DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Huawei Cloud: China's Global Attribution Laundering Network

Patrick Duggan
Dec 24, 2025
2 min read

Category: security

Christmas Eve. The SOC is quiet. Time to expose what we've been seeing.

The Pattern

Over the past 24 hours, our behavioral detection systems blocked 129 IP addresses. Nothing unusual there - we block hundreds daily. But when we analyzed the infrastructure, a pattern emerged that should concern every security professional.

Every single IP traced back to one company: Huawei.

The Geographic Distribution

| Country | Blocked IPs | Huawei ISP Variants | |---------|-------------|---------------------| | Hong Kong | 61 | Huawei-Cloud-HK, Huawei Cloud Hong Kong POP, Huawei HongKong Clouds | | Singapore | 55 | Huawei-Cloud-SG, Huawei Singapore Clouds, HUAWEI INTERNATIONAL PTE. LTD. | | Mexico | 12 | Huawei-Cloud-MX, HUAWEI INTERNATIONAL PTE. LTD. | | China | 1 | Huawei Public Cloud Service |

Read that again. One IP from mainland China. 128 from "neutral" countries.

The Tradecraft

This is textbook attribution laundering:

1. Hong Kong as Staging (61 IPs) - Close to mainland, Chinese jurisdiction, plausible as "just a cloud provider" 2. Singapore as Cover (55 IPs) - Neutral country, major financial hub, "we're just using AWS/Azure/Huawei like everyone else" 3. Mexico as Western Hemisphere Proxy (12 IPs) - Gets around geo-blocking of Asian IPs, different timezone for shift coverage 4. Mainland China (1 IP) - Just enough to maintain "we operate globally" narrative

The ISP Fragmentation

• Huawei-Cloud-SG

• Huawei Singapore Clouds

• Huawei Clouds Singapore

• HUAWEI INTERNATIONAL PTE. LTD.

Same infrastructure. Different strings. Makes correlation harder for defenders relying on exact-match blocklists.

Sample IOCs

• 119.12.174.128

• 119.13.87.195

• 119.13.89.201

• 119.8.234.102

• 101.44.160.187

• 101.44.160.231

• 101.44.161.135

• 110.238.105.111

• 149.232.128.182

• 149.232.128.220

• 149.232.132.25

• 46.250.161.12

What They're Hitting

• TA0043 - Reconnaissance (Active Scanning)

• TA0001 - Initial Access (Exploit Public-Facing Application)

Standard APT playbook. Probe for vulnerabilities on Christmas Eve when skeleton crews are manning the SOCs.

The Uncomfortable Truth

Huawei isn't just a telecom equipment vendor. Their global cloud infrastructure provides Chinese state actors with:

1. Plausible deniability - "It's just cloud customers, we can't control what they do" 2. Geographic diversity - Attack from Singapore, blame it on Singapore 3. Fragmented attribution - Different ISP strings make correlation difficult 4. Jurisdictional arbitrage - Data stored in friendly jurisdictions

Recommendations

1. Block Huawei Cloud ranges - All of them, all countries 2. Don't trust geography - A Singapore IP isn't necessarily Singaporean 3. Correlate ISP variations - "Huawei-Cloud-SG" and "Huawei Singapore Clouds" are the same thing 4. Holiday alerting - They know when you're not watching

Conclusion

One company. Four countries. 129 blocked IPs. One direct from China.

This isn't coincidence. This is infrastructure.

The STIX feed has the IOCs. The pattern is yours to verify.

Merry Christmas from Minnesota.

*All IOCs available via our STIX 2.1 feed at analytics.dugganusa.com/api/v1/stix-feed*

*DugganUSA LLC - Behavioral Threat Detection*

#huawei #attribution #china #atp #threatintel #christmas2025

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]