
First to Report: Pulsar RAT Distribution on GitHub

  • Writer: Patrick Duggan
  • Dec 10, 2025
  • 5 min read

```yaml
---
title: "First to Report: Pulsar RAT Distribution on GitHub - From Code to C2 in 14 Days"
slug: pulsar-rat-github-distribution-first-reporter
date: 2025-12-10
author: Patrick Duggan
tags: [pulsar-rat, quasar-rat, malware-analysis, github, supply-chain, pattern-38, first-reporter, threat-intel]
category: Threat Intelligence
featured: true
---
```


From Code to C2 in 14 Days


> *"Privet, Russia."* — A Minnesota cybersecurity researcher, December 2025


We found a malware distribution account on GitHub hosting Pulsar RAT and XMR cryptominer samples. We're documenting the entire investigation path because the speed from code-to-deployment matters — and the only way to stop bad actors faster is to document everything.


This is what "eating our own dog food" looks like.




The Discovery


On December 10, 2025, during a routine ThreatFox C2 sweep, we investigated the "pulsar" tag and found references to a GitHub repository hosting functional Pulsar RAT samples.


- Account: `gololobovevgenij4-byte`
- Status: ACTIVE (as of publication)
- Created: August 5, 2025
- User ID: 224857850



```mermaid
timeline
    title Account Timeline
    Aug 5, 2025 : Account created (gololobovevgenij4-byte)
    Oct 29, 2025 : test1 repo created (probing)
    Nov 26, 2025 : quasar-modded-malware-sample (Pulsar RAT v1)
    Dec 1, 2025 : Silent-Crypto-Miner (XMR miner, 40% attacker take rate)
    Dec 9, 2025 : test repo (Pulsar RAT v2)
    Dec 10, 2025 : DugganUSA detection & report
```




The Malware


Repository 1: quasar-modded-malware-sample


| Field | Value |
|-------|-------|
| File | `Pulsar-Client.exe` |
| Size | 978 KB |
| SHA256 | `ca49f69a007de870c0ae4c9cabaa4707ad73c9735d643c7bfcdc2a4cf2ba9765` |
| Classification | Pulsar RAT v2.4.5 (Quasar fork) |
| Created | November 26, 2025 |


Repository 2: test


| Field | Value |
|-------|-------|
| File | `Pulsar-Client.exe` |
| Size | 978 KB |
| SHA256 | `22804099ed114502613561e19c39b08d85532366de6aa7dc7b648da51d4a7515` |
| Classification | Pulsar RAT v2.4.5 (variant build) |
| Created | December 9, 2025 |


Repository 3: Silent-Crypto-Miner-modded-build-Sample


| Field | Value |
|-------|-------|
| File | `xmr 40%.exe` |
| Size | 3.4 MB |
| SHA256 | `de5fcb3128ab96a7c5e45d93ed01498102aacde90552b9bffc581fa94d5c8e6a` |
| Classification | XMR cryptominer (40% attacker take rate) |
| Created | December 1, 2025 |




Technical Analysis: Pulsar RAT


Pulsar RAT is a .NET-based Remote Access Trojan that extends the Quasar RAT framework. Its dependencies are merged into the client executable with Costura (the `costura.*.dll.compressed` resource names), so the library version is visible in plain strings even before unpacking. Our string analysis confirmed version 2.4.5:

```text
costura.pulsar.common.dll.compressed|2.4.5.0|Pulsar.Common, Version=2.4.5.0
```


Capabilities Identified


From embedded strings:


| Module | Purpose |
|--------|---------|
| `Pulsar.Common.Messages.Monitoring.HVNC` | Hidden VNC (stealth remote desktop) |
| `Pulsar.Common.Messages.Webcam` | Webcam capture |
| `Pulsar.Common.Messages.Audio` | Microphone access |
| `Pulsar.Common.Messages.Administration.RemoteShell` | Remote command execution |
| `Pulsar.Common.Logging.KeyloggerService` | Keystroke logging |
| `Pulsar.Client.Helper.HVNC.Chromium.OperaPatcher` | HVNC helper for Chromium-based browsers (Opera); the namespace indicates hidden-desktop browser support rather than a credential-theft module, which this string alone does not evidence |
| `Pulsar.Common.Messages.ClientManagement.UAC` | UAC elevation / bypass |
| `Pulsar.Common.Messages.FunStuff` | GDI effects, BSOD triggers |


Encryption Keys Found


Two 64-hex-character values (32 bytes each) are embedded in the binary. The length matches either a SHA-256 digest or an AES-256 key; in the Quasar lineage such values are typically the client's key material for the C2 configuration, so we treat them as likely encryption/authentication keys rather than as hashes of anything in particular:

```text
6937AAA7C46A1CF5106F54609FCE156D8D08237B9B04319C5A36E1986FA22D30
F2173046D565A390F2EA722F09E8C2D93396E6D63EB8E1A453E53E97707D6982
```
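The string triage above (Costura resource names, the `Pulsar.Common` version, capability namespaces, 64-hex key candidates) is mechanical enough to script. The following is an added example, not DugganUSA's tooling and not code from the Pulsar project: it extracts ASCII and UTF-16LE strings from a PE image and reports those indicators. `SAMPLE_IMAGE` is a constructed byte blob carrying the strings quoted in this article; it is not the real binary, and the capability labels are the mapping used in the table above.

```python
"""String triage for a suspected Pulsar/Quasar RAT client (added example).

Not DugganUSA's tooling. Pulls printable ASCII and UTF-16LE strings out of a
PE image and flags the indicators the analysis above rests on: Costura
compressed assembly names, the Pulsar.Common version string, capability
namespaces, and 64-hex-character tokens that may be key material.
"""
import re
from typing import Dict, List

# Runs of 6+ printable bytes; UTF-16LE is (printable byte, NUL) repeated.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

VERSION_RE = re.compile(r"Pulsar\.Common, Version=(\d+(?:\.\d+){3})")
COSTURA_RE = re.compile(r"costura\.([a-z0-9.\-]+?)\.dll\.compressed")
HEX64_RE = re.compile(r"^[0-9A-Fa-f]{64}$")

# Namespaces mapped to capabilities in the article's table.
CAPABILITY_MARKERS = {
    "Pulsar.Common.Messages.Monitoring.HVNC": "hidden VNC",
    "Pulsar.Common.Messages.Webcam": "webcam capture",
    "Pulsar.Common.Messages.Audio": "microphone capture",
    "Pulsar.Common.Messages.Administration.RemoteShell": "remote shell",
    "Pulsar.Common.Logging.KeyloggerService": "keylogger",
    "Pulsar.Common.Messages.ClientManagement.UAC": "UAC handling",
}


def extract_strings(data: bytes) -> List[str]:
    """ASCII strings first, then UTF-16LE strings, each in file order."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    utf16_hits = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return ascii_hits + utf16_hits


def _dedupe(items: List[str]) -> List[str]:
    return list(dict.fromkeys(items))


def triage(data: bytes) -> Dict[str, object]:
    """Summarise the Pulsar-relevant strings in a binary image."""
    version = None
    assemblies: List[str] = []
    capabilities: List[str] = []
    hex64: List[str] = []
    for s in extract_strings(data):
        m = VERSION_RE.search(s)
        if m:
            version = m.group(1)
        assemblies += COSTURA_RE.findall(s)
        capabilities += [cap for ns, cap in CAPABILITY_MARKERS.items() if ns in s]
        # A 64-hex token has the length of a SHA-256 digest or an AES-256 key;
        # the string alone cannot say which, so report it as a candidate.
        hex64 += [t.upper() for t in re.split(r"[^0-9A-Fa-f]+", s) if HEX64_RE.match(t)]
    return {
        "version": version,
        "costura_assemblies": _dedupe(assemblies),
        "capabilities": _dedupe(capabilities),
        "hex64_candidates": _dedupe(hex64),
    }


def triage_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed stand-in for the sample (not the real binary). The separator
# defeats both regexes so adjacent strings do not run together.
_SEP = b"\x00\x00\x01\x02\x00"
SAMPLE_IMAGE = _SEP.join([
    b"MZ\x90\x00\x03",
    b"costura.pulsar.common.dll.compressed",
    b"Pulsar.Common, Version=2.4.5.0, Culture=neutral",
    b"Pulsar.Common.Logging.KeyloggerService",
    b"6937AAA7C46A1CF5106F54609FCE156D8D08237B9B04319C5A36E1986FA22D30",
    "Pulsar.Common.Messages.Monitoring.HVNC".encode("utf-16-le"),
    "F2173046D565A390F2EA722F09E8C2D93396E6D63EB8E1A453E53E97707D6982".encode("utf-16-le"),
])

if __name__ == "__main__":
    import json
    import sys
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_IMAGE)
    print(json.dumps(result, indent=2))
```

Run it against a real sample with `python triage.py Pulsar-Client.exe`; with no argument it runs over the constructed blob. Because .NET metadata stores type names as ASCII but user strings as UTF-16LE, scanning only one encoding misses half the indicators, which is why both regexes are applied.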




The Distribution Network



```mermaid
flowchart TD
    subgraph "Threat Actor"
        TA[gololobovevgenij4-byte<br/>User ID: 224857850<br/>Created: Aug 5, 2025]
    end

    subgraph "GitHub Repositories"
        R1[quasar-modded-malware-sample<br/>Nov 26, 2025]
        R2[Silent-Crypto-Miner<br/>Dec 1, 2025]
        R3[test<br/>Dec 9, 2025]
        R4[test1<br/>Oct 29, 2025]
    end

    subgraph "Malware Artifacts"
        M1[Pulsar-Client.exe v1<br/>SHA256: ca49f69a...]
        M2[xmr 40%.exe<br/>SHA256: de5fcb31...]
        M3[Pulsar-Client.exe v2<br/>SHA256: 22804099...]
    end

    subgraph "Capabilities"
        C1[Remote Desktop HVNC]
        C2[Credential Theft]
        C3[Keylogging]
        C4[XMR Mining 40%]
    end

    TA --> R1 & R2 & R3 & R4
    R1 --> M1
    R2 --> M2
    R3 --> M3
    M1 & M3 --> C1 & C2 & C3
    M2 --> C4

    style TA fill:#ff6b6b,stroke:#333,stroke-width:2px
    style M1 fill:#ffd93d,stroke:#333
    style M2 fill:#ffd93d,stroke:#333
    style M3 fill:#ffd93d,stroke:#333
```




Related Quasar/Pulsar C2 Infrastructure


Our ThreatFox sweep (December 10, 2025) returned 40 Quasar RAT C2 servers first seen in the preceding 7 days. A representative subset:

| C2 | Type | First Seen | Tags |
|----|------|------------|------|
| v2.slot123.jp.net | domain | Dec 10 | quasar, RAT, triage |
| v3.slot123.jp.net | domain | Dec 10 | quasar, RAT, triage |
| 195.24.236.68:4788 | ip:port | Dec 9 | quasar |
| 3.132.231.176:15565 | ip:port | Dec 9 | AWS (AS16509) |
| 190.203.50.169:443 | ip:port | Dec 9 | CANTV (Venezuela) |
| 51.79.197.104:4782 | ip:port | Dec 8 | OVH |
| motchilltv.bot (v2/v3) | domain | Dec 6 | quasar |
| 182.123.74.218:8888 | ip:port | Dec 6 | China (AS4837) |
| 27.74.249.74:8808 | ip:port | Dec 6 | Vietnam (VIETEL) |
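The sweep itself is a `taginfo` query against ThreatFox followed by a window filter. The block below is an added example of that filter, not DugganUSA's platform code. The request shape (`POST` JSON `{"query": "taginfo", "tag": ..., "limit": ...}` with an `Auth-Key` header) and the response fields it reads (`ioc`, `ioc_type`, `malware`, `first_seen`, `tags`) follow the public ThreatFox API; the `first_seen` format `YYYY-MM-DD HH:MM:SS UTC` is an assumption enforced at parse time. `SAMPLE_RESPONSE` is constructed from three rows of the table above plus two decoys (a stale Quasar entry on a documentation-range address and an unrelated family), and `fetch_taginfo` is the only network call and is never invoked here.

```python
"""Offline filter for a ThreatFox `taginfo` sweep (added example).

Not DugganUSA's platform code. Keeps Quasar/Pulsar C2 entries first seen in
the last N days and renders them as the table used in this write-up.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

THREATFOX_URL = "https://threatfox-api.abuse.ch/api/v1/"
RAT_FAMILIES = {"win.quasar_rat"}          # Malpedia identifier
RAT_TAGS = {"quasar", "pulsar"}

# Sweep instant used by the example (the article's publication day).
SWEEP_TIME = datetime(2025, 12, 10, 23, 0, tzinfo=timezone.utc)


def fetch_taginfo(tag: str, auth_key: str, limit: int = 1000) -> Dict[str, Any]:
    """Live query; abuse.ch requires an Auth-Key. Not called in this file."""
    body = json.dumps({"query": "taginfo", "tag": tag, "limit": limit}).encode()
    req = urllib.request.Request(
        THREATFOX_URL, data=body,
        headers={"Content-Type": "application/json", "Auth-Key": auth_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_first_seen(value: str) -> datetime:
    """Assumed ThreatFox timestamp format: '2025-12-10 03:11:02 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def recent_rat_c2s(response: Dict[str, Any], now: datetime = SWEEP_TIME,
                   days: int = 7) -> List[Dict[str, Any]]:
    """Quasar/Pulsar entries first seen within the window, newest first."""
    if response.get("query_status") != "ok":
        return []
    cutoff = now - timedelta(days=days)
    rows = []
    for entry in response.get("data", []):
        tags = [t.lower() for t in (entry.get("tags") or [])]   # tags may be null
        is_rat = entry.get("malware") in RAT_FAMILIES or bool(RAT_TAGS & set(tags))
        if not is_rat:
            continue
        seen = parse_first_seen(entry["first_seen"])
        if seen < cutoff:
            continue
        rows.append({"c2": entry["ioc"], "type": entry["ioc_type"],
                     "first_seen": seen, "tags": tags})
    rows.sort(key=lambda r: r["first_seen"], reverse=True)
    return rows


def to_markdown(rows: List[Dict[str, Any]]) -> str:
    lines = ["| C2 | Type | First Seen | Tags |", "|----|------|------------|------|"]
    for r in rows:
        lines.append(f"| {r['c2']} | {r['type']} | {r['first_seen']:%b %d} | {', '.join(r['tags'])} |")
    return "\n".join(lines)


# Constructed response: three rows from the table above plus two decoys.
SAMPLE_RESPONSE = {
    "query_status": "ok",
    "data": [
        {"ioc": "v2.slot123.jp.net", "ioc_type": "domain", "malware": "win.quasar_rat",
         "first_seen": "2025-12-10 03:11:02 UTC", "tags": ["quasar", "RAT", "triage"]},
        {"ioc": "195.24.236.68:4788", "ioc_type": "ip:port", "malware": "win.quasar_rat",
         "first_seen": "2025-12-09 14:20:11 UTC", "tags": ["quasar"]},
        {"ioc": "3.132.231.176:15565", "ioc_type": "ip:port", "malware": "win.quasar_rat",
         "first_seen": "2025-12-09 08:05:44 UTC", "tags": None},
        # Decoy: Quasar, but older than the 7-day window (RFC 5737 test address).
        {"ioc": "192.0.2.10:4782", "ioc_type": "ip:port", "malware": "win.quasar_rat",
         "first_seen": "2025-11-30 10:00:00 UTC", "tags": ["quasar"]},
        # Decoy: recent, but a different family.
        {"ioc": "203.0.113.7:6606", "ioc_type": "ip:port", "malware": "win.asyncrat",
         "first_seen": "2025-12-10 01:00:00 UTC", "tags": ["asyncrat"]},
    ],
}

if __name__ == "__main__":
    print(to_markdown(recent_rat_c2s(SAMPLE_RESPONSE)))
```

Matching on the Malpedia family as well as on tags matters because ThreatFox entries are reporter-tagged and tags are frequently absent; filtering on the `pulsar` tag alone would have missed the untagged AWS-hosted entry in the sample.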




MITRE ATT&CK Mapping



```mermaid
flowchart LR
    subgraph "Initial Access"
        T1566[T1566: Phishing]
        T1189[T1189: Drive-by Compromise]
    end

    subgraph "Execution"
        T1204[T1204: User Execution]
        T1059[T1059: Command and Scripting Interpreter]
    end

    subgraph "Persistence"
        T1547[T1547: Boot or Logon Autostart Execution]
        T1053["T1053: Scheduled Task/Job"]
    end

    subgraph "Defense Evasion"
        T1027[T1027: Obfuscated Files or Information]
        T1497["T1497: Virtualization/Sandbox Evasion"]
        T1548_002[T1548.002: Bypass User Account Control]
    end

    subgraph "Credential Access"
        T1555_003[T1555.003: Credentials from Web Browsers]
        T1056_001[T1056.001: Keylogging]
    end

    subgraph "Collection"
        T1113[T1113: Screen Capture]
        T1123[T1123: Audio Capture]
        T1125[T1125: Video Capture]
    end

    subgraph "C2"
        T1071[T1071: Application Layer Protocol]
        T1573[T1573: Encrypted Channel]
    end

    subgraph "Impact"
        T1496[T1496: Resource Hijacking<br/>XMR Mining]
    end
```




Why "First Reporter" Matters


The Problem


Most malware analysis happens *after* victims report infections. The timeline typically looks like:



```text
Day 0:     Malware uploaded to GitHub
Day 7-30:  Spread via social engineering, SEO poisoning
Day 30-90: First infections detected
Day 90+:   Security vendor analysis published
Day 180+:  IOCs widely distributed
```


That's 6 months from code to defense. Unacceptable.


Our Approach



```text
Day 0:  Malware uploaded to GitHub (Nov 26)
Day 14: DugganUSA detection via C2 sweep (Dec 10)
Day 14: Full analysis + IOCs published (Dec 10)
Day 14: GitHub report filed (Dec 10)
```


14 days, not 180.




The Pattern 38 Connection


This account follows the exact Pattern 38 signature we've documented:


| Indicator | gololobovevgenij4-byte | Pattern 38 Signature |
|-----------|------------------------|----------------------|
| Account age | 4 months before first malware | Sleeper period |
| Followers | 0 | No social proof |
| Following | 0 | No engagement |
| Bio | Empty | No attribution |
| Repository names | Generic + "sample" | Plausible deniability |
| README disclaimers | "Research purposes only" | Legal cover |
| Multiple payloads | RAT + Cryptominer | Diversified monetization |
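The seven indicators in that table can be evaluated from two GitHub REST API responses. The block below is an added example of such a check; DugganUSA has not published scoring code, so the keyword lists, the 60-day sleeper threshold and the verdict threshold are this example's own choices, not the Pattern 38 definition. Field names follow the GitHub API (`GET /users/{username}` returns `login`, `id`, `created_at`, `followers`, `following`, `bio`; `GET /users/{username}/repos` returns `name` and `created_at`); the `readme` field is not part of the repos response and is attached here as a convenience, with text fetched separately from `GET /repos/{owner}/{repo}/readme`. `PROFILE` and `REPOS` are constructed from the dates and counts reported in this article (times of day are unknown and set to midnight), the README bodies are constructed, and `BENIGN_PROFILE` is an invented contrast case.

```python
"""Pattern 38 indicator check against a GitHub profile (added example).

Not DugganUSA's code. Scores a user profile and repo list against the seven
indicators in the table above; thresholds and keyword lists are this
example's own assumptions.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List

PAYLOAD_WORDS = {"malware", "rat", "quasar", "pulsar", "miner", "crypto", "stealer"}
RAT_WORDS = {"rat", "quasar", "pulsar"}
MINER_WORDS = {"miner", "xmr", "crypto"}
GENERIC_WORDS = {"sample", "test", "build"}
DISCLAIMER_RE = re.compile(r"(research|educational)\s+purposes?\s+only", re.I)
SLEEPER_DAYS = 60        # assumption: dormant this long before the first payload repo
VERDICT_THRESHOLD = 6    # assumption: 6 of 7 indicators


def _ts(value: str) -> datetime:
    """GitHub timestamps are ISO 8601 in UTC, e.g. 2025-08-05T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _tokens(name: str) -> List[str]:
    """Split a repo name on hyphens/underscores so 'rat' does not match 'generator'."""
    return [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t]


def _has(name: str, words: Iterable[str]) -> bool:
    return any(t in words for t in _tokens(name))


def pattern38_indicators(profile: Dict, repos: List[Dict]) -> Dict[str, object]:
    payload_repos = sorted((r for r in repos if _has(r["name"], PAYLOAD_WORDS)),
                           key=lambda r: r["created_at"])
    sleeper_days = None
    if payload_repos:
        sleeper_days = (_ts(payload_repos[0]["created_at"]) - _ts(profile["created_at"])).days
    indicators = {
        "sleeper_period": sleeper_days is not None and sleeper_days >= SLEEPER_DAYS,
        "no_followers": profile.get("followers", 0) == 0,
        "no_following": profile.get("following", 0) == 0,
        "empty_bio": not (profile.get("bio") or "").strip(),
        "generic_repo_names": any(_has(r["name"], GENERIC_WORDS) for r in repos),
        "readme_disclaimer": any(DISCLAIMER_RE.search(r.get("readme") or "") for r in repos),
        "diversified_payloads": any(_has(r["name"], RAT_WORDS) for r in repos)
                                and any(_has(r["name"], MINER_WORDS) for r in repos),
    }
    score = sum(indicators.values())
    return {
        "login": profile["login"],
        "score": score,
        "of": len(indicators),
        "sleeper_days": sleeper_days,
        "indicators": indicators,
        "matches_pattern38": score >= VERDICT_THRESHOLD,
    }


# Constructed from the article's reported dates and counts (times assumed).
PROFILE = {"login": "gololobovevgenij4-byte", "id": 224857850,
           "created_at": "2025-08-05T00:00:00Z", "followers": 0, "following": 0, "bio": None}
REPOS = [
    {"name": "test1", "created_at": "2025-10-29T00:00:00Z", "readme": ""},
    {"name": "quasar-modded-malware-sample", "created_at": "2025-11-26T00:00:00Z",
     "readme": "Modded Quasar client. For research purposes only."},   # constructed text
    {"name": "Silent-Crypto-Miner-modded-build-Sample", "created_at": "2025-12-01T00:00:00Z",
     "readme": "Research purposes only"},                             # constructed text
    {"name": "test", "created_at": "2025-12-09T00:00:00Z", "readme": ""},
]

# Invented contrast case: an ordinary developer account.
BENIGN_PROFILE = {"login": "example-dev", "id": 1, "created_at": "2019-03-02T00:00:00Z",
                  "followers": 42, "following": 17, "bio": "Builds web things."}
BENIGN_REPOS = [
    {"name": "dotfiles", "created_at": "2019-03-05T00:00:00Z", "readme": "My dotfiles."},
    {"name": "blog", "created_at": "2020-01-10T00:00:00Z", "readme": "Static site source."},
]

if __name__ == "__main__":
    for p, r in ((PROFILE, REPOS), (BENIGN_PROFILE, BENIGN_REPOS)):
        print(pattern38_indicators(p, r))
```

Note that a high score on this heuristic is a triage signal, not attribution: several indicators (zero followers, empty bio, generic repo names) describe every throwaway student account on GitHub, which is why the sleeper period and the RAT-plus-miner pairing carry the real weight in practice.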




Indicators of Compromise (IOCs)


File Hashes (SHA256)



```text
ca49f69a007de870c0ae4c9cabaa4707ad73c9735d643c7bfcdc2a4cf2ba9765  Pulsar-Client.exe (v1)
22804099ed114502613561e19c39b08d85532366de6aa7dc7b648da51d4a7515  Pulsar-Client.exe (v2)
de5fcb3128ab96a7c5e45d93ed01498102aacde90552b9bffc581fa94d5c8e6a  xmr 40%.exe
```


GitHub Account



```text
Username: gololobovevgenij4-byte
User ID:  224857850
Status:   ACTIVE (report filed)
```


Pulsar RAT Embedded Strings



```text
Pulsar.Common.dll (v2.4.5.0)
Pulsar.Client.Helper.HVNC.ProcessController
Pulsar.Client.Logging.KeyloggerService
KeYz957jYMOdwSWT    (possible mutex)
cv46qruDNSpySAepNj  (possible tag)
```




What Happens Next


1. GitHub Report Filed — [email protected]
2. ThreatFox Submission — IOCs added to public feed
3. OTX Pulse — Published for community consumption
4. STIX Feed — Automated distribution via our free feed




The Bottom Line


> "The only way to go fast is to go well."


We document everything because documentation *is* defense. Every hour between malware upload and public IOC is an hour victims are unprotected.


This isn't about credit. It's about closing the gap between code and consequences.


DugganUSA: First to report. Always documenting.




Sources



• [ThreatMon Pulsar RAT Analysis](https://threatmon.io/pulsar-rat-technical-malware-analysis-report/)

• [Broadcom Pulsar RAT Protection Bulletin](https://www.broadcom.com/support/security-center/protection-bulletin/pulsar-rat-malware)

• [ThreatFox IOC Database](https://threatfox.abuse.ch/)

• [Malpedia: Quasar RAT](https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat)




*Generated by DugganUSA Threat Intelligence Platform*
*Last updated: 2025-12-10T22:30:00Z*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

