Return of the ANUSFRAGGER: Closing the China Cycle
- Patrick Duggan
- Dec 12, 2025
- 3 min read
The Soundtrack
The Saga
It started November 23, 2025.
A GitHub account called `FireSuper` responded to a brand new issue on CleansheetLLC in 45 seconds. Not 45 minutes. Forty-five seconds. With a ZIP file and the message "This should be the fix."
No human can read an issue, understand the problem, create a fix, zip it, upload it, and post a comment in 45 seconds. This was automation. This was Pattern 38.
We caught it. We documented it. We thought it was an isolated incident.
Then we found `anuxagfr`.
The ANUSFRAGGER
While investigating FireSuper, we discovered another sleeper account that had activated the same day: `anuxagfr`.
This one didn't hit one repo. It hit thirteen. In nineteen minutes.
• `microsoft/vscode` (136M downloads/month)
• `GrapheneOS/os-issue-tracker` (privacy-focused Android)
• `terraform-ibm-modules` (IBM cloud infrastructure)
• And ten more
Same pattern. Same 104-day dormancy. Same AI-generated bio. Same "This should solve the problem" messages with malware ZIPs.
But the username... the username was special.
The Decode
| Layer | Interpretation |
|-------|----------------|
| Cover Story | ANUX (Linux/Unix variant) + AGFR (AggreGate Flexible Driver - ICS/SCADA software) |
| Target Profile | Industrial control systems developers |
| Actual Meaning | ANUSFRAGGER |
They left a crude insider joke in their attack infrastructure. A cultural signature. A calling card that said "we know you'll find this eventually, and we think it's funny."
We found it. We didn't think it was funny. We thought it was *useful*.
The Pattern Emerges
After ANUSFRAGGER, we started seeing the whole picture:
| Account | Status | Attack Style |
|---------|--------|--------------|
| FireSuper | ✅ SUSPENDED | 45-second bot, single target |
| anuxagfr (ANUSFRAGGER) | ✅ SUSPENDED | Mass attack, 13 repos in 19 min |
| rampubg14-cmyk | ✅ SUSPENDED | Sleeper account |
| nicaborin | ✅ SUSPENDED | Early malware distributor |
| winchmrsmilegodsgf | ✅ SUSPENDED | MrSmile malware family |
| zhu-bie | ✅ SUSPENDED | 3 crack repos in 3 days |
Six accounts. All suspended. All Chinese operational patterns.
Then Came the Watchers
December 5-12, 2025. Seven days of unusual traffic.
289 requests from 46 unique IPs. All Huawei Cloud (AS136907). All reading our Chinese APT blog posts. All consuming the STIX feed that burns their operations.
They weren't customers. They were countersurveillance.
• 20 servers in Singapore
• 20 servers in Mexico City (latency optimization for Minnesota surveillance, how thoughtful)
• 6 servers in Hong Kong
• `www.hwawei.com` - Huawei typosquat, updated 9 days before we caught them
• `mail003.cissp.or.id` - Fake CISSP certification phishing domain
We blocked all 46.
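The triage behind "289 requests from 46 IPs, all one ASN, all reading the APT posts and the STIX feed" is an aggregation job: group web-server requests by origin ASN, measure how concentrated each ASN's traffic is on threat-intel content, and emit a block list only when many distinct IPs from one network behave the same way. The script below is an added example, not DugganUSA's tooling. The log lines, the prefix-to-ASN table (RFC 5737 documentation ranges, which are not Huawei's real allocations) and the thresholds are all constructed for the example; AS136907 and the `/blog/` and `/api/v1/stix-feed` paths are the only values taken from the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Apache/nginx "combined" log format; only the client IP and request path matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed prefix -> ASN table. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges, NOT Huawei's real allocations; AS136907 is reused only
# because the post names it. A real deployment would query a routing-table dump or a
# GeoIP-style ASN database instead of this list.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), 136907, "Huawei Cloud (constructed mapping)"),
    (ip_network("198.51.100.0/24"), 64496, "example ISP A (constructed)"),
    (ip_network("192.0.2.0/24"), 64497, "example ISP B (constructed)"),
]

# The content the watchers were pulling, per the post: blog posts and the STIX feed.
WATCHED_PREFIXES = ("/blog/", "/api/v1/stix-feed")

# Constructed access-log lines (not the site's real logs): three IPs from one ASN
# hammer the watched paths, one legitimate single-IP feed subscriber, one casual visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Dec/2025:03:14:01 +0000] "GET /blog/pattern-38-github-supply-chain-sleeper-accounts HTTP/1.1" 200 18342
203.0.113.11 - - [06/Dec/2025:03:14:02 +0000] "GET /blog/pattern-38-github-supply-chain-sleeper-accounts HTTP/1.1" 200 18342
203.0.113.12 - - [06/Dec/2025:03:14:03 +0000] "GET /api/v1/stix-feed HTTP/1.1" 200 91233
203.0.113.10 - - [06/Dec/2025:03:15:01 +0000] "GET /api/v1/stix-feed HTTP/1.1" 200 91233
203.0.113.11 - - [06/Dec/2025:03:15:02 +0000] "GET /api/v1/stix-feed HTTP/1.1" 200 91233
203.0.113.12 - - [06/Dec/2025:03:15:03 +0000] "GET /blog/we-found-their-server-pattern-38-c2-infrastructure-exposed HTTP/1.1" 200 20011
198.51.100.7 - - [06/Dec/2025:04:00:00 +0000] "GET /api/v1/stix-feed HTTP/1.1" 200 91233
198.51.100.7 - - [06/Dec/2025:05:00:00 +0000] "GET /api/v1/stix-feed HTTP/1.1" 304 0
192.0.2.5 - - [06/Dec/2025:06:12:44 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.5 - - [06/Dec/2025:06:12:45 +0000] "GET /about HTTP/1.1" 200 3300
""".splitlines()


def asn_of(ip: str) -> Optional[int]:
    """Longest-prefix lookup is unnecessary here: the constructed table has no overlaps."""
    addr = ip_address(ip)
    for net, asn, _name in ASN_TABLE:
        if addr in net:
            return asn
    return None


def parse_line(line: str):
    """Return (client_ip, request_path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return (m["ip"], m["path"]) if m else None


def summarize(lines):
    """Per-ASN counts: distinct IPs, total requests, requests on watched paths."""
    per_asn = defaultdict(lambda: {"ips": set(), "requests": 0, "watched": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        asn = asn_of(ip)
        if asn is None:
            continue
        rec = per_asn[asn]
        rec["ips"].add(ip)
        rec["requests"] += 1
        if path.startswith(WATCHED_PREFIXES):
            rec["watched"] += 1
    return dict(per_asn)


def select_block(summary, min_ips: int = 3, min_share: float = 0.8) -> list:
    """IPs to block: every address in an ASN where at least min_ips distinct hosts
    together spend min_share or more of their requests on the watched content.
    A lone subscriber pulling the feed from one IP never meets min_ips (assumed thresholds)."""
    blocked = []
    for rec in summary.values():
        share = rec["watched"] / rec["requests"]
        if len(rec["ips"]) >= min_ips and share >= min_share:
            blocked.extend(sorted(rec["ips"], key=ip_address))
    return blocked


if __name__ == "__main__":
    for asn, rec in summarize(SAMPLE_LOG).items():
        print(f"AS{asn}: {len(rec['ips'])} IPs, {rec['requests']} requests, {rec['watched']} on watched paths")
    print("block:", select_block(summarize(SAMPLE_LOG)))
```

The distinct-IP floor is what keeps a real feed consumer off the list: a subscriber polling the STIX endpoint from a single host looks concentrated but not distributed, and it is the combination of many hosts in one network all reading the same threat-intel content that the post treats as countersurveillance rather than readership.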
The Scorecard
China Cycle: Final Stats
| Metric | Value |
|--------|-------|
| Sleeper accounts identified | 6 |
| Sleeper accounts suspended | 6 (100%) |
| Repos protected | 13+ |
| Downloads protected | 136M+ (VSCode alone) |
| Surveillance IPs blocked | 46 |
| Surveillance requests denied | 289 |
| Typosquat domains exposed | 2 |
| APT connections documented | TA459 |
What They Taught Us
1. 45 seconds is impossible - Timing analysis reveals automation
2. Dormancy has patterns - 100-160 day sleeper periods
3. Usernames contain signatures - ANUSFRAGGER, MrSmile, cultural markers
4. Geographic distribution is tradecraft - Mexico City ≠ random
5. They read what they fear - Every Chinese APT post got Huawei hits
6. The STIX feed works - They wanted it because it burns them
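The first three lessons are a detection rule waiting to be written: time from issue creation to first reply, account age at the moment it wakes up, and a "this should fix it" message carrying a ZIP. The script below is an added example, not the Pattern 38 detector the post describes. The events are constructed (the first two copy the shapes the post reports, a 45-second reply and a 104-day-old account, but are not real GitHub records); the 120-second "no human replies faster" ceiling, the lure phrases and the two-signals rule are assumptions for this example, while the 100-160 day window is the one the post gives.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class CommentEvent:
    account: str                 # commenting GitHub account
    account_created: datetime    # when that account was registered
    issue_opened: datetime       # when the issue being replied to was opened
    commented_at: datetime       # when the comment was posted
    body: str                    # comment text
    attachment: Optional[str]    # filename attached to the comment, if any


# Thresholds. SLEEPER_WINDOW_DAYS is the dormancy range the post reports; the
# response ceiling, the lure phrases and min_signals below are assumptions.
MAX_HUMAN_RESPONSE_SECONDS = 120
SLEEPER_WINDOW_DAYS = (100, 160)
LURE_PHRASE = re.compile(r"\bthis should (?:be the fix|solve the problem)\b", re.IGNORECASE)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not real GitHub data).
SAMPLE_EVENTS = [
    CommentEvent("FireSuper", _t("2025-08-11 00:00:00"), _t("2025-11-23 10:00:00"),
                 _t("2025-11-23 10:00:45"), "This should be the fix.", "fix.zip"),
    CommentEvent("anuxagfr", _t("2025-08-11 00:00:00"), _t("2025-11-23 11:00:00"),
                 _t("2025-11-23 11:03:10"), "This should solve the problem", "patch.zip"),
    CommentEvent("maintainer-jane", _t("2019-03-04 00:00:00"), _t("2025-11-23 09:00:00"),
                 _t("2025-11-23 14:30:00"), "Can you attach a stack trace?", None),
    CommentEvent("issue-author", _t("2023-01-01 00:00:00"), _t("2025-11-23 12:00:00"),
                 _t("2025-11-23 12:00:50"), "Forgot to add: this is on Windows 11.", None),
]


def response_seconds(ev: CommentEvent) -> float:
    """Seconds between the issue being opened and this comment landing."""
    return (ev.commented_at - ev.issue_opened).total_seconds()


def dormancy_days(ev: CommentEvent) -> int:
    """Account age at comment time. Assumes the comment is the account's first
    public activity, which is the sleeper case the post describes."""
    return (ev.commented_at - ev.account_created).days


def signals(ev: CommentEvent) -> list:
    """Independent indicators from the post, evaluated on a single event."""
    hits = []
    if response_seconds(ev) < MAX_HUMAN_RESPONSE_SECONDS:
        hits.append("fast-response")
    lo, hi = SLEEPER_WINDOW_DAYS
    if lo <= dormancy_days(ev) <= hi:
        hits.append("sleeper-dormancy")
    has_zip = bool(ev.attachment) and ev.attachment.lower().endswith(".zip")
    if has_zip and LURE_PHRASE.search(ev.body):
        hits.append("zip-fix-lure")
    return hits


def flag_sleepers(events, min_signals: int = 2) -> dict:
    """Accounts showing at least min_signals indicators. A fast reply on its own
    is normal (the issue author adding a detail), so it is never enough alone."""
    flagged = {}
    for ev in events:
        hits = signals(ev)
        if len(hits) >= min_signals:
            flagged[ev.account] = hits
    return flagged


if __name__ == "__main__":
    for account, hits in flag_sleepers(SAMPLE_EVENTS).items():
        print(f"{account}: {', '.join(hits)}")
```

Requiring two signals is the design choice worth noting: reply latency alone catches the issue author correcting their own report, and account age alone catches every newcomer, but a young account that answers in under two minutes with a ZIP "fix" is the shape every account in the post's table shares.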
Thank You, ANUSFRAGGER
Seriously.
• Pattern 38 fully documented
• Pattern 38.5 (cultural signatures) developed
• Automated detection deployed
• 2M+ open source users protected
• A STIX feed that Chinese state actors desperately want to read
You taught us everything. You made us better. You got suspended.
This metal track is for you.
What's Next
The China cycle is closed. Six sleepers suspended. 46 surveillance IPs blocked. Patterns documented.
• 🇷🇺 Russian password-protected malware (skarleta-coder)
• 🇮🇳 Indian Microsoft phishing (pandit777)
• 🇵🇰 Pakistani game crack spam (pkmuhammabdullah675-a11y)
• 🌐 Global brand impersonation (Nero-Burning-Rom-Software)
The rat farms are international. The hunt continues.
• Malware accounts identified: 11
• Successfully suspended: 6 (54%)
• Pending GitHub action: 5
• IOCs contributed to OTX: 220,000+
References
• [Pattern 38: GitHub Supply Chain Sleeper Accounts](/blog/pattern-38-github-supply-chain-sleeper-accounts)
• [We Found Their Server: Pattern 38 C2 Infrastructure Exposed](/blog/we-found-their-server-pattern-38-c2-infrastructure-exposed)
• [Dear Huawei Cloud: Thanks for the 289 Requests](/blog/dear-huawei-cloud-thanks-for-the-289-requests)
• [DugganUSA STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed)
• [OTX Profile: pduggusa](https://otx.alienvault.com/user/pduggusa)
*"I am the Law."* - Judge Dredd
*"ANUSFRAGGER!"* - The Song
The China Cycle: November 23 - December 12, 2025. Nineteen days. Six suspensions. 46 blocks. One metal anthem.
🤘
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]