Net Sweep: Salt Typhoon Hits Congress, CISA Adds Critical HPE Vuln
- Patrick Duggan
- Jan 10
- 3 min read
The Headlines
It's Friday. Let's see what the adversaries have been up to this week.
TL;DR: Salt Typhoon is reading Congressional emails. CISA added a CVSS 10.0 HPE vuln. Ransomware actors are making less money but attacking more. And a 17-year-old PowerPoint vulnerability is being actively exploited in 2026.
Salt Typhoon: Now Reading Congressional Mail
The Chinese state-sponsored threat actor known as Salt Typhoon compromised email systems used by staff members of powerful committees in the US House of Representatives.
- House China Committee
- Foreign Affairs
- Intelligence
- Armed Forces
China called the allegations "unfounded speculation" and "disinformation." The FBI has a $10 million bounty out for information on individuals associated with the group.
For context: Salt Typhoon has compromised 200+ companies across 80 countries according to an August 2025 FBI statement. They breached the Army National Guard. They're inside US telecommunications infrastructure so deeply that the government told officials to use end-to-end encrypted messaging.
This isn't a new threat. It's an ongoing compromise.
CISA KEV Updates
CISA added two vulnerabilities to the Known Exploited Vulnerabilities catalog on January 7, 2026:
| CVE | Product | CVSS | Deadline |
| --- | --- | --- | --- |
| CVE-2025-37164 | HPE OneView | 10.0 | Jan 28 |
| CVE-2009-0556 | Microsoft Office PowerPoint | 8.8 | Jan 28 |
That's right - a vulnerability from 2009 is being actively exploited. Seventeen years later. If you're running legacy PowerPoint, patch it.
The HPE OneView flaw allows remote unauthenticated users to perform remote code execution. CVSS 10.0. No authentication required. Full compromise.
- CVE-2025-14847 (MongoDB "Mongobleed") - deadline January 19
- CVE-2026-0625 (D-Link DSL routers) - CVSS 9.3, EOL devices, actively exploited
APT Activity Roundup
Russia: UAC-0184 targeting Ukrainian military via Viber with malicious ZIPs containing LNK files disguised as Word/Excel docs.
Pakistan: APT36 (Transparent Tribe) hitting Indian government and academic institutions with ReadOnly/WriteOnly malware via ZIP attachments disguised as PDFs.
Iran: MuddyWater deployed a new MuddyViper backdoor against Israeli organizations. Infy (Prince of Persia) - one of the oldest APTs dating to 2004 - is back and "still dangerous".
China: DarkSpectre compromised 8.8 million Chrome, Edge, and Firefox users through campaigns including ShadowPanda, Zoom Stealer, and GhostPoster.
Ransomware: More Attacks, Less Money
Ransomware actors made less money in 2025 despite a 47% increase in publicly reported attacks. Groups are responding by diversifying their business model into:
- DDoS-as-a-Service offerings
- Insider recruitment programs
- Gig worker exploitation
Recorded Future predicts 2026 will be the first year that new ransomware actors operating outside Russia outnumber those within it. The ecosystem is going global.
- CompactInd (US) - hit today by incransom
- Oltenia Energy Complex (Romania) - encrypted by Gentlemen group
- Sedgwick Government Solutions - TridentLocker claimed Dec 31
- Korean Air - Cl0p breach, 30K employee records
- Artisans' Bank / VeraBank - 1.35M customers exposed via vendor Marquis Software
Telecom sector attacks up 4x since 2022.
The Numbers
- 130,125 IOCs indexed
- 111,999 Oz decisions
- 2,457 OTX pulses
- 2,269 blocked IPs
Last update: Today, 17:45 UTC - added new indicators in the 101.198.0.x range.
Free STIX 2.1 feed: analytics.dugganusa.com/api/v1/stix-feed
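Consuming a feed like this means turning STIX 2.1 indicator objects into something a firewall or DNS resolver can act on. The following is an added example, not code from this newsletter or from the dugganusa feed, and it assumes only that the feed returns a standard STIX 2.1 bundle (a JSON object of type `bundle` with an `objects` array). The bundle below is constructed inline so the example runs offline; the addresses are documentation-range IPs and the domain is a placeholder. It skips revoked and expired indicators, rejects patterns whose IP literal does not parse, and emits a plain blocklist.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample STIX 2.1 bundle (not real feed output). IPs are from the
# documentation ranges (RFC 5737) and the domain uses the reserved .invalid TLD.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2026-01-10T17:45:00Z", "modified": "2026-01-10T17:45:00Z",
            "name": "constructed scanner IP", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "valid_from": "2026-01-10T17:45:00Z",
        },
        {
            # Expired indicator: valid_until is in the past relative to the test clock.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2025-12-01T00:00:00Z", "modified": "2025-12-01T00:00:00Z",
            "name": "constructed expired C2", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']",
            "valid_from": "2025-12-01T00:00:00Z", "valid_until": "2025-12-31T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2026-01-10T17:45:00Z", "modified": "2026-01-10T17:45:00Z",
            "name": "constructed phishing domain", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'example.invalid']",
            "valid_from": "2026-01-10T17:45:00Z",
        },
        {
            # Non-indicator SDO: must be ignored by the extractor.
            "type": "malware", "spec_version": "2.1",
            "id": "malware--00000000-0000-4000-8000-000000000005",
            "created": "2026-01-10T17:45:00Z", "modified": "2026-01-10T17:45:00Z",
            "name": "constructed loader", "is_family": False,
        },
    ],
})

# Match the comparison expressions STIX patterns use for IPv4 and domain observables.
IPV4_RE = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")
DOMAIN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")


def _parse_ts(value):
    """Parse a STIX timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_indicators(bundle_json, now_iso=None):
    """Return {'ipv4': set, 'domain': set} from live, non-revoked STIX indicators."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    ipv4, domains = set(), set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # only STIX pattern language is handled here
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            continue  # expired indicator, do not block on stale intel
        pattern = obj.get("pattern", "")
        for ip in IPV4_RE.findall(pattern):
            try:
                ipaddress.IPv4Address(ip)  # reject malformed literals
            except ValueError:
                continue
            ipv4.add(ip)
        domains.update(d.lower() for d in DOMAIN_RE.findall(pattern))
    return {"ipv4": ipv4, "domain": domains}


def render_blocklist(indicators):
    """Flatten extracted indicators into sorted 'type value' lines."""
    lines = [f"ip {ip}" for ip in sorted(indicators["ipv4"])]
    lines += [f"domain {d}" for d in sorted(indicators["domain"])]
    return lines


if __name__ == "__main__":
    # Fixed clock so the expired indicator above is filtered deterministically.
    print("\n".join(render_blocklist(extract_indicators(SAMPLE_BUNDLE, "2026-01-10T18:00:00Z"))))
```

Against a real feed, replace `SAMPLE_BUNDLE` with the HTTP response body and keep the `valid_until` check: blocklists built from intel that is never expired are how a 2025 indicator is still blocking a reassigned address in 2027.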
Bottom Line
Salt Typhoon isn't going away. They're reading Congressional emails while we debate sanctions. A 17-year-old PowerPoint vulnerability is being weaponized. Ransomware groups are adapting to reduced payouts by diversifying their business model.
The threat landscape continues to evolve faster than most organizations can respond. If you're not automating your threat intelligence consumption, you're already behind.
Stay frosty.
Her name is Renee Nicole Good.