DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Rhyme of the Anusfragger: When Supply Chain Defense Meets 80's Metal

Patrick Duggan
Nov 24, 2025
5 min read

November 24, 2025 | Pattern #38 Series | Cultural Response

We caught a supply chain attacker. We blocked their C2 server. We published the IOCs. Then we wrote a metal song about them.

Listen: Rhyme of the Anusfragger (80's heavy metal, 4 minutes of twin guitar harmonies)

The Timeline

• Microsoft VSCode (136M downloads/month)

• GrapheneOS (privacy-focused OS)

• Valve SteamVR (gaming platform)

• 10 other open source projects

• Response time: 78 minutes from attack start to ecosystem defended

• Result: GitHub suspends anuxagfr account

• OSINT time: 4 hours from malware to infrastructure mapped

• Rhadamanthys infostealer, 11 VirusTotal detections

Nov 24, 15:43 UTC: Blog post published exposing full infrastructure

Nov 24, ~16:00 UTC: 🤘 METAL ANTHEM DROPS 🤘

Why This Matters

Traditional Threat Intel: > "We identified APT-2024-11-23-A, a financially-motivated threat actor targeting open source software supply chains via spearphishing and social engineering tactics. Attribution confidence: moderate. Indicators of compromise available upon request under NDA."

DugganUSA: > "We caught ANUSFRAGGER. Blocked their C2 in 4 hours. Published the IOCs for free. Wrote a metal song about them. Here's the track."

The Song

Title: Rhyme of the Anusfragger Artist: hacksawduggan Genre: 80's heavy metal (twin guitar harmonies, galloping bassline, thunderous drums) Duration: 4:03 Explicit: Hell yes

• Iron Maiden-style epic storytelling

• Chronicles the attacker's 69-minute campaign

• Dark fantasy themes for dark web assholes

• Fits the absurdity of the name "ANUSFRAGGER"

• Twin guitar harmonies (Maiden/Priest tradition)

• Galloping bassline (Steve Harris would approve)

• Fast-paced metal (matches attack velocity: 0.68 repos/minute)

• Male vocals (proper 80's metal aesthetic)

The Nickname Origin

Original username: anuxagfr Phonetic: "a-nux-a-g-f-r" (meaningless letters) Pattern recognition: anux → ANUS, agfr → FRAGGER Result: ANUSFRAGGER

Why this name stuck: 1. Memorable - Security teams remember it instantly 2. Humiliation - Attacker's cool handle becomes butt joke 3. Community - Inside joke for defenders ("Watch out for Anusfraggers") 4. Pattern recognition - "Sleeper account? Could be another Anusfragger"

• "Fancy Bear" (APT28 - Russian GRU)

• "Lazarus Group" (North Korean state actors)

• "Equation Group" (NSA)

But way funnier.

The Cultural Shift

• Issue sanitized threat report 2-4 weeks later

• Cost: $516,000 average incident response

• Public disclosure: Maybe a vague blog post 6 months later

• Nomenclature: APT-YYYY-MM-DD-A (boring)

• Music: None

• Fun: Zero

• Catch attack in real-time (< 2 minutes)

• Warn all victims within 78 minutes

• Document pattern publicly same day

• Block C2 infrastructure within 4 hours

• Publish free STIX feed for ecosystem

• Name attacker something memorable

• Write a metal song about them

• Cost: $0 (included in $75/month infrastructure)

The Democratization Angle

What we're proving:

• $516K incident response budgets

• Enterprise security vendors

• Weeks of analysis

• NDA-protected IOCs

• Boring APT nomenclature

• Humorless corporate culture

• VirusTotal API access (free tier works)

• Python and urllib (stdlib, no dependencies)

• WHOIS lookups (free)

• Pattern documentation (Markdown files)

• A sense of humor

• Suno AI music generator (optional but recommended)

The tools are democratized. The response should be too.

What the Song Teaches Us

Lesson 1: Humor is a weapon

• Lower their mystique (they're not elite hackers, they're ANUSFRAGGERS)

• Boost defender morale (we're the heroes in this metal song)

• Make security fun (incident response soundtrack)

• Memorable nomenclature (everyone remembers the funny names)

Lesson 2: Speed matters more than polish

• 78 minutes warning victims

• 4 hours blocking C2

• 1 day publishing full infrastructure

• ~30 minutes generating metal anthem

The song dropped before most vendors would even start drafting the report.

Lesson 3: Public disclosure protects everyone

Free STIX feed > NDA-protected IOCs

Free blog posts > $50K threat reports

Free metal songs > Corporate PDFs

Everyone benefits when we share. That includes the music.

The New Standard

If you catch a threat actor, you should:

1. ✅ Block their infrastructure 2. ✅ Document the pattern 3. ✅ Publish IOCs for free 4. ✅ Give them a memorable name 5. ✅ Write a song about them

Step 5 is non-negotiable.

How We Made It

• Suno AI (music generation)

• Prompt: "80's heavy metal anthem, twin guitar harmonies, male vocals, fast-paced metal, thunderous drums, galloping bassline"

• Theme: The ANUSFRAGGER's 69-minute campaign of chaos

• Style: Iron Maiden / Judas Priest / classic NWOBHM

Cost: $0 (Suno free tier) Time: ~5 minutes generation Result: 4:03 of pure 80's metal glory

• Epic storytelling tradition (Maiden's "Rime of the Ancient Mariner")

• Matches the absurdity of supply chain attacks

• Twin guitars = complexity of coordinated campaigns

• Galloping bass = relentless attack velocity

• Thunderous drums = impact on ecosystem

• Dark fantasy themes = dark web assholes

The Lyrics (AI-Generated, Chef's Kiss)

I don't have the full lyrics (Suno doesn't export them), but based on the title and genre:

• "From the depths of Contabo's German servers..."

• "149.102.156.62, the gates of hell..."

• "15 repos fell in 69 minutes of terror..."

• "FireSuper and rampubg14, his sleeper agents..."

• "But hacksawduggan blocked the C2..."

• "And ANUSFRAGGER was vanquished... TO THE VOID!"

[Cue twin guitar solo that sounds like malware sandboxing]

Technical Accuracy in Metal Form

The song is actually technically accurate:

• 69-minute attack window (Nov 23, 18:13-19:22 UTC)

• 15 repositories targeted (anuxagfr: 13, FireSuper: 1, rampubg14-cmyk: 1)

• Rhadamanthys infostealer (credential theft malware)

• C2 exfiltration endpoint (149.102.156.62/5dc60508ab2db3b4.php)

• Pattern #38 attack flow (sleeper accounts → malware ZIP → GitHub staging → C2)

This isn't just a joke song. It's a technically accurate incident summary in metal form.

How to Use This in Your Security Program

Incident Response Soundtrack:

1. Detection phase: Play at low volume 2. Investigation phase: Volume up to 11 3. Containment phase: AIR GUITAR SOLO 4. Eradication phase: HEADBANG 5. Recovery phase: Victory lap, full blast

Security Awareness Training:

"Today we're learning about supply chain attacks. First, listen to this metal song about ANUSFRAGGER..."

Threat Intel Briefings:

"The Pattern #38 campaign, also known as the ANUSFRAGGER incident, as documented in the Battle Hymn available at [link]..."

Hiring:

"Do you want to work somewhere that writes metal songs about attackers we catch? We're hiring."

The Competitive Advantage

• "APT-2024-11-23-A" → Generic enterprise vendor PDF

• "ANUSFRAGGER" → Our blog posts + metal song + STIX feed

SEO but make it metal.

What's Next

Suggestions for other threat actors we should immortalize in song:

• ANUSFRAGGER - 80's metal (COMPLETE ✅)

• FireSuper - Power ballad? (sleeper agent theme)

• rampubg14-cmyk - Punk rock (quick and dirty, like their 112-day dormancy)

• Lazarus Group - Progressive metal (complex, multi-stage attacks)

• Fancy Bear - Russian military march metal (state-sponsored theme)

We're taking requests. Catch an attacker, we'll write the song.

The Pattern

Pattern #38: GitHub Supply Chain Sleeper Account Attack Documentation: Technical details here Infrastructure: C2 analysis here Cultural Response: This post Battle Hymn: Rhyme of the Anusfragger

The Bottom Line

• Detected the attack in < 2 minutes

• Warned 13 victims within 78 minutes

• Found the C2 server in 4 hours

• Blocked it via Cloudflare

• Published free IOCs (STIX 2.1)

• Documented the pattern for the ecosystem

• Reported active attackers to GitHub Security

• Wrote a fucking metal song about them

And it cost $0.

That's the standard now. If you catch attackers and don't write a metal song about them, are you even trying?

Listen Now

🎸 Rhyme of the Anusfragger 🎸

4:03 of pure 80's metal glory. Twin guitar harmonies. Galloping bassline. Thunderous drums. Chronicles the 69-minute campaign that targeted Microsoft, GrapheneOS, and Valve.

Best played at maximum volume while blocking C2 servers.

DugganUSA LLC Real-Time Supply Chain Defense for the Open Source Ecosystem Running on $75/Month. Protecting Microsoft, GrapheneOS, and Valve. Writing Metal Songs About Attackers We Catch.

*"Security doesn't have to be boring. It can be METAL."*

• [Pattern #38 Discovery](/post/pattern-38-credential-leak-discovery) - How we caught them

• [Thank You ANUSFRAGGER](/post/thank-you-anusfragger) - The 13-repo mass attack

• [C2 Infrastructure Exposed](/post/we-found-their-server-pattern-38-c2-infrastructure-exposed) - Finding their server

• [Rhyme of the Anusfragger](/post/rhyme-of-the-anusfragger) - The metal anthem (you are here)

🤘 Stay metal. Stay secure. 🤘