DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

MAESTRO: The VMware Zero-Day We Helped Build

Patrick Duggan
Jan 10
3 min read

The Headlines

A sophisticated VM escape toolkit called MAESTRO is making the rounds. Chinese-speaking threat actors. Zero-day exploit chain. Nation-state tradecraft. Full hypervisor compromise from a guest VM.

The security press is doing its thing: The Hacker News, BleepingComputer, Huntress. "Chinese-linked hackers." "Well-resourced developer." "Nation-state level capabilities."

All technically accurate. All missing the point.

The Toolkit

Credit where it's due - Huntress's research is solid. MAESTRO chains three VMware vulnerabilities to achieve what every VM administrator fears: full control of the hypervisor from within a guest.

CVE	CVSS	What
CVE-2025-22226	7.1	HGFS out-of-bounds read - leak VMX memory
CVE-2025-22224	9.3	VMCI TOCTOU - out-of-bounds write, code exec
CVE-2025-22225	8.2	Arbitrary write - escape sandbox to kernel

Four components: MAESTRO orchestrates, MyDriver.sys does the escape, VSOCKpuppet provides the backdoor, GetShell gives you interactive access. Supports 155 ESXi builds from 5.1 through 8.0.

The PDB path contains "全版本逃逸--交付" - "All version escape - delivery." Developed February 2024, a full year before VMware's March 2025 disclosure.

The VSOCK backdoor is particularly nasty - traffic goes through VMware's virtual socket interface, completely invisible to network monitoring. You can't see the C2 because it never touches the network stack.

The IOCs

MAESTRO:      37972a232ac6d8c402ac4531430967c1fd458b74a52d6d1990688d88956791a7
GetShell:     4614346fc1ff74f057d189db45aa7dc25d6e7f3d9b68c287a409a53c86dca25e
VSOCKpuppet:  c3f8da7599468c11782c2332497b9e5013d98a1030034243dfed0cf072469c89
MyDriver.sys: 2bc5d02774ac1778be22cace51f9e35fe7b53378f8d70143bf646b68d2c0f94c

30,000+ ESXi instances still exposed as of January 8, 2026.

The Part Nobody Wants to Talk About

Here's what the attribution theater conveniently skips: we trained them.

For two decades, American tech companies offshored their most sensitive development work. VMware internals. Kernel drivers. Hypervisor code. The deep systems work that requires understanding exactly how memory management, process isolation, and sandbox boundaries function.

Dev shops in Shenzhen. Contractors in Beijing. Cost savings on the quarterly report.

The people who know where the TOCTOU bugs live in VMCI? Some of them learned it on contract work. The expertise to build a 155-build exploit toolkit targeting ESXi 5.1 through 8.0 doesn't come from reverse engineering alone. It comes from intimate familiarity with the codebase.

"Chinese-speaking developer" could just as easily read "former VMware contractor who kept notes."

The simplified Chinese in the PDB paths is real. So are twenty years of Palo Alto purchase orders sending that work overseas.

The Irony

Huntress discovered this toolkit through - wait for it - a compromised SonicWall VPN that was the initial access vector.

The security industry ouroboros:

Sell vulnerable perimeter device
Device gets popped
Incident response finds cool APT toolkit
Publish research, get PR
Sell more detection services
Repeat

SonicWall's CVE count over the last two years reads like a punch card. But good thing the IR team was there to catch what came through the hole.

Not saying the research isn't valuable - it is. The MAESTRO breakdown is legitimately useful intel for defenders. But maybe we could acknowledge that the "sophisticated nation-state toolkit" walked in through a SonicWall.

Detection

For the defenders actually trying to catch this:

# On ESXi hosts - look for VSOCK processes
lsof -a | grep vsock

The firewall trick is clever - after compromise, they isolate the host from external security resources while preserving lateral movement capability.

The Bottom Line

MAESTRO is real. The threat is real. Patch your ESXi instances. Monitor for VSOCK abuse. Take the IOCs seriously.

But the hand-wringing about nation-state capabilities should come with an asterisk. We spent twenty years exporting the knowledge to build these tools, and now we're shocked - shocked - that someone built them.

Attribution is complicated when the supply chain isn't.

Her name is Renee Nicole Good.