phone
Corporate DLP, proxy, EDR all watching	Mobile device has none of that

They're forcing targets off defended infrastructure onto undefended personal devices.

The June 2025 Attack

The FBI documented a specific incident:

Kimsuky sends spearphishing email to a strategic advisory firm
Email invites recipients to a (non-existent) conference
Email contains QR code for "registration"
QR code leads to fake Google login page
Credentials harvested

No malicious attachment. No suspicious URL in the email body. Just an image that your phone happily decodes and opens.

Why This Matters: The Evasion Chain

Email security has gotten better. Defenders improved. So DPRK adapted.

Kimsuky exploited weak DMARC policies to spoof trusted senders
NSA/FBI joint advisory documented the technique
Defense: Organizations hardened DMARC, SPF, DKIM

Email body now clean—no URLs to flag
QR code forces victim to mobile
Bypasses corporate security stack entirely
Defense: ...still emerging

Once inside, DPRK deploys EtherRAT
C2 stored in Ethereum smart contract
Can't be taken down—blockchain is forever
We documented this December 28

The Full Kill Chain

Connect the dots:

┌─────────────────────────────────────────────────────────────────┐
│                    DPRK 2026 KILL CHAIN                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  1. INITIAL ACCESS                                              │
│     └── Quishing: QR code in spearphishing email                │
│         └── Target: Think tanks, academia, foreign policy       │
│         └── Evasion: Bypasses email security via image          │
│                                                                 │
│  2. CREDENTIAL HARVEST                                          │
│     └── Fake login page (Google, Microsoft, etc.)               │
│         └── Mobile browser—no corporate proxy                   │
│         └── MFA bypass via real-time phishing frameworks        │
│                                                                 │
│  3. PERSISTENCE                                                 │
│     └── EtherRAT deployment                                     │
│         └── C2 stored in Ethereum smart contract                │
│         └── Queries 9 RPC endpoints with consensus voting       │
│         └── Can't be seized, taken down, or poisoned            │
│                                                                 │
│  4. COLLECTION                                                  │
│     └── Intelligence gathering on NK policy                     │
│         └── Credential reuse across accounts                    │
│         └── Lateral movement to high-value targets              │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

This is a mature, evolving operation. They're not script kiddies. They're reading the defensive landscape and adapting faster than most enterprises can patch.

Detection Opportunities

For Quishing (QR Code Phishing)

User training: If an email contains a QR code and asks you to scan it, that's suspicious. Legitimate organizations provide clickable links.

QR code scanning in email gateway: Some advanced email security can now decode QR codes and analyze embedded URLs. Enable it if you have it.

Mobile device management: If your users scan a QR code on a corporate mobile device, MDM should be logging and potentially blocking suspicious domains.

Report suspicious QR codes: Establish clear protocols. "I got an email with a QR code" should trigger review.

For EtherRAT/Blockchain C2

eth_call
eth_getStorageAt
Connections to Infura, Alchemy, Ankr, QuickNode

Your web server should not be talking to blockchain nodes. If it is, you're already compromised.

Check persistence locations: `` ~/.config/systemd/user/*.service ~/.config/autostart/*.desktop @reboot cron jobs .bashrc / .profile injections ``

IOCs

EtherRAT Staging (from our December 28 analysis) ``` 193.24.123.68 ```

React2Shell C2 (used in same DPRK campaign) ``` 193.34.213.150 154.89.152.240 107.174.123.91 38.165.44.205 45.76.155.14 216.238.68.169 78.153.140.16 80.64.16.241 2.56.176.35 ```

Domains ``` gfxnick.emerald.usbx.me api.qtss.cc conclusion-ideas-cover-customise.trycloudflare.com proxy1.ip2worlds.vip ```

The Pattern

DPRK isn't standing still. They're evolving on three fronts simultaneously:

Front	Evolution	Our Coverage
Initial Access	Email → QR code (quishing)	This post
Exploitation	Zero-days within 48 hours of disclosure	Sunday Threat Sweep
Persistence	Traditional C2 → Blockchain C2	DPRK Read Our Math

They read the same research we do. They adapt faster than most defenders. And they're getting better.

Recommendations

Treat QR codes in emails as suspicious by default
Implement phishing-resistant MFA (FIDO2, hardware keys)
Monitor for blockchain RPC traffic from non-blockchain systems
Block the IOCs in this post and our STIX feed
Brief your foreign policy / academic contacts — they're the targets

Get Protected

All IOCs available in machine-readable formats:

STIX 2.1 Feed: ``bash curl https://analytics.dugganusa.com/api/v1/stix-feed ``

Free. Machine-readable. No enterprise contract required.

Sources

About DugganUSA: We publish free threat intelligence for the 99% who can't afford enterprise security. Our STIX 2.1 feed tracks 2,200+ blocked IPs with MITRE ATT&CK attribution. Built on $77/month of Azure Container Apps.

STIX Feed | OTX Profile

Her name is Renee Nicole Good.