
From 1 to 5: How We Mapped a Post-Operation Endgame C2 Infrastructure

  • Writer: Patrick Duggan
  • Nov 26, 2025
  • 4 min read

November 26, 2025 | Pattern 38 | TA585 Attribution | C2 Hunting




TL;DR


Started with 1 C2 IP. Ended with 5. Plus a Monero mining pool. Plus TA585 attribution. Plus 7 emails to FAANG security teams.


This is the story of following the breadcrumbs.




The Starting Point


We had one IP from our Pattern 38 supply chain attack investigation:



149.102.156.62 - Contabo GmbH, UK


That's it. One IP. The Stealc/Rhadamanthys beacon endpoint posting to `/5dc60508ab2db3b4.php`.


The question was: "Is this really all there is?"


Spoiler: It wasn't.




The Hunt


Step 1: Pivot from the Known C2


VirusTotal's behavior analysis is a goldmine. We queried the sandbox reports for samples communicating with our known C2:



```mermaid
graph LR
    subgraph "Known Infrastructure"
        C1[149.102.156.62<br/>PRIMARY C2]
    end

    subgraph "Samples Contacting C2"
        S1[Sample 1]
        S2[Sample 2]
        S3[Sample 3]
    end

    S1 --> C1
    S2 --> C1
    S3 --> C1

    style C1 fill:#d32f2f,color:#fff
```


20 files communicating with this IP. Time to check what ELSE they talk to.


Step 2: Follow the Samples


A malware sample rarely talks to just one server: it has fallbacks, secondary payloads and build servers. We extracted the full network behavior of each sample:



```mermaid
flowchart TD
    subgraph "Attack Chain"
        A[GitHub Issue Comment] -->|ZIP download| B[Malicious ZIP]
        B -->|Extract & Execute| C[PowerShell Loader]
        C -->|Download| D[zalupa.ps1 / ooewqi.ps1]
        D -->|Execute| E[Main Payload]
        E -->|Beacon| F[C2 Server]
        E -->|Optional| G[Cryptominer]
    end

    subgraph "C2 Infrastructure"
        F --> F1[149.102.156.62<br/>Stealc Beacon]
        D --> D1[158.220.93.201<br/>Dropper #1]
        D --> D2[95.217.39.238<br/>Dropper #2]
        E --> E1[196.251.107.94<br/>Build Server]
        G --> G1[pool.supportxmr.com<br/>Monero Pool]
    end

    style F1 fill:#d32f2f,color:#fff
    style D1 fill:#e65100,color:#fff
    style D2 fill:#e65100,color:#fff
    style E1 fill:#7b1fa2,color:#fff
    style G1 fill:#1565c0,color:#fff
```


Step 3: The Full Picture Emerges


Five C2 servers. All different providers. All different countries. But connected by the same malware samples.



```mermaid
graph TB
    subgraph "Geographic Distribution"
        subgraph "UK - Contabo"
            UK1[149.102.156.62<br/>vmi2910825]
            UK2[158.220.93.201<br/>vmi2915473]
        end

        subgraph "Finland - Hetzner"
            FI1[95.217.39.238]
        end

        subgraph "Hong Kong - Unknown"
            HK1[196.251.107.94:5553]
        end

        subgraph "USA - IOFLOOD"
            US1[107.167.83.34]
        end
    end

    UK1 -.->|"Sequential VMI<br/>Same Campaign"| UK2

    style UK1 fill:#d32f2f,color:#fff
    style UK2 fill:#e65100,color:#fff
    style FI1 fill:#388e3c,color:#fff
    style HK1 fill:#7b1fa2,color:#fff
    style US1 fill:#1565c0,color:#fff
```




The Infrastructure Map


| IP | Country | Provider | ASN | VT Detections | Role |
|----|---------|----------|-----|---------------|------|
| 149.102.156.62 | 🇬🇧 UK | Contabo GmbH | 51167 | 12/95 | PRIMARY C2 - Stealc beacon |
| 158.220.93.201 | 🇬🇧 UK | Contabo GmbH | 51167 | 0/95 | Payload dropper (zalupa.ps1) |
| 95.217.39.238 | 🇫🇮 Finland | Hetzner | 24940 | 8/95 | Secondary dropper (ooewqi.exe) |
| 196.251.107.94 | 🇭🇰 HK | Unknown | - | 10/95 | Build server (per-victim payloads) |
| 107.167.83.34 | 🇺🇸 USA | IOFLOOD | 53755 | 1/95 | Bulletproof hosting |


DNS Attribution Gold



• `vmi2910825.contaboserver.net` (149.102.156.62)

• `vmi2915473.contaboserver.net` (158.220.93.201)


This means they were provisioned around the same time by the same actor. Same campaign. Same wallet.




Payload URLs



http://149.102.156.62/5dc60508ab2db3b4.php          # Stealc C2 beacon (POST)
http://158.220.93.201/zalupa.ps1                     # PowerShell loader (Russian naming)
http://158.220.93.201/taskhostcore.exe               # Windows masquerading
http://95.217.39.238/ooewqi.ps1                      # Random-named loader
http://95.217.39.238/ooewqi.exe                      # Secondary payload
http://196.251.107.94:5553/gimger.exe                # HK build server
http://196.251.107.94:5553/[UUID]_crypted_build.exe  # Per-victim builds



• `378eed24804b4bc0a0de7eb25c72e46a_build.bin`

• `8d0d8add1579482aa67eaafbc32b547a_crypted_build.exe`

• `993809c397854ef5906fcfe577c247a3_build.bin`


This is a builder infrastructure - custom payloads for each victim to evade hash-based detection.




Attribution: The TA585 Connection



```mermaid
flowchart LR
    subgraph "TA585 Known TTPs"
        T1[GitHub Notifications]
        T2[Rhadamanthys/Stealc]
        T3[MaaS Model]
        T4[Russian Forums]
    end

    subgraph "Pattern 38 Observed"
        P1[GitHub Issue Comments]
        P2[Rhadamanthys/Stealc]
        P3[MaaS Model]
        P4[Russian Naming<br/>zalupa.ps1]
    end

    T1 -.->|"Same Vector<br/>Different Technique"| P1
    T2 -.->|"Same Malware"| P2
    T3 -.->|"Same Model"| P3
    T4 -.->|"Same Origin"| P4

    style T1 fill:#1976d2,color:#fff
    style T2 fill:#1976d2,color:#fff
    style P1 fill:#d32f2f,color:#fff
    style P2 fill:#d32f2f,color:#fff
```


The Evidence


1. Same delivery vector: GitHub-based (TA585 uses notifications, Pattern 38 uses issue comments)
2. Same malware families: Rhadamanthys, Stealc (both in TA585 arsenal per Proofpoint)
3. Timing correlation: Post-Operation Endgame (Nov 10-14, 2025) infrastructure rebuild
4. MaaS model: Russian-speaking forum sourced malware
5. Infrastructure pattern: Sequential Contabo VMI provisioning


Operation Endgame Context



• 1,025 servers used by Rhadamanthys

• 20 domains

• Searches at 11 locations in Germany, Greece, and Netherlands


Our Pattern 38 infrastructure appears to be the rebuild. Fresh Contabo servers, new dropper IPs, same malware families.


Attribution Confidence: 70% (MODERATE-HIGH)




The Bonus Find: Cryptominer Variant


Some samples also contact `pool.supportxmr.com` - a Monero mining pool.



```mermaid
graph LR
    subgraph "Dual-Purpose Malware"
        M[Infected Host]
        M -->|Steal Credentials| C2[Stealc C2]
        M -->|Mine XMR| Pool[supportxmr.com]
    end

    style C2 fill:#d32f2f,color:#fff
    style Pool fill:#ff9800,color:#fff
```


Stealc + Cryptominer = Maximum Monetization


Why choose one revenue stream when you can have both?




MITRE ATT&CK Mapping



```mermaid
flowchart TD
    subgraph "Initial Access"
        T1566[T1566.002<br/>Spearphishing Link]
    end

    subgraph "Execution"
        T1204[T1204.002<br/>Malicious File]
        T1059[T1059.001<br/>PowerShell]
    end

    subgraph "Defense Evasion"
        T1027[T1027<br/>Obfuscated Files]
        T1036[T1036<br/>Masquerading]
    end

    subgraph "Credential Access"
        T1555[T1555.003<br/>Browser Credentials]
    end

    subgraph "Command & Control"
        T1071[T1071.001<br/>Web Protocols]
    end

    T1566 --> T1204
    T1204 --> T1059
    T1059 --> T1027
    T1027 --> T1555
    T1555 --> T1071

    style T1566 fill:#1565c0,color:#fff
    style T1204 fill:#7b1fa2,color:#fff
    style T1059 fill:#7b1fa2,color:#fff
    style T1027 fill:#00897b,color:#fff
    style T1555 fill:#c62828,color:#fff
    style T1071 fill:#ef6c00,color:#fff
```




IOCs Summary


C2 IPs (Block These)

```
149.102.156.62
158.220.93.201
95.217.39.238
196.251.107.94
107.167.83.34
```


Malware Hashes (SHA256)

```
23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
4ac33e95d7d1bf205c8bd021886a8edc5d405d65389edb3b0c65d62c12ace47d
97c555e848aa65ab8e6710bc57ab80d280dae9bbac53eda89e659fb3b91a53b6
```


Domains

```
pool.supportxmr.com (cryptominer)
vmi2910825.contaboserver.net
vmi2915473.contaboserver.net
we.love.servers.at.ioflood.net
```


GitHub Accounts (Suspended)

```
FireSuper, rampubg14-cmyk, anuxagfr, winchmrsmilegodsgf, SorYoshino, starlet219
```


GitHub Accounts (STILL ACTIVE - Report These)

```
storymatic, ecmrichard, giulialoregian, salhe2673-web, muanevn
```




STIX 2.1 Feed


All 31 indicators available in machine-readable format:



https://analytics.dugganusa.com/api/v1/stix-feed




The Lesson


One IP is never just one IP.


When you find C2 infrastructure, pivot:

1. Check what samples communicate with it
2. Check what ELSE those samples communicate with
3. Check DNS for attribution breadcrumbs
4. Check timing against known operations
5. Follow the follow-bots
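The pivot above (steps 1 to 3, and the sequential-VMI check from the DNS section), as an added example that is not code from the original post. It runs offline over constructed sandbox-style records; the sample ids, the unrelated host 203.0.113.5 and the 10000 id-gap threshold are assumptions.

```python
import ipaddress
import re

# Constructed records shaped like a sandbox report's network summary:
# sample id -> hosts it was observed contacting. Real pivots pull this
# from VirusTotal behaviour reports; the data here is illustrative.
SANDBOX_REPORTS = {
    "sample-1": {"149.102.156.62", "158.220.93.201", "pool.supportxmr.com"},
    "sample-2": {"149.102.156.62", "95.217.39.238"},
    "sample-3": {"158.220.93.201", "196.251.107.94"},
    "sample-4": {"203.0.113.5"},  # unrelated host, never reaches the seed
}

# Constructed reverse-DNS map for the hosts above (hostnames from the post).
PTR_RECORDS = {
    "149.102.156.62": "vmi2910825.contaboserver.net",
    "158.220.93.201": "vmi2915473.contaboserver.net",
}

def pivot(seed, reports, depth=2):
    """Step 1 and 2: start from one known C2, collect the samples that talk
    to anything already known, then absorb every host those samples contact.
    Each round extends the map by one hop; depth=2 reaches second-order hosts."""
    known = {seed}
    for _ in range(depth):
        hits = {sid for sid, hosts in reports.items() if hosts & known}
        for sid in hits:
            known |= reports[sid]
    return known

VMI_RE = re.compile(r"^vmi(\d+)\.contaboserver\.net$")

def sequential_vmi(hosts, ptr, max_gap=10000):
    """Step 3: pair Contabo VMI hostnames whose numeric ids are close
    (assumed threshold), a hint of provisioning in the same window."""
    ids = sorted((int(m.group(1)), ip) for ip in hosts
                 if (m := VMI_RE.match(ptr.get(ip, ""))))
    return [(ip_a, ip_b, b - a)
            for (a, ip_a), (b, ip_b) in zip(ids, ids[1:]) if b - a <= max_gap]

def split_indicators(hosts):
    """Sort pivot output into the IP and domain lists a blocklist wants."""
    ips, domains = [], []
    for h in hosts:
        try:
            ipaddress.ip_address(h)
            ips.append(h)
        except ValueError:
            domains.append(h)
    return sorted(ips), sorted(domains)
```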


The attackers built redundancy. Your detection should too.




Actions Taken



• 5 C2 IPs documented in STIX feed

• 7 FAANG security teams notified

• 6 GitHub accounts suspended (4 original + 2 from warnings)

• Blog published for public awareness


Feed subscribers get IOCs first. Bad actors get public shaming second.




*DugganUSA LLC - Minnesota-based threat intelligence*


*"The spice must flow. The IOCs must too."*

