Free Threat Intel for Charities: 37 IOCs for Non-Profits Under Siege
- Patrick Duggan
- Nov 30, 2025
TL;DR: We published 2 OTX pulses with 37 non-profit sector IOCs covering Interlock, Akira, and donor data protection. Free. No paywall. Because charities are "cyber-poor, target-rich" and you can't protect donors if you can't afford threat intel.
The Problem
Non-profits are getting destroyed.
• 35% YoY increase in email-based attacks targeting nonprofits (2025)
• 26% increase in malware attacks, with malicious attachments posing as "grant approvals" or "donor lists"
• 60% of nonprofits experienced a cyberattack in the last 2 years
• $200K average cost of a data breach for nonprofits
• 70% have never done a basic risk assessment
• 80% have no cybersecurity plan
CISA published "Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society" in May 2024 because they recognized these organizations are "ill-prepared for and vulnerable to" social engineering and common cyber threats.
Translation: You have donors' credit cards, banking info, and personal data - but no IT staff to protect it.
The Blackbaud Wake-Up Call
• 13,000 organizations
• Millions of donors exposed
• $49.5 million settlement (49 states + DC)
• $3 million SEC fine for concealing the breach
Affected organizations included Save the Children, Human Rights Watch, Boy Scouts of America, Planned Parenthood, and the George W. Bush Presidential Center.
The attackers were inside from February to May 2020 before being discovered. They copied donor data including SSNs, financial info, and health information - then demanded ransom to delete it.
The Threat Actors
Interlock (CISA AA25-203A - July 2025)
The newest kid on the block. First observed September 2024, now with a CISA advisory.
• 4 SHA256 file hashes (PowerShell loaders, keylogger DLLs, exfil tools)
• File extensions: `.interlock` or `.1nt3rlock`
• Ransom note: `!__README__!.txt`
• Uses ClickFix CAPTCHA with Base64-encoded PowerShell
Akira (CISA AA24-109A - Updated November 2025)
Akira's been busy. The November 2025 update shows they're still evolving.
• 20+ SHA256 hashes (ransomware binaries, Veeam credential theft tools)
• Megazord variant hashes
• 8 CVEs for initial access (Cisco ASA, Veeam, SonicWall)
• File extension: `.akira`
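An added example (not from the original post or the OTX pulses): a sweep of a file share for the file-name artefacts listed above, namely the `.interlock` / `.1nt3rlock` and `.akira` extensions and the `!__README__!.txt` ransom note. The function names, the triage labels and the directory tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# File-name artefacts taken from the post; matched case-insensitively.
ENCRYPTED_SUFFIXES = {".interlock": "Interlock", ".1nt3rlock": "Interlock", ".akira": "Akira"}
RANSOM_NOTES = {"!__readme__!.txt": "Interlock"}


def sweep(root):
    """Walk root and return {family: {"encrypted": [paths], "notes": [paths]}}."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in RANSOM_NOTES:
                hits[RANSOM_NOTES[lower]]["notes"].append(path)
                continue
            for suffix, family in ENCRYPTED_SUFFIXES.items():
                if lower.endswith(suffix):
                    hits[family]["encrypted"].append(path)
                    break
    return dict(hits)


def triage(hits):
    """Example heuristic: a note plus encrypted files outranks either one alone."""
    report = {}
    for family, found in hits.items():
        both = found["encrypted"] and found["notes"]
        report[family] = "likely encryption event" if both else "investigate"
    return report


def demo():
    """Build a constructed directory tree, sweep it, return counts and triage."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "finance")
        os.makedirs(share)
        for name in ("donors.xlsx.interlock", "!__README__!.txt", "budget.docx.AKIRA", "minutes.txt"):
            open(os.path.join(share, name), "w").close()
        hits = sweep(root)
        counts = {fam: (len(v["encrypted"]), len(v["notes"])) for fam, v in hits.items()}
        return counts, triage(hits)
```

Point `sweep()` at a mounted share or backup volume; empty output means none of these names were found, not that the host is clean.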
BEC/VEC Campaigns
• Grant application emails get opened
• Invoice approvals get processed quickly
• Board member impersonation works
The Two Pulses
Pulse 1: Non-Profit Ransomware **20 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cc59974cd88b8b0cd3475)
• File hashes for ransomware binaries
• Veeam exploitation tools (credential theft from backups)
• CVEs for initial access
• Encrypted file extensions
Pulse 2: Donor Data Protection **17 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cc59a99c865236f90ffbc)
• PowerShell commands targeting donor databases
• Active Directory reconnaissance patterns
• Phishing patterns ("donate-now", "grant-application", "invoice-approval")
• Credential harvesting tools (Mimikatz, LSASS dumps)
• Ransomware preparation commands
Why Non-Profits Get Hit
1. Donor data goldmine: Credit cards, banking info, SSNs, addresses
2. Chronic underfunding: Most budgets go to mission, not IT
3. High-trust environment: Volunteers, distributed staff, BYOD policies
4. No security staff: Often no dedicated IT, let alone security
5. Donor pressure: "Why are you spending money on security instead of the mission?"
The cruel irony: Donors demand low overhead ratios, then their data gets breached because the nonprofit couldn't afford security.
What To Do With This
If you're a non-profit IT admin (or the one person doing everything):
1. Subscribe to both pulses - Ingest these IOCs into whatever you have
2. Enable MFA everywhere - Especially email and financial systems
3. Watch for Veeam exploitation - CVE-2024-40711 and CVE-2023-27532 are being actively exploited
4. Train on BEC - Grant approvals and invoice requests are top phishing vectors
5. Patch Cisco ASA/SonicWall - If you have VPN appliances, patch immediately
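One way to act on step 1, as an added example that is not DugganUSA's code: pull the SHA-256 file indicators out of a STIX 2.1 bundle and hash local files against them. It assumes the feed has been saved as a standard STIX 2.1 bundle; the bundle below is constructed and trimmed to the fields the parser reads, and its one hash is of a harmless test string.

```python
import hashlib
import json
import os
import re

SHA256_IN_PATTERN = re.compile(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'")

# Constructed sample data: not a real IOC, just the hash of SAMPLE_PAYLOAD.
SAMPLE_PAYLOAD = b"constructed sample"
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "indicator", "name": "constructed loader hash", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '%s']" % hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()},
    {"type": "indicator", "name": "constructed domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'example.invalid']"},
    {"type": "malware", "name": "constructed non-indicator object"},
]})


def sha256_indicators(bundle_text):
    """Return {sha256: indicator name} for STIX-pattern indicators in a bundle."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    found = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # skip malware/report objects and non-STIX pattern languages
        for digest in SHA256_IN_PATTERN.findall(obj.get("pattern", "")):
            found[digest.lower()] = obj.get("name", "unnamed")
    return found


def match_files(root, indicators, chunk=1 << 20):
    """Hash every readable file under root; return [(path, indicator name)]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    for block in iter(lambda: fh.read(chunk), b""):
                        digest.update(block)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if digest.hexdigest() in indicators:
                hits.append((path, indicators[digest.hexdigest()]))
    return hits
```

Hash matching only catches exact known binaries, so treat an empty result as "none of these samples are on disk" and keep the other steps in place.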
If you're a board member:
• Do we have offline backups? (Tested?)
• Do we have cyber insurance? (With ransomware coverage?)
• When did we last train staff on phishing?
• What's our breach notification plan?
The Uncomfortable Truth
Donors want their money going to the mission. That's admirable. But mission delivery requires functioning systems, and functioning systems require security.
A ransomware attack that leaks donor data doesn't just cost $200K+ in recovery. It destroys trust. Donors whose SSNs get exposed don't give again. That's a permanent mission impact.
We're publishing these IOCs for free because:
1. Charging $50K/year for threat intel to organizations running on volunteer labor is obscene
2. We're literally a non-profit doing this for free anyway (hi, that's us)
3. Someone should
Resources
• [DugganUSA OTX Profile](https://otx.alienvault.com/user/pduggusa) - 22 pulses, 1,200+ indicators
• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable
• [CISA AA25-203A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a) - Interlock advisory
• [CISA AA24-109A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a) - Akira advisory
• [CISA Civil Society Guidance](https://www.cisa.gov/resources-tools/resources/mitigating-cyber-threats-limited-resources-guidance-civil-society) - Best practices for resource-constrained orgs
• [CyberPeace Institute](https://cyberpeaceinstitute.org/news/cyber-poor-target-rich-the-crucial-role-of-cybersecurity-in-nonprofit-organizations/) - Non-profit threat landscape
• [National Council of Nonprofits](https://www.councilofnonprofits.org/running-nonprofit/administration-and-financial-management/cybersecurity-nonprofits) - Cybersecurity resources
*Patrick Duggan is founder of DugganUSA, a Minnesota-based security company. He believes threat intel should be shared freely, especially with organizations whose budgets go to feeding people, housing the homeless, or protecting civil rights instead of paying for enterprise security tools. If you're a non-profit and need help, reach out.*
*Questions? [email protected]*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed