
Friday Threat Brief: WordPress Plugin Ships a RAT, Storm-2755 Redirects Your Paycheck, Iran Targets American PLCs

  • Writer: Patrick Duggan
  • 4 hours ago
  • 3 min read

Six things you need to know before the weekend.


  • SMART SLIDER 3 WORDPRESS PLUGIN — SUPPLY CHAIN RAT


The popular WordPress slider plugin Smart Slider 3 had its update infrastructure compromised. Between April 7 and April 8, anyone who auto-updated to version 3.5.1.35 received a fully weaponized remote access toolkit instead of a plugin update. The attack window was approximately six hours before detection.


This is Pattern 38 — supply chain compromise through legitimate distribution channels. The attacker didn't need to find a vulnerability in WordPress or in the plugin. They compromised the update server and let the victims install the malware themselves.


If you run WordPress and have Smart Slider 3 installed, check your version immediately. If you're on 3.5.1.35, assume compromise. Roll back, scan for persistence, and rotate credentials.
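A quick way to do that version check across a whole install. This is an added example, not code from the brief or from the plugin's authors: it reads the standard WordPress plugin header (the same "Plugin Name:" and "Version:" lines WordPress itself parses) from every plugin's main file and flags the 3.5.1.35 build named above. It assumes the plugin's header names it "Smart Slider 3" and that it sits under wp-content/plugins/ like any other plugin.

```python
import re
from pathlib import Path

COMPROMISED_VERSION = "3.5.1.35"   # the build named in the brief
PLUGIN_NAME = "Smart Slider 3"      # assumed header name for the plugin

# WordPress reads header fields from lines such as " * Version: 3.5.1.35"
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M
)


def parse_plugin_header(text: str) -> dict:
    """Return {"Plugin Name": ..., "Version": ...} from a plugin's header comment."""
    # WordPress only inspects the first 8 KiB of the file; do the same.
    return {key: value for key, value in HEADER_RE.findall(text[:8192])}


def version_tuple(version: str) -> tuple:
    """Turn '3.5.1.35' into (3, 5, 1, 35) so builds compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_compromised_version(version: str) -> bool:
    """True only for the exact build that shipped the RAT."""
    return version_tuple(version) == version_tuple(COMPROMISED_VERSION)


def scan_plugins_dir(plugins_dir) -> list:
    """Walk wp-content/plugins; return (path, version, compromised) for Smart Slider 3."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_plugin_header(php.read_text(errors="replace"))
        if header.get("Plugin Name") != PLUGIN_NAME:
            continue  # not the plugin's main file (or a different plugin)
        version = header.get("Version", "unknown")
        findings.append((str(php), version, is_compromised_version(version)))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, version, bad in scan_plugins_dir(root):
        print("COMPROMISED" if bad else "ok", path, version)
```

Run it against each site's wp-content/plugins directory; a COMPROMISED line means roll back, hunt for persistence and rotate credentials as described above.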


  • CVE-2026-39987 — MARIMO PYTHON NOTEBOOK RCE, EXPLOITED IN 10 HOURS


A CVSS 9.3 vulnerability in Marimo, an open-source Python notebook for data science, was exploited within 10 hours of public disclosure. The terminal WebSocket endpoint at /terminal/ws has no authentication. An attacker who can reach it opens a WebSocket connection and gets a full PTY shell on the server. No credentials needed.


If your data science team runs Marimo notebooks accessible from the network, update to version 0.20.4 or later immediately. If they're internet-facing, assume they've been scanned.


  • STORM-2755 — SALARY REDIRECT VIA SESSION HIJACKING


A financially motivated threat group called Storm-2755 is using Adversary-in-the-Middle (AiTM) techniques to hijack authenticated sessions and reroute employee direct deposit payments to attacker-controlled bank accounts. The attack intercepts the session after the employee authenticates — MFA doesn't help because the attacker captures the session token after the MFA challenge completes.


This is Business Email Compromise evolved. Instead of sending a fake invoice, they change where your paycheck goes. The employee doesn't know until payday.


Mitigations: token binding, conditional access policies that evaluate device compliance, and monitoring for payroll changes from unusual sessions.


  • STORM-1175 / MEDUSA RANSOMWARE — MICROSOFT PUBLISHES DEEP DIVE


Microsoft published detailed analysis of Storm-1175, the threat actor behind high-velocity Medusa ransomware campaigns. Their playbook: scan for recently disclosed CVEs in web-facing assets, exploit before patches are applied, exfiltrate data, deploy Medusa.


We analyzed Medusa ransomware months ago. Our STIX feed includes Medusa indicators. Microsoft's analysis validates what we've been tracking — and confirms the attack tempo is accelerating.


  • IRAN APT TARGETING ROCKWELL AUTOMATION PLCS — JOINT ADVISORY


The FBI, CISA, NSA, EPA, DOE, and US Cyber Command issued a joint advisory warning of Iranian-affiliated APT actors actively exploiting internet-facing Rockwell Automation and Allen-Bradley programmable logic controllers. This is industrial control system targeting during an active military conflict.


With the Strait of Hormuz still effectively closed and ceasefire negotiations ongoing in Pakistan, Iranian cyber operations against US critical infrastructure are not theoretical. They're happening now. Six federal agencies don't issue a joint advisory for fun.


  • PAYLOAD RANSOMWARE HITS EGYPTIAN OIL AND GAS


The Payload ransomware group claimed an attack against El Wastani Petroleum Company (WASCO), a major Egyptian oil and gas operator. The timing — during the Hormuz crisis when Middle Eastern energy infrastructure is already under pressure — is either coincidental or deliberate.


WHAT WE DID


All six of these are now indexed as IOCs in our STIX feed. Smart Slider 3 supply chain indicators, CVE-2026-39987, Storm-2755 campaign markers, Storm-1175/Medusa indicators, the Iran PLC advisory, and the WASCO incident are searchable at analytics.dugganusa.com.


Our STIX feed now carries 1,063,000+ indicators across 42 indexes. If you run a SIEM, you can query these. If you don't have a feed yet, registration takes 30 seconds and the free tier gives you 500 queries per day.


Regional pricing is live for 80+ countries. A SOC analyst in India pays $13.50 per month for Starter. Same data, same indicators, fair price.


analytics.dugganusa.com/stix/pricing





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
