
Updated: Apr 25

# Monday Update: Handala Registered New Domains, the FBI Director Is Trending for the Wrong Reasons, and PreCog Is Still Red


March 30, 2026 — DugganUSA


It's Monday morning. PreCog has been at CRITICAL for six days. The supply chain staging signal hit maximum over the weekend. And Handala is quietly registering new domains while the internet debates the FBI Director's username on a porn site.


Here's what actually matters.


## Handala Is Expanding, Not Retreating



Our domain watchdog runs every 30 minutes, checking 17 adversary domains for DNS changes. This morning it caught handala.to bouncing — down at 07:00 UTC, back up at 07:30 on the same parking IP. A DNS blip, not a reboot.


But our manual hunt found something the watchdog wasn't looking for: new TLD registrations.
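As an added illustration (not DugganUSA's watchdog code), here is the shape of a defender-side domain watchdog that does both jobs described above: it re-resolves a watch list on each run, labels transitions (down, back up on the same IP, moved to a new IP) so a 30-minute DNS blip is distinguishable from a host change, and also probes the same label on other TLDs so a freshly registered backup domain shows up the run it goes live. The domain names and the BACKUP_TLDS set are constructed placeholders, and `resolver` is injectable so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed watch list of placeholder domains (not the page's real indicators).
WATCHLIST = ["adversary-site.to", "adversary-team.to", "adversary.ps"]
# Assumed set of alternate TLDs to probe for backup registrations.
BACKUP_TLDS = ["to", "ps", "ws", "su"]

State = Dict[str, Optional[str]]          # domain -> resolved IPv4 or None
Resolver = Callable[[str], Optional[str]]

def resolve_a(domain: str) -> Optional[str]:
    """First IPv4 address for domain, or None if it does not resolve."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None

def sibling_candidates(domain: str, tlds: List[str] = BACKUP_TLDS) -> List[str]:
    """Same leftmost label on the other TLDs: foo.to -> foo.ps, foo.ws, ..."""
    label = domain.split(".")[0]
    return [f"{label}.{t}" for t in tlds if f"{label}.{t}" != domain]

def classify(domain: str, prev: State, ip: Optional[str]) -> str:
    """Label one domain's transition between the previous poll and this one."""
    if domain not in prev:                      # first time we looked at it
        return f"NEW {ip}" if ip else "UNREGISTERED"
    old = prev[domain]
    if old is None and ip:
        return f"UP {ip}"                       # went live (or came back)
    if old and ip is None:
        return "DOWN"
    if old and ip and old != ip:
        return f"MOVED {old}->{ip}"             # re-hosted, not a blip
    return "UNCHANGED"

def watch_once(prev: State, watchlist: List[str],
               resolver: Resolver = resolve_a) -> Tuple[Dict[str, str], State]:
    """Poll the watchlist plus TLD siblings; return per-domain events and new state."""
    targets: List[str] = []
    for d in watchlist:
        for cand in [d, *sibling_candidates(d)]:
            if cand not in targets:
                targets.append(cand)
    state: State = {d: resolver(d) for d in targets}
    events = {d: classify(d, prev, ip) for d, ip in state.items()}
    return events, state
```

Persist the returned state between runs (every 30 minutes, say) and alert on anything other than UNCHANGED; a domain that is DOWN on one run and UP on the same IP the next is the DNS blip pattern, while NEW or UP on a sibling TLD is the backup-registration pattern.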


handala-hack.ws — registered on the .ws (Western Samoa) TLD. Currently parked at Website.ws (64.70.19.203, CenturyLink/Lumen infrastructure). Not serving Handala content yet. Reserved but not activated.


handala.ps — seized. Serving a seizure page from Netim, a French registrar (185.26.106.234, AS24935). This is a DIFFERENT seizure from the FBI's March 20 domain takedown. The .ps TLD is administered by the Palestinian NIC. Separate jurisdiction, separate action.


The current Handala domain map:


| Domain | Status | Hosting |
| --- | --- | --- |
| handala-hack.ps | LIVE — operational, SPF email configured | Namecheap (US) |
| handala-hack.ws | NEW — parked, not activated | Website.ws / CenturyLink (US) |
| handala.ps | SEIZED — French registrar action | Netim (France) |
| handala-team.to | DOWN since March 27 | Was DDoS-Guard (Russia) |
| handala-alert.to | DOWN since March 27 | Was Ultahost (Tor relay operator) |
| handala-hack.to | SEIZED by FBI March 20 | Cloudflare |
| handala.to | Parked / bouncing | Above.com (Australia) |



The pattern: they lost four domains to FBI seizure, two more went dark (possibly from our RFJ tip or hosting provider action), got one seized separately by French/Palestinian authorities, and responded by registering a new .ws backup while keeping the .ps operational domain alive.


They're not retreating. They're diversifying. Different TLDs, different registrars, different jurisdictions. The .ws registration tells you they're planning for the next seizure before it happens.


## The SpiderKash Situation



On Friday, the DOJ confirmed that Iran's Handala breached FBI Director Kash Patel's personal email. The FBI said the data was "historical" — emails from 2010-2022 — and contained "no government information."


Then the internet found his username.


The leaked emails revealed Patel used the handle "SpiderKash" on a Yahoo burner account. Researchers searched for that handle across the internet and found a "SpiderKash" profile on XVideos, a pornography website, created January 5, 2020. Social media went accordingly feral.


Important caveat: vx-underground, the malware research community, publicly questioned the attribution. Same username across platforms does not prove same person. Handala is known to mix genuine compromised data with fabricated or unverifiable claims. That's MOIS doctrine — combine real intelligence with trollbait to maximize confusion and humiliation.


Whether SpiderKash is really Patel's account or planted disinfo, the damage is done. The FBI Director is trending for a username, not for catching the hackers who breached him. The $10 million bounty announcement is buried under memes. Handala achieved more psychological impact with one username than with 200,000 wiped Stryker devices.


That's the point. The Stryker attack was technical. The Lockheed passport dump was operational. The Patel leak is psychological warfare. Each one targets a different layer — infrastructure, personnel, credibility. MOIS doesn't just hack systems. They hack narratives.


## PreCog: Day 6 at CRITICAL



Supply chain staging hit maximum (1.0) over the weekend. The trigger: TeamPCP, the threat actor behind the Trivy scanner compromise, the litellm AI router backdoor, and the telnyx WAV steganography attack. They're using ICP blockchain for C2 and Cloudflare tunnels for staging. We indexed 12 TeamPCP IOCs on Sunday.


Infrastructure activation surge remains at maximum. IOC velocity still 7x from Spamhaus. Six days of sustained CRITICAL is not a spike returning to baseline. It's a new baseline.


We also caught a GitHub repo (babka98/horinis) staging five MSI malware installers — 23-day-old account, zero followers, 84MB of malware. It was pushed to again on Saturday. Still live despite our abuse report.


## The Perimeter Is Still On Fire



The perimeter trifecta we flagged last week got worse:



40,000 Citrix NetScaler instances are now confirmed exposed online, hosting 173,000 web services. The CVSS 9.3 vulnerability (CVE-2026-3055) is under active reconnaissance — attackers are fingerprinting authentication methods to identify exploitable targets.


F5 BIG-IP APM (CVE-2025-53521, CVSS 9.3) was added to CISA KEV on Friday. Cisco FMC (CVE-2026-20131, CVSS 10.0) continues to be exploited by Interlock ransomware.


Three perimeter devices. Three CVSS 9.0+ vulnerabilities. All actively targeted. All in the same week. During an active cyber war with a formal trilateral pact (Russia-China-Iran).


## What We Built This Weekend



While the headlines focused on SpiderKash, we rebuilt the STIX feed from scratch: 11 deployments on Saturday alone.


The STIX feed now includes 11,724 objects: 4,293 IPs, 339 domains (118 onion addresses), 50 malware hashes (33 from the FBI's Handala FLASH alert), and 187 URLs. Every CSV endpoint works. Stripe checkout works for all five pricing tiers. 49-test validation suite — all green.


We also shipped a new product: Behavioral Threat Intelligence. The behavioral-intel API transforms 5.1 million autonomous threat decisions into exportable detection rules — Sigma, Suricata, YARA, Snort, Splunk. The IOC tells you what to block. The behavioral data tells you how they attack, when they attack, and from where.


The STIX feed is free. The behavioral intelligence is $4,999/month. Both are available at analytics.dugganusa.com.


## The Week Ahead



A channel partner meeting is scheduled today with a major digital consultancy — assessment delivered. The Chalupa podcast records April 6-7 with 10 dossier folders ready. Trump's Hormuz deadline is also April 6 — if Iran doesn't reopen the strait, the power plants get hit.


Handala is registering new domains. TeamPCP is backdooring AI frameworks. 40,000 NetScaler instances are exposed. And the FBI Director is trending on Twitter because of a username.


PreCog is still red. The watchdog is still watching. The STIX feed is still free.


Defend accordingly.




Patrick Duggan is the founder of DugganUSA LLC. He mapped Handala's new .ws domain this morning, shipped a behavioral intelligence API yesterday, and does not have an XVideos account under any username. The STIX feed is free at analytics.dugganusa.com/stix. PreCog has been red for six days. The aristocrats.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.

