One Account Starred Both Tools. That's How We Found the Network.
- Patrick Duggan
- Dec 19, 2025
- 4 min read
---
title: "Follow the Followers: We Found the GitHub Hydra Factory Minting Discord Stealers"
slug: github-hydra-factory-discord-stealer-network
date: 2025-12-19
author: Patrick Duggan
tags: [threat-intelligence, github, discord, malware, supply-chain, osint, pattern-38]
category: Threat Intelligence
featured: true
story_density_target: 120.9
---
December 19, 2025, 11:58 PM CST - Two hours after publishing our Mintlify correlation post, I'm following a hunch. If attackers are weaponizing the Discord XSS disclosure with phishing infrastructure, where's the tooling coming from?
I search GitHub for "discord token grabber" sorted by update time.
Three repos updated TODAY. December 19th. While I'm writing this.
Then I follow the followers. And find the hydra factory.
The Search That Started It
```bash
curl "https://api.github.com/search/repositories?q=discord+token+grabber&sort=updated"
```
• `RamenMaster69/Panther-Stealer` - updated 16:12 UTC
• `monarchical-runner473/Discord-Token-Grabber` - updated 16:07 UTC
• `emirhan20032003/discord-token-grabber` - updated 16:06 UTC
Active development. Right now. While Discord users are getting phished via `discord.flawing.top`.
But the real find was deeper.
phantom-stealer: The Go-Based Credential Harvester
Repository: `1rhino2/phantom-stealer`
Stars: 15 | Forks: 4
Language: Go
Updated: December 18, 2025
• Browser password extraction
• Crypto wallet theft
• Discord token grabbing
• Anti-analysis evasion techniques
Topics: `stealer`, `password-stealer`, `discord-token-grabber`, `malware`, `infostealer`
• `MBRWIPER` - Disk wiping malware
• `FakeCaptcha-main` - Social engineering tool
• `RhinoC2` - Command and control framework
• `RhinoWAF` - 48 stars, legitimate security tool (cover?)
But the stargazers list is where it gets interesting.
The Stargazers: A Who's Who of Malware Dev
I pulled the 15 accounts that starred phantom-stealer:
krevan76, LimerBoy, chennqqi, ipfans, muneebwanee, BHS404,
MRX8001, w3ltyyy, reversdev, userx-54, DistilledExcess,
ogkae, thepcholka, NecoArcCoder, UuF4bY
LimerBoy caught my eye. "Imperator Vladimir" from Ukraine.
• `Soviet-Thief` - Yandex browser password/credit card stealer (21 stars)
• `BadUSB_Downloader` - DigiSpark/RubberDucky payload delivery
• `SteamTokenDump` - Steam credential theft
• `AntiCrack-DotNet` - Anti-debugging/Anti-VM evasion
Bio: "Deus Vult"
But chennqqi was the real find.
chennqqi: The Nexus Account
Profile: https://github.com/chennqqi
Repos: 1,726 public repositories
Followers: 235 | Following: 477
Created: July 23, 2013
That's not a developer. That's an aggregator. Nobody maintains 1,726 repos. They're forking and collecting.
I checked what else chennqqi starred:
```bash
curl "https://api.github.com/users/chennqqi/starred?per_page=10"
```
• `IAmAntimalware` - Inject code into AV processes
• `DefenderWrite` - Write arbitrary files into AV folders
• `wx_key` - WeChat 4.0 database/image key stealer
• `VPGATHER` - User-mode memory fault detection (anti-debug)
Then I cross-referenced.
The Intersection: One Account, Two Tools
```bash
comm -12 \
  <(curl -s ".../phantom-stealer/stargazers" | jq -r '.[].login' | sort) \
  <(curl -s ".../IAmAntimalware/stargazers" | jq -r '.[].login' | sort)
```
Result: `chennqqi`
One account starred both the Discord token stealer AND the AV bypass tool.
That's not coincidence. That's operational infrastructure collection.
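The `comm -12` step above is the two-repository case of a general check: collect the stargazer lists for every repository of interest and report which accounts appear on several of them. The following is an added example, not the author's tooling. It parses JSON in the shape of GitHub's `/repos/{owner}/{repo}/stargazers` response (only the `login` field is used), generalizes the intersection to N repositories, and adds the page's "aggregator" heuristic on the `public_repos` count from `/users/{login}`. All repository names, logins and counts in the sample data are constructed; the helper names (`cross_reference`, `pairwise_intersection`, `flag_aggregators`) are this example's own.

```python
"""Stargazer cross-referencing for threat-intel pivoting.

Added example (not code from the original post).  Runs offline on
CONSTRUCTED sample data shaped like the GitHub REST API responses; to
run it live, replace the constants with paginated API results.
"""
import json
from collections import defaultdict

# Constructed stand-in for GET /repos/{owner}/{repo}/stargazers pages,
# keyed by repository full name.  Only "login" is consulted.
SAMPLE_STARGAZERS = {
    "example-dev/sample-stealer": json.dumps([
        {"login": "nexus-account", "id": 1},
        {"login": "dev-a", "id": 2},
        {"login": "random-user", "id": 3},
    ]),
    "example-dev/sample-av-bypass": json.dumps([
        {"login": "nexus-account", "id": 1},
        {"login": "operator-x", "id": 4},
    ]),
    "example-dev/sample-c2": json.dumps([
        {"login": "nexus-account", "id": 1},
        {"login": "dev-a", "id": 2},
    ]),
}

# Constructed stand-in for the "public_repos" field of GET /users/{login}.
SAMPLE_PROFILES = {
    "nexus-account": 1726,
    "dev-a": 12,
    "operator-x": 3,
    "random-user": 40,
}


def parse_logins(raw_json):
    """Extract login names from one stargazers API page (a JSON array)."""
    return [entry["login"] for entry in json.loads(raw_json) if "login" in entry]


def pairwise_intersection(stargazers_by_repo, repo_a, repo_b):
    """Equivalent of `comm -12` on two sorted login lists."""
    a = set(parse_logins(stargazers_by_repo[repo_a]))
    b = set(parse_logins(stargazers_by_repo[repo_b]))
    return sorted(a & b)


def cross_reference(stargazers_by_repo, min_repos=2):
    """Map each login to the repositories it starred, keeping only accounts
    that starred at least `min_repos` of them.  Results are ordered by
    breadth (most repositories first), then by login for stable output."""
    seen = defaultdict(set)
    for repo, raw in stargazers_by_repo.items():
        for login in parse_logins(raw):
            seen[login].add(repo)
    hits = {login: sorted(repos) for login, repos in seen.items()
            if len(repos) >= min_repos}
    return dict(sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def flag_aggregators(profiles, repo_threshold=1000):
    """The page's aggregator heuristic: an account with an implausibly
    large number of public repositories is collecting, not developing.
    `profiles` maps login -> public_repos count."""
    return sorted(login for login, count in profiles.items()
                  if count >= repo_threshold)


if __name__ == "__main__":
    print("pairwise:", pairwise_intersection(
        SAMPLE_STARGAZERS, "example-dev/sample-stealer", "example-dev/sample-av-bypass"))
    for login, repos in cross_reference(SAMPLE_STARGAZERS).items():
        print(f"{login}: starred {len(repos)} repos -> {repos}")
    print("aggregators:", flag_aggregators(SAMPLE_PROFILES))
```

Two practical notes when running this against the live API: stargazer endpoints are paginated (30 per page by default, up to 100 with `per_page`), so fetch every page before intersecting, and a single overlapping account is a lead to pull the profile on, not a conclusion; the `public_repos` count and account age are what turn the overlap into the aggregator call the post makes.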
IAmAntimalware: The AV Bypass Factory
Repository: `TwoSevenOneT/IAmAntimalware`
Description: "This tool helps inject code into the processes of Antivirus programs"
Stars: 78 | Forks: 15
Created: October 11, 2025
The author claims to be a "Security Researcher at ZeroSalarium.com" - a blog about EDR evasion.
Also maintains `DefenderWrite` - "Finding and abusing whitelisted programs to allow arbitrary file writing into the executable folder of Antivirus software".
78 people starred a tool for injecting code into antivirus processes. I pulled their usernames:
0xDemonCall, d0gkiller87, SantaLaMuerte, Cyberlobtomy,
ghoulsec, outmansec, wh6amiGit...
These aren't security researchers. These are operators.
The Network Visualization
```mermaid
graph TD
    subgraph "NEXUS"
        CHENNQQI["chennqqi<br/>1,726 repos | 2013<br/>⚠️ AGGREGATOR"]
    end
    subgraph "Developers"
        LIMERBOY["LimerBoy<br/>'Imperator Vladimir'<br/>Ukraine"]
        RHINO["1rhino2<br/>phantom-stealer"]
        TWOSEVEN["TwoSevenOneT<br/>ZeroSalarium"]
    end
    subgraph "Tools"
        PHANTOM["phantom-stealer<br/>Discord grabber"]
        SOVIET["Soviet-Thief<br/>Yandex stealer"]
        IAMAV["IAmAntimalware<br/>AV injection"]
    end
    subgraph "Dec 2025 Forks"
        F1["BabelQwerty - Dec 17"]
        F2["alhosane - Dec 11"]
        F3["x2x2x2xxxx2x2x2 - Dec 10"]
    end
    subgraph "Downstream"
        PHISH["discord.flawing.top<br/>101 IOCs"]
    end
    CHENNQQI -->|stars| PHANTOM
    CHENNQQI -->|stars| IAMAV
    LIMERBOY -->|stars| PHANTOM
    LIMERBOY -->|created| SOVIET
    RHINO -->|created| PHANTOM
    TWOSEVEN -->|created| IAMAV
    PHANTOM -->|forked| F1
    PHANTOM -->|forked| F2
    PHANTOM -->|forked| F3
    PHANTOM -.->|enables| PHISH
    style CHENNQQI fill:#ff0000,color:#fff
    style PHISH fill:#ff6600,color:#fff
```
The Timeline
| Date | Event |
|------|-------|
| Nov 9, 2025 | Mintlify XSS disclosed by @hackermondev |
| Dec 10, 2025 | phantom-stealer forked by x2x2x2xxxx2x2x2 |
| Dec 11, 2025 | phantom-stealer forked by alhosane |
| Dec 17, 2025 | phantom-stealer forked by BabelQwerty |
| Dec 17, 2025 | discord.flawing.top phishing captured |
| Dec 18, 2025 | vercel.app phishing captured |
| Dec 19, 2025 | 3 Discord token grabbers updated on GitHub |
| Dec 19, 2025 | DugganUSA identifies network via "follow the followers" |
38 days from disclosure to active phishing campaign.
9 days of accelerating fork activity on stealer tools.
Same day - token grabbers being updated while phishing domains are live.
What This Means
The Supply Chain
1. Developers create stealer/bypass tools (LimerBoy, 1rhino2, TwoSevenOneT)
2. Aggregators collect and curate (chennqqi with 1,726 repos)
3. Operators fork and deploy (BabelQwerty, alhosane, x2x2x2xxxx2x2x2)
4. Infrastructure gets stood up (discord.flawing.top)
5. Victims get phished (Discord users clicking fake blog links)
The Pattern
This is Pattern 38 again - the same supply chain attack pattern we documented in November with the GitHub follow-farm network.
Same aggregator behavior. Same fork-and-deploy pattern. Same timing correlation with public disclosures.
chennqqi appeared in BOTH investigations.
Reported to GitHub
• 5 accounts flagged for review
• 5 repositories violating ToS
• Network diagram with connections
• IOC correlation to active phishing
• Evidence queries for verification
Report saved: `compliance/evidence/github-reports/discord-stealer-network-2025-12-19.md`
The Query That Found It All
```bash
# Start with the tool
curl "https://api.github.com/search/repositories?q=discord+token+grabber&sort=updated"
```
Total API calls: ~15
Time to identify network: 45 minutes
Cost: $0
The Evidence Is Public
Discord phishing IOCs:
```bash
curl "https://analytics.dugganusa.com/api/v1/search?q=discord.flawing.top"
```
Vercel abuse IOCs:
```bash
curl "https://analytics.dugganusa.com/api/v1/search?q=vercel.app+phishing"
```
Full STIX feed:
```bash
curl "https://analytics.dugganusa.com/api/v1/stix-feed"
```
The Lesson
"Follow the followers" isn't just a social media strategy. It's threat intelligence methodology.
• @hackermondev found the vulnerability
• We found the downstream phishing (121 IOCs)
• Following the GitHub stargazers found the tooling supply chain
• Cross-referencing found the nexus account
One degree of separation between a Discord token stealer and an AV bypass tool. Same account starred both.
That's how you find the hydra factory.
*This post is Part 2 of the Mintlify correlation series. Part 1: We Watched Hackers Weaponize the Mintlify XSS in Real-Time*
*All evidence is queryable via our free API. Report submitted to GitHub security. Come at us with facts, not feelings.*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]