Follow the Followers: Mapping GitHub Malware Distribution Networks
- Patrick Duggan
- Dec 10, 2025
- 5 min read
Pattern 38.5: Network Mapping via Social Graph Analysis
> *"In God we trust. All others we follow... their followers."* — DugganUSA, December 2025
When you find one malware distribution account, don't stop. Follow the followers. Check who they follow. Search for similar repository names. The GitHub API is a treasure map if you know how to read it.
Today we mapped a network of 4 malware distribution accounts, 13 repositories, and at least 5 distinct malware payloads — starting from a single Pulsar RAT sample.
The Technique: Pattern 38.5
Our Pattern 38 detection identifies individual sleeper accounts distributing malware. Pattern 38.5 extends this by mapping the distribution network:
```mermaid
flowchart TD
    subgraph "Pattern 38.5: Follow the Followers"
        A[Find Initial Malware Account] --> B[Check Followers/Following]
        B --> C{Zero Social Graph?}
        C -->|Yes| D[Search Similar Repo Names]
        C -->|No| E[Investigate Connections]
        D --> F[Compare Creation Dates]
        F --> G[Check File Hashes]
        G --> H[Map Network]
        E --> H
    end
    style A fill:#ff6b6b
    style H fill:#4ecdc4
```
Why It Works
Malware distribution networks share habits that make them mappable. They:
• Reuse payloads across multiple accounts (same hash, different names)
• Create accounts in batches (clustered creation dates)
• Use similar naming conventions (Silent-Crypto-Miner, SilentCryptoMiner, etc.)
• Avoid social connections (0 followers, 0 following — but this IS the pattern)
The Network We Found
Starting from `gololobovevgenij4-byte` (Pulsar RAT), we mapped 4 accounts:
```mermaid
flowchart TD
    subgraph "Account: gololobovevgenij4-byte"
        G[gololobovevgenij4-byte<br/>ID: 224857850<br/>Created: Aug 5, 2025<br/>Followers: 0 | Following: 0]
        G1[quasar-modded-malware-sample<br/>Nov 26, 2025]
        G2[Silent-Crypto-Miner-modded-build-Sample<br/>Dec 1, 2025]
        G3[test<br/>Dec 9, 2025]
        G4[test1<br/>Oct 29, 2025]
        G --> G1 & G2 & G3 & G4
    end
    subgraph "Account: Heheszon1"
        H[Heheszon1<br/>ID: 245615174<br/>Created: Nov 22, 2025<br/>Followers: 0 | Following: 0]
        H1[FluxenExecutor<br/>Nov 22, 2025]
        H2[FluxenGrabber<br/>Nov 22, 2025]
        H3[SilentCryptoMiner<br/>Nov 22, 2025]
        H --> H1 & H2 & H3
    end
    subgraph "Account: kadeen333"
        K[kadeen333<br/>ID: 166330105<br/>Created: Apr 7, 2024<br/>Followers: 0 | Following: 0]
        K1[kadeen333<br/>Apr 7, 2024]
        K2[Silent-Crypto-Miner<br/>Oct 10, 2025]
        K --> K1 & K2
    end
    subgraph "Account: mkaif078600"
        M[mkaif078600<br/>ID: 201727544<br/>Created: Mar 4, 2025<br/>Followers: 0 | Following: 0]
        M1[seed-phrase-generator<br/>Nov 26, 2025]
        M2[Silent-Crypto-Miner<br/>Nov 26, 2025]
        M --> M1 & M2
    end
    style G fill:#ff6b6b,stroke:#333,stroke-width:2px
    style H fill:#ff6b6b,stroke:#333,stroke-width:2px
    style K fill:#ffd93d,stroke:#333
    style M fill:#ffd93d,stroke:#333
```
The Malware Payloads
gololobovevgenij4-byte (Primary Target)
| File | SHA256 | Age | Classification |
|------|--------|-----|----------------|
| Pulsar-Client.exe (v1) | `ca49f69a007de870c0ae4c9cabaa4707ad73c9735d643c7bfcdc2a4cf2ba9765` | 14 days | Pulsar RAT v2.4.5 |
| Pulsar-Client.exe (v2) | `22804099ed114502613561e19c39b08d85532366de6aa7dc7b648da51d4a7515` | 1 day | Pulsar RAT v2.4.5 |
| xmr 40%.exe | `de5fcb3128ab96a7c5e45d93ed01498102aacde90552b9bffc581fa94d5c8e6a` | 9 days | XMR Miner (40% take rate) |
Heheszon1 (Network Discovery)
| File | SHA256 | Size | Classification |
|------|--------|------|----------------|
| FluxenGrabber.exe | `fae5053b24fc1ce0909d7c1718c0f70e98662097322c17db741e80fe5ee572e7` | 11 MB | SAME BINARY |
| FluxenBootstrapper.exe | `fae5053b24fc1ce0909d7c1718c0f70e98662097322c17db741e80fe5ee572e7` | 11 MB | SAME BINARY |
| Silent Crypto Miner Builder.exe | `fae5053b24fc1ce0909d7c1718c0f70e98662097322c17db741e80fe5ee572e7` | 11 MB | SAME BINARY |
All three Heheszon1 files are identical — same 11MB payload distributed under different names for different "use cases." Classic malware repackaging.
The Timeline
```mermaid
timeline
    title Malware Distribution Network Timeline
    section 2024
        Apr 7 : kadeen333 account created (sleeper)
    section 2025
        Mar 4 : mkaif078600 account created
        Aug 5 : gololobovevgenij4-byte account created
        Oct 10 : kadeen333 uploads Silent-Crypto-Miner (6 months dormant)
        Oct 29 : gololobovevgenij4-byte creates test1 (probing)
        Nov 22 : Heheszon1 account + 3 repos in 7 minutes
        Nov 26 : gololobovevgenij4-byte uploads Pulsar RAT
        Nov 26 : mkaif078600 uploads miner + seed stealer (same day!)
        Dec 1 : gololobovevgenij4-byte uploads XMR miner
        Dec 9 : gololobovevgenij4-byte uploads Pulsar RAT v2
        Dec 10 : DugganUSA detects & reports entire network
```
Key Observations
1. November 26 coordination: Two accounts uploaded malware on the same day
2. Heheszon1 speed: Account created, then 3 repos with identical malware uploaded, all within 7 minutes
3. kadeen333 sleeper: 6 months dormant before activating
4. Zero social graph: All accounts have 0 followers and 0 following
Detection Methodology
Step 1: Initial Discovery
```bash
# ThreatFox C2 sweep found "pulsar" tag
# Led to gololobovevgenij4-byte GitHub account
gh api users/gololobovevgenij4-byte
```
Step 2: Follow the Followers
```bash
# Check social connections
gh api users/gololobovevgenij4-byte/followers   # Empty
gh api users/gololobovevgenij4-byte/following   # Empty
```
Step 3: Search Similar Repositories
```bash
# Pattern matching on repository names
gh search repos "Silent-Crypto-Miner" --limit 20
gh search repos "Pulsar-Client.exe" --limit 20
```
Step 4: Profile Analysis
```bash
# Check each account for Pattern 38 signatures
for user in suspect1 suspect2 suspect3; do
  gh api "users/$user" | jq '{created_at, followers, following, public_repos}'
done
```
Step 5: Hash Comparison
```bash
# Compare file hashes across accounts
curl -sL "https://raw.githubusercontent.com/..." | shasum -a 256
```
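As an added example (not the post's own tooling), the following Python applies the Step 3 to Step 5 logic offline to a constructed record set: it normalizes repository names the way a `gh search` hit would match them, flags one binary served under several names inside an account, and links account pairs that share a name, a hash or an upload day. The logins, dates and hashes are the ones quoted in this post; the 6-character minimum for name matching and the reason-string format are assumptions of this example.

```python
import re
from collections import namedtuple
from itertools import combinations

Repo = namedtuple("Repo", "name created sha256", defaults=(None,))  # created: date part of created_at; sha256 or None
Account = namedtuple("Account", "login followers following repos")

def shared_name(x, y):
    """Search-style match: strip case/punctuation ('Silent-Crypto-Miner' == 'SilentCryptoMiner'),
    then return the shorter name if one contains the other; names under 6 chars are ignored."""
    x, y = (re.sub(r"[^a-z0-9]", "", n.lower()) for n in (x, y))
    if min(len(x), len(y)) >= 6 and (x in y or y in x):
        return min(x, y, key=len)
    return None

def repackaged(acct):
    """Hashes an account serves under more than one repo name (one binary, many labels)."""
    by_hash = {}
    for r in acct.repos:
        if r.sha256:
            by_hash.setdefault(r.sha256, []).append(r.name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}

def link_accounts(accounts):
    """Pattern 38.5: the reasons tying each pair of accounts together, keyed by (login, login)."""
    edges = {}
    for a, b in combinations(accounts, 2):
        reasons = set()
        for ra in a.repos:
            for rb in b.repos:
                if key := shared_name(ra.name, rb.name):
                    reasons.add("similar_repo_name:" + key)
                if ra.sha256 and ra.sha256 == rb.sha256:
                    reasons.add("shared_payload:" + ra.sha256[:8])
                if ra.created == rb.created:
                    reasons.add("same_day_upload:" + ra.created)
        if reasons:
            edges[(a.login, b.login)] = reasons
    return edges

XMR = "de5fcb3128ab96a7c5e45d93ed01498102aacde90552b9bffc581fa94d5c8e6a"
FLUXEN = "fae5053b24fc1ce0909d7c1718c0f70e98662097322c17db741e80fe5ee572e7"
NETWORK = [  # constructed sample: the accounts, dates and hashes quoted in this post
    Account("gololobovevgenij4-byte", 0, 0, [Repo("quasar-modded-malware-sample", "2025-11-26"),
                                             Repo("Silent-Crypto-Miner-modded-build-Sample", "2025-12-01", XMR)]),
    Account("Heheszon1", 0, 0, [Repo(n, "2025-11-22", FLUXEN)
                                for n in ("FluxenExecutor", "FluxenGrabber", "SilentCryptoMiner")]),
    Account("kadeen333", 0, 0, [Repo("Silent-Crypto-Miner", "2025-10-10")]),
    Account("mkaif078600", 0, 0, [Repo("Silent-Crypto-Miner", "2025-11-26")]),
]
```

Running `link_accounts(NETWORK)` links all six account pairs through the shared "silentcryptominer" name and adds the November 26 same-day edge between gololobovevgenij4-byte and mkaif078600; `repackaged(NETWORK[1])` returns the Heheszon1 hash mapped to its three repo names.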
Pattern 38 Signature Match
| Indicator | gololobovevgenij4-byte | Heheszon1 | kadeen333 | mkaif078600 |
|-----------|------------------------|-----------|-----------|-------------|
| Followers | 0 | 0 | 0 | 0 |
| Following | 0 | 0 | 0 | 0 |
| Bio | Empty | Empty | Empty | Empty |
| Profile photo | Default | Default | Default | Default |
| README disclaimers | "Research only" | None | SEO spam | SEO spam |
| Sleeper period | 3 months | 0 (instant) | 6 months | 8 months |
| Multi-payload | Yes (RAT + Miner) | Yes (3 names, 1 binary) | No | Yes (Miner + Stealer) |
IOCs Submitted
ThreatFox (First Reporter)
| Hash | Malware | Account | Status |
|------|---------|---------|--------|
| `ca49f69a...` | win.quasar_rat | gololobovevgenij4-byte | Submitted |
| `22804099...` | win.quasar_rat | gololobovevgenij4-byte | Submitted |
| `de5fcb31...` | win.coinminer | gololobovevgenij4-byte | Submitted |
| `fae5053b...` | win.coinminer | Heheszon1 | Submitted |
GitHub Accounts Reported
| Account | User ID | Repos | Status |
|---------|---------|-------|--------|
| gololobovevgenij4-byte | 224857850 | 4 | Reported |
| Heheszon1 | 245615174 | 3 | Reported |
| kadeen333 | 166330105 | 2 | Reported |
| mkaif078600 | 201727544 | 2 | Reported |
Why This Matters
The Math
• Traditional approach: Find 1 account, report 1 account
• Follow the Followers: Find 1 account, map 4 accounts, report 13 repositories
4x multiplier on threat detection from a single seed.
The Speed
Day 0: Single Pulsar RAT sample identified
Day 0: Network mapped via Pattern 38.5
Day 0: 4 IOCs submitted to ThreatFox
Day 0: 4 accounts reported to GitHub
Same-day network takedown request instead of whack-a-mole over weeks.
Recommendations
For Threat Hunters
1. Never stop at one account — always search for related repositories
2. Creation date clustering — accounts created the same day often work together
3. Hash everything — identical binaries under different names = same actor
4. Zero social graph IS the pattern — legitimate developers have followers
For GitHub
1. Cluster detection — flag accounts created in batches with similar repos
2. Hash deduplication — warn when identical binaries appear across accounts
3. README-only repos — SEO spam repos are often malware landing pages
The Bottom Line
> "Follow the followers. Even when there are none to follow — that's the signal."
Pattern 38.5 transforms single-target detection into network mapping. Every isolated malware account is potentially a node in a larger distribution network.
DugganUSA: First to report. Always mapping.
Full IOC List
SHA256 Hashes
```
ca49f69a007de870c0ae4c9cabaa4707ad73c9735d643c7bfcdc2a4cf2ba9765  Pulsar-Client.exe (v1)
22804099ed114502613561e19c39b08d85532366de6aa7dc7b648da51d4a7515  Pulsar-Client.exe (v2)
de5fcb3128ab96a7c5e45d93ed01498102aacde90552b9bffc581fa94d5c8e6a  xmr 40%.exe
fae5053b24fc1ce0909d7c1718c0f70e98662097322c17db741e80fe5ee572e7  Fluxen kit (3 names)
```
GitHub Accounts
```
gololobovevgenij4-byte (ID: 224857850)
Heheszon1 (ID: 245615174)
kadeen333 (ID: 166330105)
mkaif078600 (ID: 201727544)
```
Repositories
```
https://github.com/gololobovevgenij4-byte/quasar-modded-malware-sample
https://github.com/gololobovevgenij4-byte/Silent-Crypto-Miner-modded-build-Sample
https://github.com/gololobovevgenij4-byte/test
https://github.com/Heheszon1/FluxenExecutor
https://github.com/Heheszon1/FluxenGrabber
https://github.com/Heheszon1/SilentCryptoMiner
https://github.com/kadeen333/Silent-Crypto-Miner
https://github.com/mkaif078600/Silent-Crypto-Miner
https://github.com/mkaif078600/seed-phrase-generator
```
*Generated by DugganUSA Threat Intelligence Platform*
*First reported: 2025-12-10*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]