Larry Ellison's Two-Month Head Start (For the Attackers)
- Patrick Duggan
- Jan 8
- 4 min read
The Timeline (A Study in Negligence)
| Date | Event |
|---|---|
| July 10, 2025 | Suspicious HTTP traffic from 200.107.207.26 detected |
| August 9, 2025 | Active zero-day exploitation begins (Clop/FIN11) |
| August 2025 | File listings from victim EBS environments collected |
| September 29, 2025 | Mass extortion email campaign launches |
| October 2, 2025 | Oracle finally acknowledges "threat actors may have exploited" their software |
| October 3, 2025 | Exploit leaked on "SCATTERED LAPSUS$ HUNTERS" Telegram |
| October 4, 2025 | Oracle releases emergency patch |
| October 11, 2025 | Second patch for CVE-2025-61884 (they missed one) |
Let that sink in. 56 days from the first confirmed exploitation (August 9) to the October 4 patch; counted from the July 10 reconnaissance traffic it is 86 days. The exploit leaked publicly before Oracle shipped the fix.
And here's the kicker: CVE-2025-61884 (the second vulnerability) was discovered after the first patch. Oracle rushed out a fix and missed a related SSRF in Oracle Configurator. They patched that one a week later.
The Exploit Chain
For anyone who thinks "enterprise software" means "secure software":
```
ORACLE EBS EXPLOITATION CHAIN (CVE-2025-61882)

1. AUTHENTICATION BYPASS
   └── POST to /OA_HTML/SyncServlet
   └── No credentials required
   └── Bypasses all authentication

2. TEMPLATE INJECTION
   └── Create malicious XSL template
   └── Stored in XDO_TEMPLATES_B database table
   └── Template contains base64-encoded Java payload

3. CODE EXECUTION
   └── Trigger via /OA_HTML/OA.jsp?page=...TemplatePreviewPG
   └── Template "preview" executes arbitrary code
   └── Runs as "applmgr" account on EBS server

4. PERSISTENCE
   └── GOLDVEIN.JAVA downloader phones home
   └── SAGEGIFT → SAGELEAF → SAGEWAVE infection chain
   └── In-memory WebLogic filter injection
   └── AES-encrypted payloads via fake Oracle help URLs

5. PROFIT
   └── Data exfiltration
   └── Extortion emails to executives
   └── "Pay us or your data goes on CL0P DLS"
```
No authentication required. Just POST to a servlet and you're in.
The Scattered Spider Connection
Here's where it gets interesting. The exploit for CVE-2025-61882 was leaked on October 3, 2025 in a Telegram channel operated by—you guessed it—Scattered Lapsus$ Hunters.
The same group we've been writing about all day. The same group that hit ESA for 500GB of spacecraft data. The same group that got honeypotted by Resecurity.
The criminal ecosystem shares tools. Oracle zero-day drops in a Telegram channel, and suddenly every script kiddie with a Bitcoin wallet can extort Fortune 500 companies.
The Infrastructure Overlap
CrowdStrike identified that Clop reused infrastructure from their 2023 MOVEit campaign. Same adversary, same IPs, different zero-day.
GOLDVEIN.JAVA, the downloader used in this campaign, is a Java port of GOLDVEIN, the PowerShell downloader first observed in the Cleo MFT exploitation (December 2024). Same malware family, different enterprise software vendor.
This isn't sophisticated nation-state tradecraft. It's organized crime with a playbook:
Find zero-day in enterprise software
Exploit quietly for months
Exfiltrate data
Send extortion emails
Repeat with next vendor
The Victim List
Named so far:
Harvard University
University of Pennsylvania
Dartmouth College (40,000+ affected)
Michelin
Canon
Mazda
Estée Lauder
Broadcom
Sectors hit:
Finance
Manufacturing
Automotive
Logistics
Retail
Education
Energy
Professional services
103 organizations. 77 datasets already on torrent links. And this is just what we know about.
Why Enterprise Software Is a Liability
Oracle E-Business Suite isn't something you patch in an afternoon. It's:
Deeply integrated into business processes
Running on-premise in most cases
Customized to the point where patches are scary
"If it ain't broke, don't touch it" mentality
So when Oracle drops an emergency patch on October 4, organizations don't just click "update." They:
Review the patch
Test in staging
Schedule downtime
Pray nothing breaks
Apply the patch
Fix whatever broke
By the time most organizations patched, Clop had been inside for three months.
The Real Cost
This isn't about Larry Ellison's feelings. It's about:
40,000+ people whose Social Security numbers are now in criminal hands (Dartmouth alone).
Executives receiving extortion emails threatening to leak their company's data.
IT teams scrambling to patch systems they're terrified to touch.
CFOs deciding whether to pay ransom or watch their data appear on leak sites.
Oracle's market cap: $500 billion. Their patch timeline: 56 days.
Detection Guidance
If you're running Oracle EBS 12.2.3 through 12.2.14:
Check for malicious templates:
```sql
-- Attacker-created templates in this campaign used TEMPLATE_CODE values
-- starting with TMP or DEF; newest first so recent additions stand out.
SELECT * FROM XDO_TEMPLATES_B
 WHERE TEMPLATE_CODE LIKE 'TMP%' OR TEMPLATE_CODE LIKE 'DEF%'
 ORDER BY CREATION_DATE DESC;

-- The template bodies (the XSL carrying the embedded Java payload) live in XDO_LOBS.
SELECT * FROM XDO_LOBS ORDER BY CREATION_DATE DESC;
```
Hunt for exploitation attempts in web-tier access logs:
```
/OA_HTML/SyncServlet (POST requests)
/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG
/OA_HTML/configurator/UiServlet
```
Monitor for C2:
```
162.55.17.215:443
104.194.11.200:443
200.107.207.26
```
Check process trees: a Java process running as "applmgr" that spawns `bash -i` (or anything descended from it) is a compromise indicator.
IOCs
C2 Infrastructure:
```
162.55.17.215
104.194.11.200
200.107.207.26
161.97.99.49
```
Malicious Endpoints:
```
/OA_HTML/SyncServlet
/OA_HTML/configurator/UiServlet
/OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP*
/help/state/content/destination./navId.1/navvSetId.iHelp/
/support/state/content/destination./navId.1/navvSetId.iHelp/
```
Extortion Contacts:
```
[email protected]
[email protected]
```
Malware Hash:
```
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d (PoC exploit)
```
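Putting the Detection Guidance and the IOC list to work, here is a small log hunter I added for this post (my code, not something from the page, Oracle, or any of the cited vendors). It applies the endpoint, TemplateCode prefix and IP indicators above to Apache/OHS combined-format access logs. The sample log lines are constructed for the demo; every address in them other than the published IOC IPs is made up.

```python
"""Hunt Oracle EBS web-tier access logs for the CVE-2025-61882 chain.

Added example for this post (mine, not the page's or Oracle's code).
Assumes Apache/OHS "combined" access-log format. SAMPLE_LOG is constructed
for the demo; every address in it other than the published IOC IPs is made up.
"""
import re

# Published C2 / scanning addresses from the IOC section above.
IOC_IPS = {"162.55.17.215", "104.194.11.200", "200.107.207.26", "161.97.99.49"}

# One rule per stage of the chain, matched against "METHOD PATH?QUERY".
RULES = [
    # Stage 1: unauthenticated POST to SyncServlet (template creation).
    ("sync_servlet_post", re.compile(r"^POST /OA_HTML/SyncServlet(\?|$)")),
    # Stage 3: template "preview" that runs the planted XSL template.
    ("template_preview", re.compile(
        r"^(GET|POST) /OA_HTML/OA\.jsp\?\S*page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG")),
    # Related CVE-2025-61884 surface in Oracle Configurator.
    ("configurator_uiservlet", re.compile(r"^(GET|POST) /OA_HTML/configurator/UiServlet(\?|$)")),
    # Stage 4: fake Oracle help URLs used to reach the in-memory WebLogic filter.
    ("fake_help_path", re.compile(
        r"^(GET|POST) /(help|support)/state/content/destination\./navId\.1/navvSetId\.iHelp/")),
]
# Attacker-created template codes seen in this campaign start with TMP or DEF.
TEMPLATE_CODE = re.compile(r"[?&]TemplateCode=(TMP|DEF)", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def analyze_line(line):
    """Return the list of indicators matched by one access-log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    request = f"{m['method']} {m['path']}"
    reasons = [name for name, pat in RULES if pat.match(request)]
    if TEMPLATE_CODE.search(m["path"]):
        reasons.append("attacker_template_code")
    if m["ip"] in IOC_IPS:
        reasons.append("known_ioc_ip")
    return reasons


def hunt(lines):
    """Return (line_no, client_ip, status, indicators) for each flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = analyze_line(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((n, m["ip"], int(m["status"]), reasons))
    return hits


# Constructed sample: two normal requests plus three stages of the chain.
SAMPLE_LOG = """\
10.0.0.8 - - [09/Aug/2025:03:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
200.107.207.26 - - [09/Aug/2025:03:14:44 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312 "-" "python-requests/2.31"
200.107.207.26 - - [09/Aug/2025:03:14:52 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP1A2B3C HTTP/1.1" 200 8810 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2025:11:02:13 +0000] "GET /help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Aug/2025:11:03:00 +0000] "POST /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for line_no, ip, status, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {ip} status={status} -> {', '.join(reasons)}")
```

A lone `template_preview` hit can be an administrator legitimately previewing a BI Publisher template, so treat the TemplateCode prefix and a known IOC source address as the high-fidelity signals and the bare endpoint matches as triage leads. Point `hunt()` at the real OHS access logs (they rotate, so read all of them back to at least July 2025) rather than the constructed sample.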
The Pattern
| Vendor | CVE | Days to Patch | Victims |
|---|---|---|---|
| Progress (MOVEit) | CVE-2023-34362 | ~30 | 2,500+ organizations |
| Cleo | CVE-2024-50623 | ~21 | Unknown (ongoing) |
| Oracle (EBS) | CVE-2025-61882 | 56 | 103+ organizations |
Oracle takes the crown for slowest emergency response. Congratulations, Larry.
Sources
About DugganUSA: We publish free threat intelligence for the 99% who can't afford enterprise security. Our STIX 2.1 feed tracks 2,200+ blocked IPs with MITRE ATT&CK attribution. We also track how long it takes billion-dollar companies to patch critical vulnerabilities.
Her name is Renee Nicole Good.