DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

From 8K to 12K: How We Hit 10,000 IOCs in One Afternoon

Patrick Duggan
Dec 3, 2025
3 min read

TL;DR: Cross-referenced our Pattern 38 C2 infrastructure with ThreatFox and URLhaus. Found 1,267 malware URLs from our tracked C2s. Pushed 4,000+ IOCs to OTX in one session. Now at 11,910 indicators.

The Goal: 10,000 IOCs

When we started the day, our OTX feed sat at 8,227 indicators across 84 pulses. The goal was simple: hit 10K.

But we didn't want to pad the numbers with garbage. Every IOC had to be: 1. Verified - From trusted sources (ThreatFox, URLhaus) 2. Correlated - Cross-referenced with our existing Pattern 38 C2 infrastructure 3. Actionable - Defenders can block these TODAY

The Discovery: URLhaus Correlation Hunt

We started by cross-referencing our known C2 IPs with URLhaus's malware URL database. The results were staggering:

| C2 IP | Malware URLs | Family | |-------|-------------|--------| | 178.16.55.189 | 1,035 | Amadey Dropper | | 176.46.152.62 | 221 | Rhadamanthys | | 196.251.107.94 | 7 | Stealc Build Server | | 95.217.39.238 | 4 | CoinMiner |

1,267 malicious URLs served from just 4 IPs we were already tracking. This is the power of correlation hunting - you start with a seed (known bad infrastructure) and discover the full scope of the operation.

The Harvest: ThreatFox 7-Day Pull

ThreatFox's API returned 15,845 IOCs from the last 7 days. We categorized them:

js.clearfake:     11,355 IOCs  ← Fake browser update campaign
unknown:           1,958 IOCs  ← Emerging threats
win.cobalt_strike:   225 IOCs  ← Red team tool abuse
win.ramnit:          200 IOCs  ← Banking trojan
win.vidar:           182 IOCs  ← Infostealer
win.asyncrat:        180 IOCs  ← Remote access trojan
win.remcos:          113 IOCs  ← RAT
win.sliver:          106 IOCs  ← C2 framework
win.formbook:        106 IOCs  ← Infostealer

The Push: 9 Pulses in 30 Minutes

We pushed everything to OTX in batches:

1. ThreatFox Correlation Hunt - 29 IOCs (our C2s confirmed in ThreatFox) 2. URLhaus Correlation Hunt - 11 IOCs (malware URL infrastructure) 3. ThreatFox 7-Day Harvest - 490 IOCs (multi-family) 4. ClearFake Campaign (x4) - 2,000 IOCs (fake browser updates) 5. C2 Framework Hunt - 447 IOCs (Cobalt Strike, Sliver, Meterpreter) 6. Infostealer Hunt - 213 IOCs (Vidar, Stealc, FormBook, RedLine) 7. Mirai Botnet - 79 IOCs (IoT botnet C2) 8. Emerging Threats (x2) - 599 IOCs (unclassified suspicious)

The Result

=== GRAND TOTAL ===
Total pulses: 94
Total IOCs: 11,910
Progress to 10K: 119.1%

* GOAL ACHIEVED! * ```

Why This Matters

Most threat intel is siloed. ThreatFox knows about malware samples. URLhaus knows about malicious URLs. OTX aggregates community intel. But nobody is connecting the dots.

We are.

When we discover a C2 IP from a GitHub supply chain attack (Pattern 38), we don't just block it. We:

1. Check ThreatFox for related malware samples 2. Check URLhaus for malicious URLs served from that IP 3. Check VirusTotal for related file hashes 4. Push ALL findings to our STIX feed 5. Push to OTX for community defense 6. Publish analysis so others can hunt

This is correlation hunting. One seed IP becomes dozens of IOCs. Those IOCs lead to infrastructure. That infrastructure reveals the full campaign.

The Technical Stack

┌─────────────────────────────────────────────────────────┐
│                    DugganUSA Brain                       │
├─────────────────────────────────────────────────────────┤
│  Pattern 38 Scanner → Known C2 IPs (seed)               │
│         ↓                                                │
│  ThreatFox Client → Malware samples, C2 correlations    │
│         ↓                                                │
│  URLhaus Client → Malicious URLs from those C2s         │
│         ↓                                                │
│  OTX Pulse Creator → Push to community feed             │
│         ↓                                                │
│  STIX Feed → Machine-readable for enterprise            │
└─────────────────────────────────────────────────────────┘

All of this runs autonomously via GitHub Actions at 06:00 UTC daily.

For Defenders

Subscribe to our feeds:

• OTX: [otx.alienvault.com/user/pduggusa](https://otx.alienvault.com/user/pduggusa) (15 subscribers, 11,910 IOCs)

• STIX: [analytics.dugganusa.com/api/v1/stix-feed](https://analytics.dugganusa.com/api/v1/stix-feed)

What's Next

• Shodan InternetDB integration - Passive port scanning for C2 infrastructure

• IPinfo ASN pivots - Find related infrastructure by ASN

• Auto-enrichment - High-threat IPs get full OSINT treatment

• Customer dashboards - Enterprise threat intel as a service

*"Feed subscribers get IOCs first. Bad actors get public shaming second. That's the order."*

DugganUSA LLC - Minnesota Threat Intelligence 🦊 OTX: 11,910 IOCs | 94 Pulses | 15 Subscribers

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]