"Hackers LOVE Windows. Attackers HATE Azure!" - The Math Behind the Meme
- Patrick Duggan
- Dec 9, 2025
- 5 min read
The Controversial Claim
There's a saying in threat intelligence circles: *"Hackers LOVE Windows. Attackers HATE Azure."*
At first glance, it sounds like Microsoft fanboy copium. But when you look at the actual IOC data from ThreatFox, URLhaus, and our own Pattern 49 victim extraction engine, the numbers tell a fascinating story.
TL;DR: The statement is 83% true. Here's the math.
The Receipts: DugganUSA Threat Intelligence Analysis
This isn't speculation. This is our data. Running 24/7. Autonomously. In Azure (the irony is not lost on me).
The DugganUSA Threat Intel Stack
- **PreCog Sweep Engine**: Runs every 10 minutes, hunts novel IOCs
- **Pattern 49**: Small Business Brand Weaponization detection
- **Pattern 48**: AEZA PTR Spoof Farm identification
- **94,000+ indicators** in our OTX pulses, consumed by Microsoft and AT&T
Dataset
- **4,131 malicious domains** analyzed from our live threat intelligence database
- Sources: ThreatFox, URLhaus, OTX feeds, GreyNoise RIOT enrichment
- Time period: Rolling 30-day window
- Analysis date: December 9, 2025
- Infrastructure: Azure Container Apps (because we trust it, unlike the attackers)
PART 1: "Hackers LOVE Windows"
The Numbers
| Payload Type | Count | % of Total |
|--------------|-------|------------|
| Windows executables (.exe, .dll, .msi, .bat, .ps1, .vbs) | 263 | 6.4% |
| Other payloads | 3,868 | 93.6% |
The "other payloads" bucket includes material that is not tied to one operating system:
• PHP webshells (cross-platform)
• JavaScript stealers (browser-based)
• Generic downloaders
When you filter for platform-specific malware, Windows wins by a landslide:
| Target Platform | Domains | Relative Share |
|-----------------|---------|----------------|
| Windows | 263 | 87.4% |
| Linux (ELF) | 23 | 7.6% |
| macOS | 8 | 2.7% |
| Android (APK) | 7 | 2.3% |
Verdict: TRUE. Attackers overwhelmingly target Windows: 87.4% of the platform-specific malware in the dataset is Windows malware, which supports the "LOVE" claim. One caveat for anyone reproducing this: only 301 of the 4,131 domains (7.3%) carried a payload that could be tied to a platform at all, and ThreatFox and URLhaus lean heavily toward commodity crimeware, so the figure describes what those feeds see rather than every attacker.
Sample Payloads
```
11pause849.com → 38958e.exe
11pause938g.com → 32fgbe.exe
123123-b5b.pages.dev → allahcracked.exe
12pause84.com → 389bbe.exe
13p3ause7381df.com → fdeb.exe
```
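As an added example (not the page's own PreCog or Pattern 49 code), the following Python classifies distribution URLs by target platform the way the two tables above do: by the URL's last extension and, where the sample itself has been fetched, by its magic bytes. The second path matters because many Linux bot binaries (the `x86` / `mirai.arm7` style names) carry no extension at all and would otherwise land in "unknown". Apart from the page's own `11pause849.com` entry, the `.test` hostnames and the byte strings are constructed.

```python
"""Classify malware-distribution URLs by target platform and compute the
platform shares used in the tables above.

Added example, not the DugganUSA PreCog / Pattern 49 code.  The sample
URLs below are constructed (.test TLD); only the first mirrors the page's
own sample list.
"""
from __future__ import annotations

from collections import Counter
from urllib.parse import urlparse, unquote

# File extensions -> platform.  The Windows set is the one the table names,
# plus .scr/.cmd, which are Windows-only in practice.
WINDOWS_EXT = {".exe", ".dll", ".msi", ".bat", ".ps1", ".vbs", ".scr", ".cmd"}
EXT_PLATFORM = {
    **{ext: "windows" for ext in WINDOWS_EXT},
    ".elf": "linux", ".sh": "linux",        # Mirai-style "bins.sh" droppers
    ".apk": "android",
    ".dmg": "macos", ".pkg": "macos",
    ".php": "cross-platform", ".js": "cross-platform", ".jar": "cross-platform",
}
PLATFORM_SPECIFIC = {"windows", "linux", "macos", "android"}

# Magic bytes, for when the sample has been fetched.  URLhaus payloads often
# have no telling extension (e.g. "x86", "mirai.arm7").
MAGIC = [
    (b"MZ", "windows"),                 # PE / DOS stub
    (b"\x7fELF", "linux"),              # ELF
    (b"\xfe\xed\xfa\xce", "macos"),     # Mach-O 32-bit
    (b"\xfe\xed\xfa\xcf", "macos"),     # Mach-O 64-bit
    (b"\xcf\xfa\xed\xfe", "macos"),     # Mach-O 64-bit, little-endian
    (b"\xca\xfe\xba\xbe", "macos"),     # Mach-O fat/universal
]


def platform_from_magic(data: bytes) -> str | None:
    """Platform from the first bytes of a fetched sample, else None."""
    for sig, platform in MAGIC:
        if data.startswith(sig):
            return platform
    # APK is a ZIP; only call it Android if the manifest name is present.
    if data.startswith(b"PK\x03\x04") and b"AndroidManifest.xml" in data:
        return "android"
    return None


def platform_from_url(url: str) -> str:
    """Platform from the last extension of the URL path ("unknown" if none).

    The *last* extension is used so "Invoice.pdf.exe" counts as Windows;
    the path is percent-decoded and lower-cased first.
    """
    name = unquote(urlparse(url).path).rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return EXT_PLATFORM.get(ext, "unknown")


def classify(url: str, sample: bytes | None = None) -> str:
    """Prefer the sample's magic bytes over the URL extension when available."""
    if sample is not None:
        by_magic = platform_from_magic(sample)
        if by_magic:
            return by_magic
    return platform_from_url(url)


def platform_shares(platforms) -> dict:
    """Relative share among platform-specific payloads only, as in the second
    table: {platform: (count, percent)}.  Cross-platform and unknown payloads
    are excluded from the denominator."""
    specific = Counter(p for p in platforms if p in PLATFORM_SPECIFIC)
    total = sum(specific.values())
    return {p: (n, round(100 * n / total, 1)) for p, n in specific.most_common()}


# Constructed sample: (url, fetched bytes or None).
SAMPLE = [
    ("http://11pause849.com/38958e.exe", None),
    ("http://cdn.example.test/dl/Invoice%20Q4.pdf.EXE?id=7", None),
    ("http://bins.example.test/mirai.arm7", b"\x7fELF\x01\x01\x01\x00"),  # no extension, ELF magic
    ("http://bins.example.test/x86.elf", None),
    ("http://bins.example.test/bins.sh", None),
    ("http://app.example.test/update.APK", None),
    ("http://mac.example.test/Installer.dmg", None),
    ("http://web.example.test/shell.php", None),
    ("http://web.example.test/stealer.js", None),
]


def analyse(sample=SAMPLE) -> dict:
    """Both tables at once: Windows share of everything, and the
    platform-specific breakdown."""
    platforms = [classify(url, data) for url, data in sample]
    return {
        "per_url": dict(zip((u for u, _ in sample), platforms)),
        "windows_of_total": round(100 * platforms.count("windows") / len(platforms), 1),
        "platform_specific_shares": platform_shares(platforms),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

On the constructed sample the ELF-magic path moves `mirai.arm7` from "unknown" to Linux; over a real URLhaus pull the same step is what keeps the Linux row from being undercounted.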
PART 2: "Attackers HATE Azure!"
This is where it gets interesting.
Attacker C2 Infrastructure Preferences
| Cloud Provider | Malicious Domains | % of Total |
|----------------|-------------------|------------|
| Azure (Microsoft) | 0 | 0.00% |
| AWS (Amazon) | 16 | 0.39% |
| Cloudflare | 93 | 2.25% |
| Generic VPS | 4,022 | 97.36% |
ZERO Azure-hosted malicious domains. Out of 4,131, not a single one was attributed to Azure infrastructure. (The "Generic VPS" row is the residual bucket: everything not attributed to Azure, AWS or Cloudflare.)
Why Do Attackers Avoid Azure?
1. Microsoft Defender for Cloud - Built-in threat detection that flags and blocks malicious activity
2. Microsoft Sentinel (formerly Azure Sentinel) integration - SOC teams get alerts within minutes
3. Strict abuse policies - Azure Terms of Service are aggressively enforced
4. Identity requirements - Credit card + phone verification makes anonymity harder
5. Forensic cooperation - Microsoft actively cooperates with law enforcement
The generic VPS providers that host 97% of the dataset are the opposite on every point:
• Fake identities are accepted
• Abuse reports are ignored
• Cryptocurrency payments are standard
• No law enforcement cooperation
Verdict: TRUE. Attackers actively avoid Azure for their own infrastructure. With 4,131 domains, even a 1% Azure share would have produced about 40 hits, so a count of zero is not sampling noise. Two things to check before quoting the number, though: attribution has to be done on resolved addresses against the providers' published prefix lists (matching hostnames alone misses a customer-owned domain that simply points at an Azure address), and the residual "Generic VPS" bucket is everything that matched none of the three named providers, so part of its 97% may be hosting that was never attributed rather than hosting that is known to be a VPS.
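How the attribution behind the table can be reproduced, as an added example rather than the page's own code: resolve each domain, look the address up in the providers' published prefix lists, and let provider-owned PaaS hostnames short-circuit the lookup. The Azure, AWS and Cloudflare prefixes below are RFC 5737 documentation-range placeholders (the real lists are Microsoft's Service Tags JSON, AWS's ip-ranges.json and Cloudflare's ips-v4; the two GitHub prefixes are from api.github.com/meta), and the DNS answers in `SAMPLE` are constructed. The `github_is_microsoft` switch shows how much the 0% figure depends on whether Microsoft-owned GitHub is counted as a separate provider, as the page's table does.

```python
"""Attribute malicious domains to a hosting provider by checking their
resolved address against published provider prefixes, then tally the
shares shown in the table above.

Added example, not the DugganUSA code.  The Azure, AWS and Cloudflare
prefixes are placeholders from the RFC 5737 documentation ranges; in
practice load the real lists from:
  Azure      - Microsoft's "Azure IP Ranges and Service Tags - Public Cloud"
               JSON download (its structure is mimicked below)
  AWS        - https://ip-ranges.amazonaws.com/ip-ranges.json
  Cloudflare - https://www.cloudflare.com/ips-v4
  GitHub     - https://api.github.com/meta
The DNS answers in SAMPLE are constructed too.
"""
from __future__ import annotations

import ipaddress
import json
from collections import Counter

# Same shape as Microsoft's Service Tags file, with a placeholder prefix.
AZURE_SERVICE_TAGS = json.loads("""
{"values": [{"name": "AzureCloud",
             "properties": {"addressPrefixes": ["192.0.2.0/24"]}}]}
""")


def azure_prefixes(service_tags: dict) -> list[str]:
    """Flatten every tag's addressPrefixes into one list."""
    return [p for tag in service_tags["values"]
            for p in tag["properties"]["addressPrefixes"]]


PROVIDER_PREFIXES = {
    "azure": azure_prefixes(AZURE_SERVICE_TAGS),
    "aws": ["198.51.100.0/24"],          # placeholder
    "cloudflare": ["203.0.113.0/24"],    # placeholder
    # GitHub publishes its own allocations; two of them are listed here.
    # Kept as a separate bucket so the analyst decides whether Microsoft-owned
    # GitHub counts as "Azure" (the page's table does not).
    "github": ["140.82.112.0/20", "185.199.108.0/22"],
}

# PaaS hostnames identify the provider regardless of where the A record
# lands (CDN fronting etc.).  Suffixes include the leading dot.
PAAS_SUFFIXES = {
    ".blob.core.windows.net": "azure",
    ".azurewebsites.net": "azure",
    ".amazonaws.com": "aws",
    ".pages.dev": "cloudflare",
    ".workers.dev": "cloudflare",
    ".github.io": "github",
    ".githubusercontent.com": "github",
}


def build_index(prefixes=PROVIDER_PREFIXES) -> list:
    """Flatten {provider: [cidr, ...]} into [(network, provider), ...]."""
    return [(ipaddress.ip_network(p), prov)
            for prov, cidrs in prefixes.items() for p in cidrs]


def provider_for_ip(ip: str, index) -> str:
    """Longest-list-wins is unnecessary here: provider ranges do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, prov in index:
        if addr.version == net.version and addr in net:
            return prov
    return "other"   # what the table calls "Generic VPS": simply unattributed


def attribute(domain: str, a_record: str, index, github_is_microsoft: bool = False) -> str:
    """Hostname suffix first (PaaS abuse), then the resolved address."""
    host = domain.lower().rstrip(".")
    prov = next((p for suffix, p in PAAS_SUFFIXES.items() if host.endswith(suffix)), None)
    if prov is None:
        prov = provider_for_ip(a_record, index)
    if github_is_microsoft and prov == "github":
        # Analyst's choice to fold Microsoft-owned GitHub into the Azure row;
        # not a claim that github.com is served from Azure address space.
        return "azure"
    return prov


SAMPLE = {   # constructed domain -> resolved A record
    "11pause849.com": "192.0.2.10",                       # placeholder Azure prefix
    "payload.example.test": "198.51.100.7",               # placeholder AWS prefix
    "cdn.example.test": "203.0.113.9",                    # placeholder Cloudflare prefix
    "raw.githubusercontent.com": "185.199.108.133",       # GitHub's own range
    "evil-bucket.blob.core.windows.net": "192.0.2.20",    # Azure PaaS by hostname
    "bulletproof.example.test": "198.18.0.5",             # in no list -> other
}


def hosting_shares(sample=SAMPLE, github_is_microsoft: bool = False) -> dict:
    """{provider: (count, percent)} over the sample, as in the table."""
    index = build_index()
    counts = Counter(attribute(d, ip, index, github_is_microsoft)
                     for d, ip in sample.items())
    total = sum(counts.values())
    return {prov: (n, round(100 * n / total, 2)) for prov, n in counts.most_common()}


if __name__ == "__main__":
    print("GitHub separate:", hosting_shares())
    print("GitHub as Microsoft:", hosting_shares(github_is_microsoft=True))
```

Resolving the A record rather than trusting the hostname is the step that catches attacker-owned apex domains parked on cloud addresses; the suffix table is what catches bucket and Pages abuse that sits behind a CDN edge.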
PART 3: "They Only Use GitHub LOL"
This is the spiciest part. The claim that attackers use GitHub is not just true; in 2025 it became an epidemic.
2025 GitHub Supply Chain Attacks
| Attack Name | Date | Impact | Method |
|-------------|------|--------|--------|
| Shai-Hulud | Sep 2025 | 500+ npm packages | Self-replicating worm via compromised maintainer accounts |
| Shai-Hulud 2.0 | Nov 2025 | 25,000+ repos | "Dead man's switch" data destruction threat |
| s1ngularity | Aug 2025 | 5,500 private repos exposed | Nx build system compromise |
| GhostAction | Sep 2025 | 817 repos, 3,325 secrets leaked | Malicious GitHub Actions workflows |
GitHub-Hosted Malware in Our Dataset
```
github.com                     (direct hosting)
raw.githubusercontent.com      (raw file hosting)
hzxcaq-github-io.pages.dev     (Cloudflare Pages sites named after GitHub Pages hosts)
maorunzhia-github-io.pages.dev
mt526-github-io.pages.dev
```
Why Attackers LOVE GitHub
1. Free hosting - No credit card needed
2. Trusted domain - `github.com` bypasses URL filters
3. CDN speed - `raw.githubusercontent.com` has global edge nodes
4. Legitimate traffic - Blends with real developer activity
5. Version control - Easy malware variant management
6. CI/CD access - GitHub Actions = free compute for attacks
Verdict: TRUE. GitHub is actively weaponized by threat actors. The platform's trust and ubiquity make it perfect for malware distribution.
PART 4: "Attack Visual Studio Supply Chains!"
This one hit home for me as a developer. The meme says "Visual Studio"; in practice the 2025 incidents were about VS Code and its extension marketplaces, and 2025 was brutal for VS Code.
GlassWorm: The Self-Spreading VS Code Worm
Discovered by Koi Security, GlassWorm is described as *"one of the most sophisticated supply chain attacks we've ever analyzed."* Reported capabilities:
• Steals NPM, GitHub, and Git credentials
• Drains funds from 49 cryptocurrency extensions
• Deploys SOCKS proxy servers
• Installs hidden VNC servers for remote access
• Self-propagates using stolen credentials
• Uses the Solana blockchain for C2 (there is no server to seize, so the C2 address cannot be taken down)
• Unicode steganography - malicious code is invisible in editors
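A scanner for the hiding technique in that last bullet, added here as an example (not Koi Security's or the author's tooling): it walks extension source, flags every code point that renders as nothing in an editor (including the Trojan Source bidi overrides), and recovers bytes packed into variation selectors. The byte-to-selector mapping is the public "emoji smuggling" scheme (0 to 15 onto U+FE00..U+FE0F, 16 to 255 onto U+E0100..U+E01EF); the page does not say which encoding GlassWorm uses, so the decoder is an assumption, and `SAMPLE_JS` is constructed.

```python
"""Flag invisible Unicode in extension source and recover bytes hidden in
variation selectors.

Added example, not Koi Security's or the page author's code.  The
byte-to-variation-selector mapping is the public "emoji smuggling" scheme
(0-15 -> U+FE00..FE0F, 16-255 -> U+E0100..E01EF); the page says GlassWorm
hides code in invisible Unicode but not which encoding, so the decoder is an
assumption.  SAMPLE_JS is constructed.
"""
from __future__ import annotations

# Code point ranges that render as nothing (or reorder text) in an editor.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F, "variation selector"),
    (0xE0100, 0xE01EF, "variation selector supplement"),
    (0x200B, 0x200D, "zero-width space/joiner"),
    (0x2060, 0x2064, "word joiner / invisible operator"),
    (0x202A, 0x202E, "bidi embedding/override"),   # Trojan Source
    (0x2066, 0x2069, "bidi isolate"),
    (0xFEFF, 0xFEFF, "zero-width no-break space (BOM)"),
]


def label_for(cp: int) -> str | None:
    for lo, hi, label in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return label
    return None


def scan_source(text: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, 'U+XXXX', label) for every invisible code point.
    A BOM at the very start of the file is legitimate and is skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if lineno == 1 and col == 1 and cp == 0xFEFF:
                continue
            label = label_for(cp)
            if label:
                findings.append((lineno, col, f"U+{cp:04X}", label))
    return findings


def encode_vs_payload(data: bytes) -> str:
    """Pack bytes into variation selectors (used here only to build the sample)."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_vs_payload(text: str) -> bytes:
    """Inverse of encode_vs_payload; every other character is ignored."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


HIDDEN = b"require('child_process')"   # constructed: what the selectors carry
SAMPLE_JS = (
    "\ufeffconst ok = true;\n"                                 # leading BOM: benign
    "const cfg = { mode: 'safe' }; " + encode_vs_payload(HIDDEN) + "\n"
    "// access check " + "\u202e" + " }; if (isAdmin) {\n"     # bidi override
)


def report(text: str = SAMPLE_JS) -> dict:
    """Summary a reviewer can act on: how many, where, what kind, and what
    the variation selectors decode to."""
    findings = scan_source(text)
    return {
        "findings": len(findings),
        "lines_flagged": sorted({f[0] for f in findings}),
        "labels": sorted({f[3] for f in findings}),
        "hidden_bytes": decode_vs_payload(text),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run against an unpacked `.vsix`, the useful signal is any finding at all on a `.js` line; legitimate source has no reason to contain variation selectors or bidi controls outside string literals, and even there they deserve a look.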
VS Code Marketplace Token Leak Discovery
• 550+ validated secrets leaked across 500+ extensions
• One token could push malware to a $30 billion Chinese mega-corp's entire workforce
Malicious Extensions: Bitcoin Black & Codo AI
• Stole saved passwords
• Drained cryptocurrency wallets
• Hijacked browser sessions
• Took screenshots
• Copied clipboard content
Verdict: TRUE. VS Code is a major supply chain attack vector. The marketplace's trust model has been repeatedly exploited.
The Math: Scoring the Original Claim
| Claim | Verdict | Confidence |
|-------|---------|------------|
| "Hackers LOVE Windows" | TRUE | 87.4% of platform-specific malware targets Windows |
| "Attackers HATE Azure" | TRUE | 0.00% of C2 infrastructure on Azure |
| "They only use GitHub" | PARTIALLY TRUE | GitHub weaponized, but not exclusive |
| "Attack Visual Studio supply chains" | TRUE | GlassWorm, 550+ leaked tokens, malicious extensions |
Overall Score: 83% TRUE (3.33/4 claims verified)
The Ultimate Irony: GitHub Is Microsoft
Here's the beautiful, brain-melting irony that makes this whole analysis chef's kiss:
GitHub is a Microsoft company.
Microsoft bought GitHub in 2018 for $7.5 billion. GitHub Actions' hosted runners already execute on Azure VMs, and GitHub has said it is moving the rest of its infrastructure onto Azure. So every single `raw.githubusercontent.com` malware download, every supply chain attack via npm, every poisoned VS Code extension is served from Microsoft-owned infrastructure, and increasingly from Azure itself.
So to summarize the attacker strategy:
| Their Infrastructure | Our Data Shows |
|---------------------|----------------|
| C2 servers | 0% on Azure (actively avoided) |
| Malware hosting | GitHub (Microsoft-owned, moving onto Azure) |
| Target | Windows (made by Microsoft) |
| Distribution | VS Code Marketplace (runs on Azure) |
They use Microsoft's platforms to attack Microsoft's customers while refusing to run their own operations on Azure.
• "Azure is too secure for my C2 server"
• "But Microsoft-owned GitHub is perfect for hosting my payloads"
This is like a bank robber refusing to store his getaway car at the police station, but parking it in the police station's public parking lot because it has better security cameras.
The Even Bigger Irony
Two Microsoft products, two very different attack surfaces:
• Windows: Legacy codebase, massive attack surface, third-party driver vulnerabilities, backwards compatibility requirements = EASY TARGET
• Azure: Modern architecture, zero-trust design, AI-powered threat detection, strict identity verification = HARD TARGET
The attackers figured this out. That's why they:
1. Target Windows endpoints
2. Host on AWS/Cloudflare/VPS
3. Distribute via GitHub
4. Compromise VS Code extensions
Sources
Supply Chain Attacks
- [Shai-Hulud npm Supply Chain Attack](https://unit42.paloaltonetworks.com/npm-supply-chain-attack/) - Palo Alto Unit 42
- [Shai-Hulud 2.0: 25K+ Repos Exposed](https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack) - Wiz
- [CISA Alert: Widespread npm Compromise](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem) - CISA
- [s1ngularity Supply Chain Attack](https://www.wiz.io/blog/s1ngularity-supply-chain-attack) - Wiz
Visual Studio Compromises
- [Supply Chain Risk in VS Code Marketplaces](https://www.wiz.io/blog/supply-chain-risk-in-vscode-extension-marketplaces) - Wiz
- [GlassWorm Malware Analysis](https://www.securityweek.com/supply-chain-attack-targets-vs-code-extensions-with-glassworm-malware/) - SecurityWeek
- [100+ VS Code Extensions Exposed](https://thehackernews.com/2025/10/over-100-vs-code-extensions-exposed.html) - The Hacker News
Raw Data
- DugganUSA Threat Intelligence Platform: 4,131 malicious domains analyzed
- ThreatFox API: Real-time IOC feeds
- URLhaus: Malware URL tracking
- Pattern 49: Small Business Brand Weaponization detection
*Patrick Duggan is the founder of DugganUSA LLC and creator of the PreCog Sweep threat intelligence engine. He finds Russian phishing farms before breakfast and is still unemployed.*
Free STIX 2.1 Feed: stix.dugganusa.com
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]