DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

RondoDox: Nine Months of React2Shell in the Wild

Patrick Duggan
Jan 9
2 min read

The Vulnerability

CVE-2025-55182 (React2Shell) is a deserialization flaw in React Server Components that allows unauthenticated remote code execution via a single HTTP request.

CVSS Score: 10.0 (Critical)

React 19.0, 19.1.0, 19.1.1, 19.2.0
Next.js applications using React Server Components
Any framework implementing the RSC "Flight" protocol

Discovery: Lachlan Davidson, disclosed November 29, 2025 Public disclosure: December 3, 2025 Time to exploitation: Hours

The Exploitation

Within hours of public disclosure, AWS threat intelligence observed China-nexus groups actively exploiting the vulnerability:

Group	Attribution
Earth Lamia	China state-nexus
Jackpot Panda	China state-nexus

MINOCAT tunneler
SNOWLIGHT downloader
HISONIC backdoor
COMPOOD backdoor
XMRIG cryptocurrency miners

This isn't script kiddies. This is nation-state actors with pre-positioned exploitation capability waiting for high-value vulns.

The Botnet

The RondoDox botnet has been leveraging React2Shell for nine months—since before public disclosure.

Current exposure (as of January 4, 2026):

Country	Vulnerable Instances
United States	66,200
Germany	3,600
France	2,500
India	1,290
Total	84,916

Two-thirds of vulnerable systems are in the US.

Technical Details

The vulnerability resides in the react-server package's handling of RSC "Flight" protocol payloads.

Attacker sends malformed RSC payload via HTTP
Server fails to validate payload structure
Attacker-controlled data influences server-side execution
Arbitrary code executes with web server privileges

One request. Full compromise.

There is no workaround. You must patch.

The Timeline

Date	Event
~April 2025	RondoDox campaign begins
Nov 29, 2025	Vulnerability disclosed to React team
Dec 3, 2025	Public disclosure
Dec 3, 2025	Exploitation within hours
Jan 4, 2026	84,916 systems still vulnerable

Nine months of quiet exploitation before anyone knew.

Remediation

React: 19.0.1, 19.1.2, or 19.2.1
Next.js 13.x: Upgrade to 14.2.35+

Rotate all application secrets
Review logs for exploitation indicators
Check for persistence mechanisms

There is no workaround. WAF rules may reduce exposure but do not eliminate the vulnerability.

IOCs

MINOCAT (tunneling)
SNOWLIGHT (downloader)
HISONIC (backdoor)
COMPOOD (backdoor)
XMRIG (cryptominer)

Check threat intel feeds for associated infrastructure.

The Lesson

React2Shell demonstrates the modern vulnerability lifecycle:

Discovery → Private disclosure
Patch released → Public disclosure
Hours later → Nation-state exploitation
Months later → 85K systems still unpatched

The window between disclosure and mass exploitation is now measured in hours, not days. If you're not patching within 24 hours of critical CVEs, you're already compromised.

Sources

About DugganUSA: We publish free threat intelligence for the 99% who can't afford enterprise security. Our STIX 2.1 feed includes React2Shell exploitation indicators.

STIX Feed | OTX Profile