How Malware Authors Hunt Your Employees' Children on GitHub
- Patrick Duggan
- Jan 22
- 4 min read
The Kill Chain
Stage 1: Infrastructure Setup (April 2025)
A threat actor creates GitHub accounts in batches. We found 10 accounts created over 5 weeks, some just minutes apart:
| Date | Account | Time | Gap |
|---|---|---|---|
| Apr 2 | bickchampions0229 | 21:12:51 | |
| Apr 2 | stepastepan5603 | 21:21:30 | 9 min |
| Apr 3 | kiddoapln | 13:26:38 | |
| Apr 3 | bloodharvest7680 | 13:33:15 | 7 min |
Gaps of 7-9 minutes between account pairs are consistent with a single operator working through a checklist. Each account has zero followers, no bio, and exactly one purpose: distributing malware.
Stage 2: The Bait (Game Cheats)
Each account hosts a repository with a generic, apparently AI-generated name chosen to sound legitimate:
CosmicHaven
NebulaSpark
MysticWave
PhantomLynx
CelestialX
LunarScript
OrionHub
The repositories promise "Roblox Executors" - tools that let players run custom scripts in Roblox games. The target demographic: children ages 8-16.
Stage 3: Social Engineering (Trust Badges)
Every repository uses the same fake trust indicators: README badges (the "Trusted 100%" badge among them) rendered as static images, not live metrics from a badge service.
These badges are lies. They're static images, not verified metrics. But to a 12-year-old searching "free roblox executor 2025," they look authoritative. The README copy beneath them makes the same three promises in every repository:
"Lightning-fast execution"
"Advanced anti-ban protection"
"No malware, no hidden threats"
Stage 4: Centralized Payload Delivery
Here's where it gets interesting. All 10 repositories link to the same MediaFire folder:
`app.mediafire.com/hyewxkvve9m42`
Different accounts. Different repo names. One payload server. This is efficient distribution infrastructure: the front ends are disposable, and the back end is the one thing the operator has to maintain.
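The two pivots that tie Stage 1 and Stage 4 together (accounts created in bursts, repositories pointing at one download folder) are easy to automate once you have the account metadata and README text. The following is an added example, not code from the original post: the account timestamps mirror the Stage 1 table, but the README excerpts, the control account `somedev` and the 15-minute clustering window are constructed assumptions for the demonstration.

```python
"""Added example, not code from the original post: two of the pivots used to tie
the accounts above together. The account timestamps mirror the post's Stage 1
table; the README snippets and the control account are constructed for this
example, and the 15-minute clustering window is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account, creation time) as the post's table reports them.
ACCOUNTS = [
    ("bickchampions0229", "2025-04-02 21:12:51"),
    ("stepastepan5603", "2025-04-02 21:21:30"),
    ("kiddoapln", "2025-04-03 13:26:38"),
    ("bloodharvest7680", "2025-04-03 13:33:15"),
    ("somedev", "2025-04-10 09:00:00"),  # unrelated control account (constructed)
]

# Constructed README excerpts: three front ends pointing at one download folder,
# plus one ordinary repo that links nowhere of interest.
READMES = {
    "kiddoapln/CosmicHaven": "## Download\nhttps://app.mediafire.com/hyewxkvve9m42 (no malware, no hidden threats)",
    "bloodharvest7680/NebulaSpark": "Get it here -> app.mediafire.com/hyewxkvve9m42",
    "stepastepan5603/LunarScript": "[Download](https://app.mediafire.com/hyewxkvve9m42)",
    "somedev/utils": "pip install utils",
}

# Hosts worth pivoting on for this campaign: the MediaFire app folder and the
# goo.su shortener. Extend the alternation for other free-hosting services.
URL_RE = re.compile(r"(?:https?://)?((?:app\.)?mediafire\.com/[A-Za-z0-9]+|goo\.su/[A-Za-z0-9]+)")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def creation_clusters(accounts, window_minutes=15):
    """Group accounts whose creation times form a chain of gaps no longer than
    window_minutes; singletons are dropped. Returns a list of account-name lists."""
    if not accounts:
        return []
    rows = sorted((_parse(ts), name) for name, ts in accounts)
    clusters, current = [], [rows[0][1]]
    for (prev_t, _), (t, name) in zip(rows, rows[1:]):
        if t - prev_t <= timedelta(minutes=window_minutes):
            current.append(name)
        else:
            if len(current) > 1:
                clusters.append(current)
            current = [name]
    if len(current) > 1:
        clusters.append(current)
    return clusters


def shared_distribution_points(readmes):
    """Map each download path found in a README to the repos linking to it, keeping
    only paths shared by more than one repo. Returns {path: sorted repo list}."""
    by_url = defaultdict(set)
    for repo, text in readmes.items():
        for m in URL_RE.finditer(text):
            by_url[m.group(1)].add(repo)
    return {url: sorted(repos) for url, repos in by_url.items() if len(repos) > 1}


if __name__ == "__main__":
    print("accounts created in bursts:", creation_clusters(ACCOUNTS))
    print("shared payload links:", shared_distribution_points(READMES))
```

Feed `creation_clusters` the `created_at` field from the GitHub users API and `shared_distribution_points` the raw README of each candidate repository; a cluster of fresh accounts that all resolve to one download path is the signature this post describes, and the shared path is the IOC to block first.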
Stage 5: The Payload
The downloaded "executor" contains an infostealer. Based on similar campaigns, these typically harvest:
Browser saved passwords (including your corporate SSO)
Discord tokens (access to private servers, DMs)
Cryptocurrency wallets
Session cookies (bypass MFA)
Screenshots and keystrokes
Stage 6: Credential Markets (72 Hours Later)
Stolen credentials appear on markets such as Russian Market and 2easy within 72 hours (Genesis Market, once the best known of them, was seized by law enforcement in April 2023). Your employee's child downloaded a "Roblox hack." Three days later, an Initial Access Broker is selling:
Mom's work VPN credentials
Dad's Microsoft 365 session cookie
The family's banking passwords
Your enterprise compromise started with a game cheat.
The Fortnite Variant
We found a parallel campaign targeting Fortnite players with the same pattern:
| Account | Account Created | Repo Created | Delta |
|---|---|---|---|
| Keeithh | 16:03:16 | 16:09:44 | 6 min |
| mlikodnex | 12:19:37 | 12:21:33 | 2 min |
This campaign uses KeyAuth, a commercial application licensing and authentication service popular with cheat developers. Wired into a malware loader, it gives the operator a count of how many machines have run the payload and a channel to push updated builds remotely.
The download link (goo.su/beVuS) uses a URL shortener to evade content filters. By the time a school or corporate web filter updates its blocklist, the operator has rotated to a new shortener.
Why GitHub?
GitHub is trusted. It's where developers work. It's not blocked by most corporate and school firewalls.
When a child searches Google for "roblox executor github 2025," these repositories appear. GitHub's SEO authority makes malware discoverable. The professional README format makes it look legitimate.
The threat actors know this. That's why they're here instead of on sketchy download sites that would trigger every content filter.
What CISOs Need to Know
Your Employees' Home Networks Are Attack Vectors
Remote work means corporate credentials exist on home computers. Those computers are shared with children. Those children are being deliberately targeted.
This isn't hypothetical. The campaign we documented has been running since April 2025. The accounts are still active. The MediaFire folder is still live. Kids are downloading this right now.
The Infection-to-Compromise Timeline Is Short
| Hour | Event |
|---|---|
| 0 | Child downloads "Roblox executor" |
| 0.5 | Infostealer harvests all browser credentials |
| 1 | Credentials exfiltrated to C2 |
| 24 | Credentials packaged for sale |
| 72 | Your corporate credentials on Russian Market |
| 96 | Initial Access Broker sells access to ransomware affiliate |
MFA Doesn't Fully Protect You
Modern infostealers capture session cookies and refresh tokens, not just passwords. A replayed cookie presents an already-authenticated session, so the MFA challenge never fires; the attacker walks in behind a login your employee completed at home. Stronger MFA factors do not change this. What does is binding sessions to the device (token protection in conditional access, device-bound session credentials in the browser), short session lifetimes, and revoking every session for the account the moment an alert fires.
What CTOs Need to Know
This Is a Supply Chain Problem
Your developers use GitHub daily. Your security team trusts GitHub. But GitHub hosts malware that targets your employees' families, and those compromised home systems become your breach.
Detection Is Difficult
The malware doesn't run on your corporate network. The infection happens on a personal device. The first indication is often an impossible travel alert when someone logs in from Eastern Europe using a stolen session cookie.
The Economics Favor the Attacker
Creating 10 GitHub accounts costs nothing. Hosting payloads on MediaFire is free. The SEO benefits of GitHub are free. A single successful infection can yield credentials worth thousands on the black market.
Defensive Recommendations
For Security Teams
Monitor for impossible travel on corporate accounts - Session cookies stolen at home get used from attacker infrastructure
Implement conditional access policies - Require managed devices for sensitive applications
Deploy browser-based credential protection - Tools that detect when credentials are being harvested
Brief employees on home computer hygiene - Especially those with children
For IT Departments
Block MediaFire and similar file-sharing sites on managed devices
Consider DNS-level filtering that follows users home - Services like Cisco Umbrella or Cloudflare Gateway
Deploy endpoint protection that covers personal devices - Some enterprise licenses include family coverage
For Parents (Share This With Your Employees)
Treat game cheats as malware - If your child has downloaded a "hack" or "executor," assume the computer is compromised: reinstall it, and change every password saved on it from a clean device
GitHub is not automatically safe - Professional appearance doesn't mean professional software
Watch for these warning signs:
The IOCs
MediaFire Distribution Point: `app.mediafire.com/hyewxkvve9m42`
GitHub Repositories (account/repo):
kiddoapln/CosmicHaven
bloodharvest7680/NebulaSpark
numb69foolyou/MysticWave
bowtonimantana4/PhantomLynx
lumlumsspear/CelestialX
stepastepan5603/LunarScript
bickchampions0229/OrionHub
zevsroybendit/v10-Rlox-Exec-Utility
rexbrewinfiniti3/v5-Roblox-Execution-Engine
crossship337/v1-Roblox-Hack-Suite
Keeithh/fortnite-cheat
mlikodnex/fortnite-cheats-free
Erorl/Fortnite-External-Updatet
URL Shortener: `goo.su/beVuS`
The Bottom Line
Your perimeter security is irrelevant when the attack surface is your employee's 13-year-old looking for Roblox cheats.
This campaign has been running for 9 months. The accounts are still active. The payloads are still being served. And somewhere right now, a child is compromising their family's digital life because a fake "Trusted 100%" badge told them it was safe.
Security isn't just about your network. It's about the networks that touch your network. And those include every home where your employees work.
The threat actors understand this. Do you?
DugganUSA discovered this campaign on January 22, 2026. IOCs are available in STIX format at analytics.dugganusa.com/api/v1/stix-feed. We've reported all accounts to GitHub Security.
If you're a CISO dealing with a credential compromise that might trace back to a home computer infection, contact [email protected]. We can help you trace the kill chain.