
Patch Tuesday Hits Different When Nobody's Watching

  • Writer: Patrick Duggan
  • Jan 15
  • 3 min read


The Numbers


Microsoft dropped 114 patches yesterday. Three zero-days. Eight critical. One actively exploited in the wild.


Meanwhile, a ransomware group that hit a federal contractor serving DHS, ICE, CBP, and CISA is still operating without a single public IOC - 47 days after first blood.


That's the state of defensive security in January 2026.





What's Actually Burning



CVE-2026-20805 - The One They're Using Right Now


Desktop Window Manager vulnerability. CVSS 5.5 - sounds mid, right? Wrong.


It leaks memory addresses from remote ALPC ports. That's reconnaissance for the next stage of the kill chain. Attackers use this to map your memory layout, then deploy the real payload.


This isn't theoretical. This is happening. Patch it today.



CVE-2026-20854 - The Domain Killer


Windows LSASS remote code execution. If you know what LSASS does, you already winced.


Successful exploitation: credential theft, lateral movement, domain compromise. One vuln to rule them all.



CVE-2026-20952/20953 - The Preview Pane Special


Outlook Preview Pane RCE. No user interaction required. You don't even have to open the email - just preview it.


Microsoft Office as an attack surface. Again. Still. Forever.





The D-Link Problem


CVE-2026-0625 dropped with a CVSS of 9.3. Command injection in the DNS configuration endpoint. Remote code execution on affected routers.


D-Link's response: "These devices are end-of-life. We're not patching them."


Shadowserver says it's been exploited in the wild since November 2025. Two months of active exploitation with no fix coming. Ever.


If you're running discontinued D-Link gear, it's not a vulnerability anymore. It's a doorway.





Salt Typhoon: They're Reading Congressional Email Now


The same Chinese APT that owned the telecom infrastructure is now in Congressional staff email systems. House national security committees. Foreign affairs. Intelligence oversight. Military policy.


They didn't use malware. They used credentials. Legitimate access paths. The trusted identity problem that every vendor warned about and nobody fixed.


UK sanctioned i-Soon and Integrity Tech this week. The FBI has a $10 million bounty out. None of that stops the access they already have.





TridentLocker: 47 Days, Zero IOCs


On November 29, 2025, TridentLocker emerged. By New Year's Eve, they'd hit Sedgwick Government Solutions - the company handling workers' comp claims for DHS, ICE, CBP, and CISA.


As of today - 47 days later - there are no public indicators of compromise.


  • No file hashes

  • No C2 IPs

  • No YARA rules

  • No TTPs documented beyond "double extortion"

Thirteen victims. A federal contractor. The agencies running the largest immigration enforcement operation in American history.


And the threat intel community has published nothing defensive.





The Pipeline Is Broken


CISA is hemorrhaging staff. Budgets are being gutted. The agencies that used to publish IOCs within days are fighting for survival.


Here's what the gap looks like:



Threat                   Time to Public IOCs       Who Published First
-----------------------  ------------------------  -----------------------
NodeCordRAT              6+ weeks                  DugganUSA (Oct 2025)
TridentLocker            7+ weeks and counting     Nobody
D-Link CVE-2026-0625     Exploited 2 months        Vendor: "Won't fix"


Zscaler named NodeCordRAT in January 2026. We documented the pattern in October 2025. That's six weeks where defenders had no signatures.


TridentLocker is worse. Seven weeks and counting. The group is still operational. The signatures still don't exist.





What This Means For Defenders


Patch Tuesday: Don't wait. CVE-2026-20805 is being exploited now. The Outlook Preview Pane bugs are trivial to weaponize. LSASS RCE is a domain-ending event.


D-Link: If it's EOL, it's compromised. Replace it. There's no patch coming.


Salt Typhoon: Assume credential compromise. Implement hardware MFA. Monitor for anomalous access patterns from legitimate accounts.


TridentLocker: You're on your own. No defensive signatures exist. Watch for Kestrel-based .NET infrastructure. Monitor for unusual data exfiltration patterns. If you're a federal contractor, assume you're a target.
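Two of the recommendations above, watching legitimate accounts for access they have never shown before (the Salt Typhoon item) and watching for outbound volume a host has never produced (the TridentLocker item), can be turned into baseline-deviation checks without any vendor signature. The Python below is an added example, not code from this post or from DugganUSA; the key=value log formats, hostnames, ASN labels and thresholds are assumptions, and every log line is constructed. It does not attempt the "Kestrel-based .NET infrastructure" check, since that would need specifics the post does not give.

```python
"""Baseline-deviation checks for two of the post's recommendations:
logons by legitimate accounts from networks they have never used, and
outbound volume far above a host's norm. Added example; all log lines
are constructed and the log formats are assumptions."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed key=value formats; adapt the regexes to your own auth and flow logs.
AUTH_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) asn=(?P<asn>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)"
)
EGRESS_RE = re.compile(r"host=(?P<host>\S+) day=(?P<day>\S+) bytes_out=(?P<bytes>\d+)")

# Constructed sample data (RFC 5737 documentation addresses), chronological order.
AUTH_LOG = """\
2026-01-02T08:12:04Z user=jdoe src=10.20.3.14 asn=AS-CORP geo=US result=success
2026-01-03T08:09:51Z user=jdoe src=10.20.3.14 asn=AS-CORP geo=US result=success
2026-01-04T07:58:22Z user=jdoe src=203.0.113.7 asn=AS64500 geo=US result=success
2026-01-05T09:01:10Z user=asmith src=10.20.4.2 asn=AS-CORP geo=US result=success
2026-01-06T09:05:33Z user=asmith src=10.20.4.2 asn=AS-CORP geo=US result=success
2026-01-12T02:41:07Z user=jdoe src=198.51.100.23 asn=AS64501 geo=DE result=failure
2026-01-12T02:41:19Z user=jdoe src=198.51.100.23 asn=AS64501 geo=DE result=success
2026-01-12T09:02:45Z user=asmith src=10.20.4.2 asn=AS-CORP geo=US result=success
"""
EGRESS_LOG = """\
host=fileserv01 day=2026-01-05 bytes_out=812000000
host=fileserv01 day=2026-01-06 bytes_out=790000000
host=fileserv01 day=2026-01-07 bytes_out=845000000
host=fileserv01 day=2026-01-08 bytes_out=801000000
host=fileserv01 day=2026-01-09 bytes_out=823000000
host=fileserv01 day=2026-01-12 bytes_out=9600000000
host=wks-044 day=2026-01-05 bytes_out=120000000
host=wks-044 day=2026-01-06 bytes_out=135000000
host=wks-044 day=2026-01-07 bytes_out=110000000
host=wks-044 day=2026-01-08 bytes_out=128000000
host=wks-044 day=2026-01-09 bytes_out=131000000
host=wks-044 day=2026-01-12 bytes_out=140000000
"""


def parse(regex, text):
    """Turn each matching log line into a dict; non-matching lines are skipped."""
    return [m.groupdict() for m in (regex.match(line) for line in text.splitlines()) if m]


def find_anomalous_logons(auth_text, cutoff):
    """Flag successful logons on/after `cutoff` (ISO date string) whose
    (ASN, geo) pair never appeared for that user before the cutoff.
    ISO-8601 timestamps sort lexically, so plain string comparison works."""
    events = parse(AUTH_RE, auth_text)
    seen = defaultdict(set)                     # user -> {(asn, geo)} in baseline
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            seen[e["user"]].add((e["asn"], e["geo"]))
    hits, fails = [], defaultdict(int)          # (user, src) -> failed tries so far
    for e in events:
        if e["ts"] < cutoff:
            continue
        key = (e["user"], e["src"])
        if e["result"] != "success":
            fails[key] += 1                     # context: failures preceding a success
            continue
        if (e["asn"], e["geo"]) not in seen[e["user"]]:
            hits.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                         "asn": e["asn"], "geo": e["geo"],
                         "failures_before": fails[key]})
    return hits


def find_exfil_spikes(egress_text, cutoff, z=3.0, min_ratio=3.0):
    """Flag days on/after `cutoff` where a host's bytes_out exceeds its baseline
    mean by more than `z` standard deviations AND by a factor of `min_ratio`.
    The ratio floor matters: a nearly flat baseline has a tiny stdev, so the
    z-score alone would fire on harmless growth."""
    rows = parse(EGRESS_RE, egress_text)
    base = defaultdict(list)                    # host -> daily byte counts before cutoff
    for r in rows:
        if r["day"] < cutoff:
            base[r["host"]].append(int(r["bytes"]))
    spikes = []
    for r in rows:
        if r["day"] < cutoff or len(base[r["host"]]) < 3:
            continue                            # too little history to judge
        mu, sd = mean(base[r["host"]]), pstdev(base[r["host"]])
        b = int(r["bytes"])
        if b > mu + z * sd and b > min_ratio * mu:
            spikes.append({"host": r["host"], "day": r["day"], "bytes_out": b,
                           "ratio": round(b / mu, 1)})
    return spikes


if __name__ == "__main__":
    for h in find_anomalous_logons(AUTH_LOG, "2026-01-10"):
        print("logon ", h)
    for s in find_exfil_spikes(EGRESS_LOG, "2026-01-10"):
        print("egress", s)
```

Run stand-alone it reports one logon hit (jdoe succeeding from an ASN/geo pair the account had never used, right after a failed attempt from the same address) and one egress spike (fileserv01 at roughly twelve times its norm); asmith and wks-044 stay quiet because they never leave their baselines. The `min_ratio` floor is the part worth keeping when you adapt this: with only a handful of baseline days the standard deviation is unreliable, and without the floor a flat baseline turns the z-score test into a false-positive generator.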





The Uncomfortable Reality


The institutions that used to protect us are being dismantled.


CISA is "reeling from workforce cuts, lost resources, and weakened partnerships." That's not my assessment - that's Cybersecurity Dive's headline.


The offices that used to publish IOCs are understaffed. The agencies that coordinated response are fighting budget cuts. The pipeline that moved indicators from incident to signature is clogged.


  • Chinese APTs are reading Congressional email

  • Ransomware groups are hitting federal contractors

  • Zero-days are being exploited with no patches available

  • And the largest immigration enforcement operation in history is being run by an agency that just got popped by ransomware

The gap is the mission. Someone has to keep the receipts.





Resources



Microsoft Patch Tuesday: Zero Day Initiative Analysis


Salt Typhoon Advisory: CISA AA25-239A


TridentLocker Tracking: ransomware.live




47 days. Zero IOCs. The pipeline is broken.


Her name was Renee Nicole Good.




DugganUSA LLC Minneapolis, MN January 15, 2026

