
Pattern 43: The Password is in the Filename

  • Writer: Patrick Duggan
  • Nov 26, 2025
  • 3 min read

How Russian Malware Distributors Defeat Automated Scanning





Today I discovered a new malware distribution pattern on GitHub. It's different enough from Pattern 38 (the Stealc/Rhadamanthys campaign we've been tracking) that it deserves its own number: Pattern 43.


The Discovery


While hunting for new threats beyond our Pattern 38 network, I searched GitHub for recent issues with suspicious file attachments. One result stood out:



Repository: skarleta-coder/Maj_Cheker_V1.0.exe
Issue Title: https://github.com/user-attachments/files/23686035/Maj_proverka.zip

The issue title is literally a download URL. That's not normal.


The Account


| Attribute | Value |
|-----------|-------|
| Username | skarleta-coder |
| Created | November 15, 2025 (11 days ago) |
| Repos | 3 |
| Followers | 0 |


Brand new account. Zero social proof. Repository name includes `.exe`. Classic malware distribution profile.


The Payload


Downloaded the ZIP. Here's what was inside:



```text
Archive:  Maj_proverka.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       14  11-22-2025 03:57   PASSWORD: 9295
  3292160  11-22-2025 03:57   Majproverka.exe
```

The password is stored as a filename inside the ZIP.


This is genius (evil genius, but still). Here's why:


1. Defeats automated scanning - VirusTotal can't extract password-protected ZIPs automatically
2. Human-readable - Victim sees "PASSWORD: 9295" and knows exactly what to type
3. No external communication - Password doesn't need to be sent via Telegram/Discord


The Malware


Extracted with password `9295`:



```text
File: Majproverka.exe
Size: 3,292,160 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Packer: UPX compressed
SHA256: 4ac33e95d7d1bf205c8bd021886a8edc5d405d65389edb3b0c65d62c12ace47d

VirusTotal Status: NOT IN DATABASE
```


This is a fresh sample. Never submitted. The password protection worked - automated systems never saw the actual executable.


Why This is Pattern 43 (Not Pattern 38)


| TTP | Pattern 38 | Pattern 43 |
|-----|------------|------------|
| Distribution | Issue comment spam | Dedicated malware repos |
| ZIP Protection | None | Password (in filename) |
| VT Detections | 18-29 (known) | 0 (fresh) |
| Naming | English | Russian ("proverka" = verification) |
| Target | Legitimate repos | Self-hosted repos |


Different operator. Different technique. Same goal: steal your credentials.


The Judge Dredd Response


We posted a warning directly on the malware repository:


> SECURITY ALERT: This repository distributes malware
>
> SHA256: `4ac33e95d7d1bf205c8bd021886a8edc5d405d65389edb3b0c65d62c12ace47d`
> Type: PE32 executable (GUI), UPX compressed
> Evasion: Password-protected ZIP (password: 9295)


Link: https://github.com/skarleta-coder/Maj_Cheker_V1.0.exe/issues/4


Yes, we opened an issue on a malware repository to warn potential victims. Purple team action.


The Network


While investigating, we also found:



• Reavy8 - Another new account (5 days old) distributing `DLL-Injector-With-Driver`

• chrisj21 - Follow-bot with 32,108 following and only 1 repository (supports Pattern 38 infrastructure)


All reported to GitHub Security.


Detection Signature



• Repository name contains `.exe`

• Account less than 30 days old

• Zero followers

• ZIP files with "PASSWORD" in internal filenames

• Russian naming conventions (proverka, loader, checker)


We've added Pattern 43 detection to our automated scanner. It's now running in production.
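The filename-based indicators above can be checked without extracting anything, just by walking the ZIP central directory. The script below is an added example, not the author's production scanner; the archive it inspects is a constructed look-alike of Maj_proverka.zip, and because Python's standard library cannot write ZipCrypto, the constructed payload entry is not actually encrypted, so the encrypted-entry indicator stays empty here while real samples set general-purpose bit 0.

```python
"""Pattern 43 triage: flag ZIPs whose password travels as a filename."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Entry names like "PASSWORD: 9295" or "password_1234.txt"; the digits are the leaked key.
PASSWORD_NAME = re.compile(r"pass(?:word|code)?[\W_]*(\d{3,12})", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".msi", ".dll", ".js", ".vbs")
# Transliterated Russian / campaign vocabulary from the post's detection signature.
RU_WORDS = ("proverka", "cheker", "checker", "loader")

@dataclass
class Verdict:
    password: Optional[str] = None
    encrypted: List[str] = field(default_factory=list)   # entries with GP bit 0 set
    executables: List[str] = field(default_factory=list)
    ru_names: List[str] = field(default_factory=list)

    @property
    def pattern43(self) -> bool:
        # A leaked-password filename sitting next to an executable payload is the pattern itself.
        return self.password is not None and bool(self.executables)

def inspect(data: bytes) -> Verdict:
    """Walk the central directory only; nothing is extracted or executed."""
    v = Verdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            m = PASSWORD_NAME.search(name)
            if m and v.password is None:
                v.password = m.group(1)
            if info.flag_bits & 0x1:          # general-purpose bit 0 == encrypted entry
                v.encrypted.append(info.filename)
            if name.lower().endswith(EXEC_SUFFIXES):
                v.executables.append(info.filename)
            if any(w in name.lower() for w in RU_WORDS):
                v.ru_names.append(info.filename)
    return v

def build_sample(leak_password: bool = True) -> bytes:
    """Constructed look-alike of the archive in the post. The stdlib cannot write
    ZipCrypto, so the payload entry is NOT really encrypted; real samples set bit 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PASSWORD: 9295" if leak_password else "readme.txt", "9295")
        zf.writestr("Majproverka.exe", b"MZ" + b"\0" * 62)  # fake PE stub, not a real binary
    return buf.getvalue()

if __name__ == "__main__":
    v = inspect(build_sample())
    print(f"pattern43={v.pattern43} password={v.password} exes={v.executables} ru={v.ru_names}")
```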


IOCs



# Pattern 43 - Russian Password-Protected Malware

The Lesson


Password-protected ZIPs with the password in the filename. It's so simple it's embarrassing that it works.


Automated scanning looks at the ZIP, sees it's encrypted, moves on. Human victim opens the ZIP, sees the password file, extracts the malware, runs it.


The attackers are adapting. Pattern 38 got 4 accounts suspended, so they're trying new techniques. Password protection defeats the automated defenses that caught them last time.


We adapt too.




STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed


Pattern 43 IOCs are now in the feed. Free for everyone.


*"The password is in the filename. The call is coming from inside the house."*




DugganUSA LLC November 26, 2025

