MLK Day Threat Sweep: The Arc of Cybersecurity is Long
- Patrick Duggan
- Jan 19
- 3 min read
CISA Deadline: MongoBleed is Due TODAY
CVE-2025-14847 (CVSS 8.7) - The "MongoBleed" vulnerability affecting MongoDB Server hit its CISA Known Exploited Vulnerabilities deadline today. Over 87,000 potentially vulnerable instances have been identified worldwide.
If you're running MongoDB and haven't patched, your holiday just got interrupted. Federal agencies were mandated to fix this by January 19, which is today. The rest of us should treat it as equally urgent.
Salt Typhoon: Still in the Walls
The FBI has officially called Salt Typhoon's telecommunications breach "the most egregious national security breach in U.S. history by a nation-state hacking group." That's not hyperbole from a security vendor trying to sell you something—that's the FBI.
New this month: Congressional emails compromised. House national security committee staff were targeted in activity detected in December. The breach appears to have originated from Salt Typhoon infrastructure.
The uncomfortable truth that security experts are now acknowledging publicly: many U.S. telecommunications firms may never fully evict these actors from their networks. "A house full of open windows," as CyberScoop put it.
HPE OneView Under Active Attack
CVE-2025-37164 scored a perfect 10.0 CVSS. Check Point tracked 40,000+ attack attempts in a single morning (January 7, between 05:45 and 09:20 UTC) delivering the RondoDox botnet.
If you're running HPE OneView, you needed to patch this two weeks ago. If you haven't, patch now and assume compromise: a patch closes the door, it does not evict a bot that already came through it, so hunt for RondoDox on those hosts rather than just updating them.
Supply Chain: The Worms are Learning
The Shai-Hulud campaign (yes, named after the Dune sandworms) represents an evolution in supply chain attacks:
- 2,349 credentials harvested from 1,079 developer systems
- 581 GitHub Personal Access Tokens stolen
- True worm behavior: infects packages during CI/CD builds and spreads automatically
This isn't spray-and-pray typosquatting anymore. These are targeted, credential-enabled, self-propagating attacks on the software supply chain. The attackers got initial access by phishing maintainers of chalk and debug—npm packages with billions of aggregate weekly downloads.
Your action item: Enable phishing-resistant MFA on all package registry accounts. Use trusted publishing instead of long-lived tokens. Set expiration dates on every token.
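A concrete pre-build check for the worm vector described above, added here as an example (it is not code from this post or from any of the projects named): parse `package-lock.json` for dependencies that npm flagged with `hasInstallScript`, the lockfile v2/v3 field meaning the package runs preinstall/install/postinstall on `npm ci`, fail on any package not on a reviewed allowlist, and report any long-lived `_authToken` line in `.npmrc`, which is exactly what a credential-harvesting postinstall reads. The allowlist contents, the sample lockfile and the sample token are constructed for the demo.

```python
"""Pre-build audit for the two things a CI-propagating npm worm relies on:
install-time lifecycle scripts (how it executes) and long-lived registry
tokens on disk (what it steals to republish itself). Offline; the sample
lockfile, .npmrc and allowlist below are constructed for the demo."""
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Assumption: packages you have reviewed and accept install scripts from.
# Native-addon builders are the usual legitimate entries.
ALLOWED_INSTALL_SCRIPTS = {"esbuild"}

# Matches the line npm writes when you `npm login` or paste a token:
#   //registry.npmjs.org/:_authToken=npm_...
TOKEN_RE = re.compile(r"^\s*//\S+?/:_authToken\s*=\s*(\S+)", re.MULTILINE)


def packages_with_install_scripts(lockfile_text):
    """Map package name -> version for every lockfile (v2/v3) entry that npm
    marked hasInstallScript, i.e. it runs preinstall/install/postinstall."""
    lock = json.loads(lockfile_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or not meta.get("hasInstallScript"):
            continue  # "" is the root project itself, not a dependency
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("version", "?")
    return found


def unexpected_install_scripts(lockfile_text):
    """Install-script packages that nobody has reviewed and allowlisted."""
    return {name: ver
            for name, ver in packages_with_install_scripts(lockfile_text).items()
            if name not in ALLOWED_INSTALL_SCRIPTS}


def long_lived_tokens(npmrc_text):
    """Redacted prefixes of registry auth tokens found in an .npmrc."""
    return [tok[:8] + "..." for tok in TOKEN_RE.findall(npmrc_text)]


def audit(project_dir):
    """Return (unexpected install-script packages, tokens on disk)."""
    project_dir = Path(project_dir)
    lock = (project_dir / "package-lock.json").read_text()
    npmrc = project_dir / ".npmrc"
    tokens = long_lived_tokens(npmrc.read_text()) if npmrc.exists() else []
    return unexpected_install_scripts(lock), tokens


# Constructed sample project: one allowlisted native builder, one plain
# library, one dependency that unexpectedly grew an install hook, and a
# token left behind by `npm login`.
SAMPLE_LOCK_TEXT = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-util": {"version": "2.4.1", "hasInstallScript": True},
    },
})
SAMPLE_NPMRC = "//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken1234567890\n"


def run_demo():
    """Write the constructed project to a temp dir and audit it."""
    with TemporaryDirectory() as tmp:
        Path(tmp, "package-lock.json").write_text(SAMPLE_LOCK_TEXT)
        Path(tmp, ".npmrc").write_text(SAMPLE_NPMRC)
        return audit(tmp)


if __name__ == "__main__":
    scripts, tokens = run_demo()
    for name, ver in scripts.items():
        print(f"UNREVIEWED install script: {name}@{ver}")
    for tok in tokens:
        print(f"long-lived token on disk: {tok} (use trusted publishing instead)")
    raise SystemExit(1 if scripts or tokens else 0)
```

Run it as a CI step before `npm ci`, or pair it with `npm ci --ignore-scripts` so the only install scripts that ever execute are the ones you have reviewed. With trusted publishing (OIDC from the CI provider, no stored secret) there is no token in `.npmrc` for the second check to find, which is the point of the recommendation.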
What We're Blocking
Our honeypot caught a cluster of IPs from Beijing Qihu Technology (360.cn) in the 101.198.0.x range over the past 24 hours:
| IP | AbuseScore | VT Detections | MITRE |
|---|---|---|---|
| 101.198.0.133 | 100 | 3 | T1190 |
| 101.198.0.135 | 100 | 4 | T1190 |
| 101.198.0.140 | 99 | 1 | T1190 |
| 101.198.0.141 | 100 | 3 | T1190 |
All attempting web application exploitation (T1190 - Exploit Public-Facing Application). These are now in our STIX feed and blocked at the edge.
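What "in our STIX feed and blocked at the edge" looks like mechanically, as an added example that is not the DugganUSA feed's own code: the four rows above parsed into STIX 2.1 indicator objects, each linked by an `indicates` relationship to a single T1190 attack-pattern object, plus the nftables set update that drops them. Plain JSON, no `stix2` dependency. The UUIDv5 namespace string, the `honeypot_block` set name and the `inet filter` table are assumptions for the demo.

```python
"""Honeypot hit table -> STIX 2.1 bundle + nftables block list. Offline."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Assumption: a fixed UUIDv5 namespace so the same IP always yields the same
# indicator id, which lets feed consumers de-duplicate across pulls.
FEED_NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/honeypot-feed")

# Technique names as given on the page; anything else falls back to the id.
TECHNIQUE_NAMES = {"T1190": "Exploit Public-Facing Application"}

# The table from the post, embedded verbatim as the sample input.
TABLE = """\
IP | AbuseScore | VT Detections | MITRE |
101.198.0.133 | 100 | 3 | T1190 |
101.198.0.135 | 100 | 4 | T1190 |
101.198.0.140 | 99 | 1 | T1190 |
101.198.0.141 | 100 | 3 | T1190 |
"""


def parse_rows(text):
    """Parse the pipe-separated table; header row is skipped, IPs validated."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        ip, abuse, vt, technique = [c.strip() for c in line.strip().strip("|").split("|")]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
        rows.append({"ip": ip, "abuse_score": int(abuse),
                     "vt_detections": int(vt), "technique": technique})
    return rows


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _id(kind, key):
    """Deterministic STIX id: <type>--<uuid5 of type:key>."""
    return f"{kind}--{uuid.uuid5(FEED_NS, f'{kind}:{key}')}"


def indicator(row, ts):
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": _id("indicator", row["ip"]),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": f"Honeypot exploitation attempt from {row['ip']}",
        "description": f"AbuseScore {row['abuse_score']}, "
                       f"{row['vt_detections']} VirusTotal detections",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{row['ip']}']",
        "pattern_type": "stix",
    }


def attack_pattern(technique, ts):
    return {
        "type": "attack-pattern", "spec_version": "2.1",
        "id": _id("attack-pattern", technique),
        "created": ts, "modified": ts,
        "name": TECHNIQUE_NAMES.get(technique, technique),
        "external_references": [{"source_name": "mitre-attack",
                                 "external_id": technique}],
    }


def relationship(ind, ap, ts):
    return {
        "type": "relationship", "spec_version": "2.1",
        "id": _id("relationship", f"{ind['id']}->{ap['id']}"),
        "created": ts, "modified": ts,
        "relationship_type": "indicates",
        "source_ref": ind["id"], "target_ref": ap["id"],
    }


def to_stix_bundle(rows, ts=None):
    """One indicator per IP, one attack-pattern per technique, linked."""
    ts = ts or _now()
    patterns, objects = {}, []
    for row in rows:
        ap = patterns.setdefault(row["technique"], attack_pattern(row["technique"], ts))
        ind = indicator(row, ts)
        objects += [ind, relationship(ind, ap, ts)]
    objects += list(patterns.values())
    return {"type": "bundle", "id": _id("bundle", ts), "objects": objects}


def nft_set_elements(rows, table="inet filter", set_name="honeypot_block"):
    """nft command adding the IPs to a drop set (table/set names assumed)."""
    ips = ", ".join(sorted((r["ip"] for r in rows), key=ipaddress.ip_address))
    return f"nft add element {table} {set_name} {{ {ips} }}"


if __name__ == "__main__":
    rows = parse_rows(TABLE)
    print(json.dumps(to_stix_bundle(rows), indent=2))
    print(nft_set_elements(rows))
```

The deterministic ids are what make re-publishing the same IP on the next pull an update rather than a duplicate object; the `nft` line assumes a set declared beforehand with `nft add set inet filter honeypot_block { type ipv4_addr; }` and a rule that drops matches against it.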
The Ransomware Beat
Two former cybersecurity professionals—Ryan Goldberg and Kevin Martin—pleaded guilty this month to serving as BlackCat/Alphv ransomware affiliates. They face up to 20 years in prison, with sentencing scheduled for March 12.
Meanwhile, the ransomware economy continues to grow: 8,000+ organizations claimed as victims in 2025, up from 6,000 the previous year. The most active groups: Qilin, Akira, Cl0p, Play, and SafePay.
Recent notable victims include Dartmouth College (40,000 people's SSNs exposed via Cl0p) and Brightspeed (1 million customers allegedly compromised).
From Minnesota
It's -17°C here in Minneapolis. The kind of cold where your nose hairs freeze when you step outside. The kind of cold that reminds you why firewalls matter—because some things need to stay out.
Dr. King's legacy isn't just about dreaming. It's about doing the work. Showing up. Staying vigilant. The threats don't take holidays, so neither does the watch.
Stay warm. Stay patched. Stay skeptical.
Patrick Duggan is the founder of DugganUSA LLC, a Minnesota-based threat intelligence company. The STIX feed mentioned in this article is available free at [analytics.dugganusa.com/api/v1/stix-feed](https://analytics.dugganusa.com/api/v1/stix-feed).
Her name is Renee Nicole Good.
