DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

GitHub's 0% Response Rate: 29 Malware Accounts Still Active

Patrick Duggan
Dec 1, 2025
3 min read

TL;DR: We reported 29 malware-distributing GitHub accounts across 11 abuse reports. VirusTotal confirmed the payloads. OTX pulses documented the campaigns. GitHub suspended zero of them.

The Numbers

| Metric | Value | |--------|-------| | Reports Sent | 11 | | Accounts Reported | 29 (unique, excluding false positives) | | VT-Confirmed Malware | Yes (39/73, 47/76, 38/76 detection rates) | | Accounts Suspended | 0 | | Response Rate | 0% |

The Hall of Shame

APT-Level Infrastructure (Still Active)

• Created: July 27, 2016 (8+ years ago)

• C2 Channel: `github.com/getlook23/project1/issues/1`

• VT Detections: 39/73 (cryptbase.dll), 35/71 (LODCTR.DLL)

• OTX Documentation: "The case of getlook23: Using GitHub Issues as a C2"

• Status: STILL ACTIVE

A nation-state APT has been using GitHub Issues as a command-and-control channel for nearly a decade. Trend Micro published research on this in 2017. OTX has multiple pulses documenting it. The account is still up.

Malware Distribution Hubs (Still Active)

• 492 followers, 50 repos

• Dash Android Spyware (536 GitHub stars)

• Android-RATList, DDoS tools, GMailBomber

• Status: STILL ACTIVE

• 62 repos including:

• VT-confirmed malicious domains (15/95 detections)

• Status: STILL ACTIVE

• HALCYON-RAT with AV evasion features

• Payload builder, byte pumping for detection bypass

• Discord distribution channel

• Status: STILL ACTIVE

Cracked Malware Distribution (VT Confirmed)

• SHA256: `61974b843ae371e0472abf494817311e209d1ad9d01505537b7a58a330e19dda`

• VT Detection: 47/76

• Account age: 7 years (repurposed for malware in 2025)

• Status: STILL ACTIVE

Scam Infrastructure (Still Active)

• Active since 2016

• InstaBrute, FaceBrute, DDOSINC

• Status: STILL ACTIVE

• Telegram: @MIOBOMUIS

• Multiple drainer repos for sale

• Status: STILL ACTIVE

What We Reported

• VT hashes with 35-47+ vendor detections

• OTX pulse references with full IOC documentation

• MITRE ATT&CK technique mappings

• Account creation dates showing sleeper patterns

• Repo analysis showing malware distribution intent

The Pattern 38 Campaigns

• Created days before posting malware

• Zero repos, zero followers (sleeper pattern)

• Posted ZIPs containing Stealc/Rhadamanthys infostealers

• VT confirmed: 18+ detections per sample

GitHub's response: Nothing.

What This Means

1. GitHub Issues is a viable C2 channel - getlook23 proves you can run APT infrastructure on GitHub for 8+ years without action

2. Malware repos with 500+ stars persist - muneebwanee's Dash spyware has 536 stars. That's not low-visibility.

3. VT confirmation doesn't trigger action - We provided cryptographic proof. 47/76 vendors agree it's malware. GitHub disagrees by inaction.

4. Reporting is theater - [email protected] and [email protected] apparently forward to /dev/null

Our Response

• Document everything in our STIX feed

• Publish IOCs via OTX for the community

• Track account status for future reference

• Blog about it so the record exists

We're not going to stop reporting. But we're also not going to pretend it's working.

The Evidence

• `compliance/evidence/github-abuse-reports/*.json`

• Timestamps, account details, VT hashes, OTX references

• Full audit trail for anyone who wants to verify

Conclusion

GitHub's abuse response is either overwhelmed, understaffed, or simply not prioritizing malware distribution. When a Winnti APT C2 can operate for 8 years on your platform with public documentation, something is broken.

We'll keep reporting. We'll keep documenting. And we'll keep publishing the receipts.

*Reporter: DugganUSA LLC Threat Intelligence* *STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed* *OTX Profile: https://otx.alienvault.com/user/pduggusa*

*Accounts checked: December 1, 2025* *All 29 accounts verified active via GitHub API*

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]

GitHub's 0% Response Rate: 29 Malware Accounts Still Active

The Numbers

The Hall of Shame

APT-Level Infrastructure (Still Active)

Malware Distribution Hubs (Still Active)

Cracked Malware Distribution (VT Confirmed)

Scam Infrastructure (Still Active)

What We Reported

The Pattern 38 Campaigns

What This Means

Our Response

The Evidence

Conclusion

Get Free IOCs

Recent Posts

Comments