DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Free Threat Intel for Schools: 34 IOCs for K-12 and Universities Under Siege

Patrick Duggan
Nov 30, 2025
3 min read

TL;DR: We published 2 OTX pulses with 34 education-sector IOCs covering Vice Society, Rhysida, and student data protection. Free. No paywall. Because schools are "target rich, cyber poor" and deserve better.

The Problem

Education is now the most attacked sector in 2025 with 4,388 weekly cyberattacks per school.

• 82% of K-12 schools experienced cyber threat impacts

• 14,000 security events across 5,000 K-12 organizations

• 9,300 confirmed cybersecurity incidents (Jul 2023 - Dec 2024)

• Average: >1 incident per school day

CISA calls schools "target rich, cyber poor" - they hold extensive student PII but lack resources for comprehensive cybersecurity. Ransomware actors know this.

The Threat Actors

Vice Society (CISA AA22-249A)

Vice Society explicitly targets K-12 schools. They're not opportunistic - they hunt educational institutions. CISA issued a dedicated advisory because the pattern was so clear.

• 4 C2 IP addresses (varying confidence levels)

• TOR leak site: `vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion`

• Contact emails: `[email protected]`

• PrintNightmare exploitation (CVE-2021-1675, CVE-2021-34527)

Rhysida (CISA AA23-319A)

Rhysida hits universities and hospitals. They use ChaCha20 encryption with a 4096-bit RSA key - your data isn't coming back without paying.

• 8 SHA256 hashes (ransomware binaries, batch scripts, Gootloader)

• PsExec abuse patterns

• Azure Blob staging URLs

• Contact: `[email protected]`

Akira

Akira rounds out the education-targeting ransomware trifecta. They've hit multiple school districts and universities in 2024-2025.

The Two Pulses

Pulse 1: Education Sector Ransomware 22 IOCs | [Subscribe](https://otx.alienvault.com/pulse/692cc3c3b18994be11546c32)

• C2 IP addresses from CISA advisories

• File hashes for ransomware payloads

• TOR leak site addresses

• Ransom negotiation emails

• CVEs exploited for initial access

Pulse 2: K-12 FERPA Student Data Protection 12 IOCs | [Subscribe](https://otx.alienvault.com/pulse/692cc3c611b3cc827feefe58)

• PowerShell commands targeting student directories

• Credential harvesting indicators

• LSASS dump patterns

• Phishing patterns targeting `.edu` domains

• Ransomware preparation commands

FERPA (20 U.S.C. 1232g) requires protection of student education records. If attackers exfiltrate student data, you have a federal compliance problem on top of the ransomware problem.

Why Schools Get Hit

1. Data goldmine: Student PII, family financial info, staff records, health data 2. Underfunded IT: Most districts can't afford enterprise security tools 3. Distributed networks: Multiple buildings, BYOD, remote learning 4. Low security maturity: Often no dedicated security staff 5. Public pressure to pay: "We need the systems back for the kids"

The proposed CISA reporting rule would require school districts with >1,000 students to report major cyber disruptions within 72 hours. Between 2016-2022, 1,327 K-12 entities experienced publicly disclosed cyber incidents.

What To Do With This

If you're a K-12 IT admin:

1. Subscribe to both pulses - Ingest these IOCs into your SIEM/EDR 2. Monitor for PrintNightmare - CVE-2021-1675/34527 is still being exploited 3. Watch PowerShell - Commands like `Get-ADGroupMember -Identity 'Students'` are red flags 4. Block the C2 IPs - Add Vice Society infrastructure to your firewall deny list 5. Patch Ivanti - CVE-2024-21887 affects school VPN appliances

If you're a school board member:

• Offline backups (tested regularly)

• Incident response retainer

• Cyber insurance (with ransomware coverage)

• Basic security training for staff

The Uncomfortable Truth

Schools spend millions on physical security - metal detectors, SROs, cameras. They spend almost nothing on cyber security while holding the most sensitive data about children.

A ransomware attack that leaks student records can follow kids for decades. Addresses, SSNs, medical conditions, disciplinary records, special education status - all exposed because the district couldn't afford a $50K/year security program.

We're publishing these IOCs for free because someone should.

Resources

• [DugganUSA OTX Profile](https://otx.alienvault.com/user/pduggusa) - 20 pulses, 1,168+ indicators

• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable

• [CISA AA22-249A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-249a) - Vice Society advisory

• [CISA AA23-319A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a) - Rhysida advisory

• [CISA K-12 Cybersecurity](https://www.cisa.gov/K12Cybersecurity) - Resources for schools

• [CIS MS-ISAC 2025 K-12 Report](https://www.cisecurity.org/insights/white-papers/2025-k12-cybersecurity-report) - The data source

*Patrick Duggan is founder of DugganUSA, a Minnesota-based security company. He believes threat intel should be shared freely, especially with organizations that can't afford to buy it. Schools educate our kids - the least we can do is help protect them.*

*Questions? [email protected]*

Free Threat Intel for Schools: 34 IOCs for K-12 and Universities Under Siege

The Problem