# Five Things Nobody Is Talking About Tonight
Patrick Duggan, DugganUSA
March 28, 2026 (updated April 25), 5 min read
It's Saturday night. The news cycle is quiet. PreCog is not.
Our precursor detection system has been at CRITICAL for four consecutive days. That's not an alert. That's a climate change. Here are five things the Monday morning briefings will miss because they happened on a weekend.
1. Three Perimeter Devices Got Popped in One Week
Cisco Secure Firewall Management Center. F5 BIG-IP Access Policy Manager. Citrix NetScaler ADC. Three CVSS 9.0+ vulnerabilities. All actively exploited or under active reconnaissance. All disclosed in the same seven-day window.
These aren't random applications. These are the three devices that sit between your network and the internet. The VPN concentrators. The access gateways. The load balancers. The things your security team calls "the perimeter."
Cisco FMC (CVE-2026-20131, CVSS 10.0) — unauthenticated remote code execution as root. Exploited by Interlock ransomware since January 26, a full month before Cisco disclosed it.
F5 BIG-IP APM (CVE-2025-53521, CVSS 9.3) — remote code execution. Added to CISA KEV on Friday.
Citrix NetScaler (CVE-2026-3055, CVSS 9.3) — memory over-read caused by insufficient input validation. Active auth-method fingerprinting observed in the wild. That means someone is mapping which organizations use NetScaler and how their authentication is configured. That's not an attack. That's pre-positioning.
Here's what nobody is writing: this is the exact attack surface that Handala and Pay2Key use for initial access. Both MOIS-linked groups got in through admin accounts on management platforms: Handala reached Stryker through Intune, Pay2Key through stolen VPN credentials. Three perimeter devices with CVSS 9.0+ vulns during an active cyber war with Iran is not a coincidence. It's a target list.
2. Audio Steganography Just Entered the Supply Chain
On March 27, two malicious versions of the telnyx Python package were published to PyPI. The credential harvesting code was hidden inside a .WAV file.
Read that again. The malware was in an audio file inside a Python package.
Your security tools scan Python files for hardcoded secrets. Your SAST tools parse source code for suspicious patterns. Your dependency scanners check package versions against vulnerability databases. None of them treat an audio file bundled in a package as something that could carry a payload, so none of them look inside it.
This is a new technique and it will be replicated. The same threat actor already compromised Trivy (the vulnerability scanner) and litellm (the AI model router). They're targeting the tools that developers trust, hiding payloads where scanners don't look, and distributing through the package managers that every CI/CD pipeline depends on.
Check your Python dependencies. Check what's in them. Not just the code — the assets.
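One way to do that check, as an added example for this article (not DugganUSA tooling, and not an analysis of the actual telnyx package): open a wheel (which is a zip), inventory every file that a source scanner would skip, flag assets that contain code-like strings, a long base64 run, or bytes appended after the declared RIFF size of a WAV, and list the source files that reference those assets by name, since those are the loaders to read first. The sample package it builds is constructed; the file names, the loader and the appended script are illustrative assumptions.

```python
"""Inventory the non-source files inside a Python distribution and flag assets
that carry code-like content, plus the source files that load them.

Added example for this article: not DugganUSA tooling and not an analysis of the
real telnyx payload. The sample package built below is constructed."""
import io
import posixpath
import re
import struct
import sys
import zipfile
from typing import Dict, List

# Extensions that SAST and secret scanners normally read; everything else is an asset.
SOURCE_EXT = {".py", ".pyi", ".txt", ".md", ".rst", ".cfg", ".toml", ".json", ".ini"}
# Byte strings with no legitimate reason to appear inside audio or image data.
CODE_MARKERS = [b"import ", b"exec(", b"eval(", b"__import__", b"subprocess",
                b"os.environ", b"base64", b"urlopen", b"socket."]
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{48,}={0,2}")


def inspect_asset(name: str, data: bytes) -> Dict:
    """Finding record for one non-source file."""
    hits = [m.decode() for m in CODE_MARKERS if m in data]
    if B64_RUN.search(data):
        hits.append("base64-like run")
    # A RIFF/WAVE header whose declared size is smaller than the file means bytes
    # were appended after the audio stream; players ignore them, loaders do not.
    trailing = 0
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        declared = struct.unpack("<I", data[4:8])[0] + 8
        trailing = max(0, len(data) - declared)
    return {"file": name, "size": len(data), "hits": hits, "trailing_bytes": trailing}


def scan_archive(blob: bytes) -> Dict[str, List]:
    """Scan a zip-based distribution (a .whl is a zip): list the assets, the
    suspicious ones, and every source file that names a bundled asset."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    assets = {n: d for n, d in members.items()
              if posixpath.splitext(n)[1].lower() not in SOURCE_EXT}
    sources = {n: d for n, d in members.items() if n.lower().endswith(".py")}
    suspicious = [r for r in (inspect_asset(n, d) for n, d in assets.items())
                  if r["hits"] or r["trailing_bytes"]]
    loaders = []  # source files that reference an asset by basename
    for src_name, src in sources.items():
        for asset in assets:
            if posixpath.basename(asset).encode() in src:
                loaders.append({"source": src_name, "asset": asset,
                                "executes": b"exec(" in src or b"eval(" in src})
    return {"assets": sorted(assets), "suspicious": suspicious, "loaders": loaders}


def _wav(pcm: bytes, appended: bytes = b"") -> bytes:
    """Minimal 16-bit mono PCM WAV container (constructed), with optional bytes
    appended after the declared RIFF size."""
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + fmt + struct.pack("<4sI", b"data", len(pcm)) + pcm
    return b"RIFF" + struct.pack("<I", len(body)) + body + appended


def build_sample_package() -> bytes:
    """Constructed wheel-like zip: a clean asset, an asset with a script appended,
    and a loader that executes it. Names and contents are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "from .audio import play\n")
        zf.writestr("demo/audio.py",
                    "import pkgutil\n"
                    "def play():\n"
                    "    blob = pkgutil.get_data(__name__, 'assets/ringtone.wav')\n"
                    "    exec(blob[blob.index(b'#!'):].decode())\n")
        zf.writestr("demo/assets/beep.wav", _wav(b"\x00\x10" * 400))
        hidden = b"#!python\nimport os, base64\nprint(os.environ)\n"
        zf.writestr("demo/assets/ringtone.wav", _wav(b"\x00\x10" * 400, appended=hidden))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_assets.py path/to/package.whl   (no argument scans the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_package()
    report = scan_archive(blob)
    print(f"{len(report['assets'])} asset(s), {len(report['suspicious'])} suspicious")
    for r in report["suspicious"]:
        print(f"  {r['file']}: hits={r['hits']} trailing_bytes={r['trailing_bytes']}")
    for ld in report["loaders"]:
        print(f"  loader {ld['source']} reads {ld['asset']} (exec/eval present: {ld['executes']})")
```

Run it against the wheels in your pip cache or a vendored `site-packages` tree; sdists are tarballs, so swap `zipfile` for `tarfile` there. The marker list is deliberately crude: the point is that the asset is examined at all, and that any source file which reads a bundled binary and hands it to `exec` or `eval` gets a human's eyes before the package reaches CI.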
3. PreCog Has Been Red for Four Days. That's Not a Spike.
Our precursor detection system aggregates eight independent signals: infrastructure activation surges, IOC velocity spikes, supply chain staging, adversary reboots, consumer intelligence patterns, MITRE technique escalation, C2 publication surges, and cross-index correlation.
On Thursday, three signals elevated simultaneously. By Saturday, the infrastructure surge was still at maximum. The supply chain staging signal climbed from 0.6 to 0.72 after we caught a GitHub repository (babka98/horinis) staging five MSI malware installers on a 23-day-old account. The IOC velocity spike from Spamhaus hasn't subsided — 7x the daily average for four days running.
PreCog has 21 validated predictions at 100% accuracy. Lead times from 3 hours to 72 days. When it says CRITICAL for four days, it means the conditions for significant attacks are present and sustained.
This is not a spike that returns to baseline. This is the new baseline.
4. A German Researcher Tested 494 Politicians Against the Epstein Files
On March 18, a single user ran 494 unique search queries against our Epstein document index. Every query was a German politician, industrialist, or public figure. Josef Ackermann. Konrad Adenauer. Andreas von Bülow. Katarina Barley. Bärbel Bas. Every German chancellor, defense minister, and corporate leader they could think of.
494 names. Zero results.
They tried every format — "Lastname Firstname," "Firstname Lastname," with umlauts and without. They know how to search databases. This is not casual browsing. This is a systematic investigation by someone testing a specific hypothesis: are German power structures connected to the Epstein network?
The answer from our 400,750-document index is: not that we can find. But the question itself is intelligence. Someone with deep knowledge of German political structures believes the connection is worth testing. And they chose our platform to test it.
5. Handala Went Quiet. Pay Attention.
On March 11, Handala wiped 200,000 Stryker devices. March 20, the FBI seized their domains. Within hours, they had replacement infrastructure on three hosting providers in three jurisdictions. March 25, they dumped 14GB on the former Mossad chief and published passport scans of 28 Lockheed Martin engineers. March 27, they breached the FBI Director's personal email — confirmed by the DOJ.
Then silence.
Two of their three post-seizure domains went dark on Friday evening, hours after the DOJ confirmation and the $10 million bounty announcement. Our domain watchdog — running every 30 minutes on the VM, checking DNS, emailing alerts — shows no new infrastructure. No new certificates in transparency logs. No new domains registered.
Handala escalated through medical devices, intelligence leadership, the defense industrial base, and the FBI Director in 16 days. Each target bigger than the last. And then they stopped.
Either the $10 million bounty scared them — which would be a first for an MOIS-backed operation — or they're building something that makes the Lockheed passport dump look like a warmup.
We're watching. The watchdog runs every 30 minutes. The STIX feed updates continuously. 275+ organizations in 46 countries pull indicators that include the infrastructure we mapped.
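The watchdog described above (resolve every 30 minutes, alert on change) reduces to a snapshot-and-diff loop. The following is an added example, not the DugganUSA watchdog: it assumes a JSON state file on disk, an injectable resolver so the logic runs offline, and a cron-style caller; the domains and addresses in the demonstration are reserved documentation values, not real adversary infrastructure. The certificate-transparency and registration checks the text mentions are separate data sources and are not covered here.

```python
"""DNS watchdog core: snapshot a watchlist, diff it against the previous run and
classify each change. Added example for this article, not the DugganUSA watchdog.
The resolver is injectable so the logic can be exercised with constructed answers;
the domains and addresses below are reserved documentation values."""
import json
import os
import socket
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[Set[str]]]
Snapshot = Dict[str, Optional[List[str]]]  # domain -> sorted addresses, None when unresolvable


def system_resolver(domain: str) -> Optional[Set[str]]:
    """Resolve A/AAAA through the OS stub resolver. None = NXDOMAIN, SERVFAIL or timeout."""
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return None
    return {info[4][0] for info in infos}


def snapshot(domains: List[str], resolve: Resolver = system_resolver) -> Snapshot:
    """Resolve every watched domain once; sorted lists keep the JSON state diffable."""
    current: Snapshot = {}
    for domain in domains:
        answer = resolve(domain)
        current[domain] = sorted(answer) if answer is not None else None
    return current


def diff(previous: Snapshot, current: Snapshot, seen: str) -> List[Dict]:
    """Classify each domain's transition since the last run.
    went_dark: resolved before, nothing now (seizure, takedown, or the operator pulled it)
    came_up:   nothing before, resolves now (infrastructure re-activated)
    moved:     address set changed (re-hosting, possibly on a new provider)
    new:       first time this domain is on the watchlist
    Still-dark and unchanged domains produce no event."""
    events = []
    for domain in sorted(current):
        after = current[domain]
        if domain not in previous:
            kind, before = "new", None
        else:
            before = previous[domain]
            if before == after:
                continue
            if after is None:
                kind = "went_dark"
            elif before is None:
                kind = "came_up"
            else:
                kind = "moved"
        events.append({"domain": domain, "kind": kind, "before": before,
                       "after": after, "seen": seen})
    return events


def format_alert(events: List[Dict]) -> str:
    """Plain-text alert body; an empty string means there is nothing to e-mail."""
    if not events:
        return ""
    lines = [f"{len(events)} watchlist change(s) at {events[0]['seen']}"]
    for e in events:
        lines.append(f"[{e['kind']}] {e['domain']}: {e['before']} -> {e['after']}")
    return "\n".join(lines)


def run_once(state_path: str, domains: List[str],
             resolve: Resolver = system_resolver) -> List[Dict]:
    """One scheduler tick (cron every 30 minutes, for example): load, resolve, diff, save."""
    previous: Snapshot = {}
    if os.path.exists(state_path):
        with open(state_path) as fh:
            previous = json.load(fh)
    current = snapshot(domains, resolve)
    seen = datetime.now(timezone.utc).isoformat(timespec="seconds")
    events = diff(previous, current, seen)
    with open(state_path, "w") as fh:
        json.dump(current, fh, indent=1, sort_keys=True)
    return events


if __name__ == "__main__":
    # Constructed two-run demonstration with a fake resolver; no network needed.
    runs = [
        {"a.example": {"203.0.113.10"}, "b.example": {"203.0.113.11"}, "c.example": None},
        {"a.example": None, "b.example": {"203.0.113.11"}, "c.example": None,
         "d.example": {"198.51.100.7"}},
    ]
    prev: Snapshot = {}
    for answers in runs:
        cur = snapshot(list(answers), lambda d: answers[d])
        print(format_alert(diff(prev, cur, "demo")) or "no change")
        prev = cur
```

Two design points worth keeping when you build your own: a domain that is still dark should not re-alert every 30 minutes (the diff is silent on `None -> None`), and "moved" is a distinct event from "came up", because an operator shifting a live domain to a new hosting provider is exactly the post-seizure behaviour the section describes and is easy to lose if you only alert on up/down.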
What We're Doing About It
We rebuilt our STIX feed this weekend. 11,724 objects including 4,293 IPs, 339 domains (118 onion addresses), 50 malware hashes (33 from the FBI's Handala FLASH alert), and 164 malicious URLs. Every CSV endpoint works. Every API endpoint returns 200 (we tested 49 of them — all green). Stripe checkout works for all five pricing tiers.
We fixed the registration flow that was breaking index access for every new user since launch. We fixed the STIX feed that wasn't including onion addresses, hashes, or domain IOCs. A pen tester in New Jersey found three bugs in one weekend and we fixed all of them before Monday.
The platform indexes 15.8 million documents across 47 gigabytes. PreCog watches 8 signals. The domain watchdog monitors 17 adversary domains. The gap miner turns zero-result customer searches into intelligence requirements.
And the STIX feed is free.
analytics.dugganusa.com/stix
Patrick Duggan is the founder of DugganUSA LLC. He spent Saturday deploying 11 updates, fixing Stripe checkout, catching a malware staging repo, and watching a frozen lake. PreCog is still red. The watchdog is still watching. Somewhere in Germany, someone is still looking for the names.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.