Situational Update: January 24, 2026
- Patrick Duggan
- Jan 24
The Numbers
180,534 IOCs indexed
182,948 Oz decisions
544 new STIX indicators (last 24 hours)
2 GitHub abuse reports filed today
3 ICE shootings in Minneapolis this month
2 people killed by federal agents
It's been a day.
Threat Intel: Gap Closure
This morning's sweep identified coverage gaps in our indexes. We closed them.
CVE-2026-23550: WordPress Modular DS (CVSS 10.0)
A critical unauthenticated RCE in the Modular DS plugin for WordPress. No authentication required. Active exploitation reported.
Field | Value |
CVSS | 10.0 |
Attack | Unauthenticated RCE |
Affected | WordPress sites with Modular DS |
Status | Active exploitation |
If you run WordPress with plugins, audit them today.
GootLoader: The Malformed ZIP Technique
GootLoader is back with a new evasion technique. They're using malformed ZIP archives that bypass security scanners but still extract properly for victims.
SEO poisoning drives victims to compromised sites
Download prompt for "legal document" or "contract template"
ZIP file appears corrupted to scanners
User opens → JavaScript payload executes
PowerShell download → Cobalt Strike
IOCs added to our STIX feed.
DataByCloud: Malicious Chrome Extensions
A campaign targeting enterprise users with fake productivity extensions. The extensions abuse Chrome's Remote Debugging Protocol to steal:
Session cookies (including HTTP-only)
OAuth tokens
Saved passwords
Targeting: Workday, NetSuite, SuccessFactors users.
We traced the TTP to GitHub repos documented in today's abuse reports (see below).
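A defender-side check for the technique above, as an added example that is not from the original post or the reported repos: it audits extension `manifest.json` files for the `debugger` permission (which gates the `chrome.debugger` API) alongside broad or targeted host access. The host substrings, severity labels and sample manifests are assumptions constructed for illustration.

```python
import json

# "debugger" is the manifest permission behind the chrome.debugger API, which
# lets an extension drive tabs over the Chrome DevTools (remote debugging) protocol.
DEBUGGER = "debugger"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: substrings standing in for the SaaS targets named in the post.
TARGET_HINTS = ("workday", "netsuite", "successfactors")

def collect(manifest):
    """Gather API permissions and host patterns from MV2 or MV3 manifests."""
    perms, hosts = set(), set()
    for key in ("permissions", "optional_permissions"):
        for p in manifest.get(key, []):
            if not isinstance(p, str):
                continue
            # MV2 mixes host patterns into the permissions arrays.
            (hosts if "://" in p or p == "<all_urls>" else perms).add(p)
    for key in ("host_permissions", "optional_host_permissions"):
        hosts.update(manifest.get(key, []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return perms, hosts

def audit_manifest(manifest):
    """Classify one extension as high, medium, review or ok."""
    perms, hosts = collect(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    targeted = sorted(h for h in hosts if any(t in h.lower() for t in TARGET_HINTS))
    if DEBUGGER in perms:
        severity = "high" if broad or targeted else "medium"
    elif "cookies" in perms and (broad or targeted):
        severity = "review"
    else:
        severity = "ok"
    return {"name": manifest.get("name", "?"), "severity": severity,
            "debugger": DEBUGGER in perms, "broad_hosts": broad, "targeted": targeted}

# Constructed sample manifests (not taken from any real extension).
SAMPLES = [json.loads(s) for s in (
    '{"manifest_version":3,"name":"Quick Notes Pro","permissions":["debugger","tabs"],"host_permissions":["<all_urls>"]}',
    '{"manifest_version":2,"name":"HR Helper","permissions":["debugger","storage"],"optional_permissions":["https://*.myworkday.com/*"]}',
    '{"manifest_version":3,"name":"Tab Sorter","permissions":["cookies"],"host_permissions":["https://*.netsuite.com/*"]}',
    '{"manifest_version":3,"name":"Plain Theme","permissions":["storage","activeTab"]}',
)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
```

Point it at the `manifest.json` of each installed extension in a managed browser profile; anything rated high or medium deserves a manual look before it stays on the allowlist.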
UAT-8837: China APT Targeting US Defense
A Chinese threat actor hitting defense industrial base contractors. Tools include:
GoTokenTheft (credential harvester)
Certipy (AD CS exploitation)
SharpWMI (lateral movement)
All open-source tools. The democratization of APT tradecraft continues.
GitHub Abuse Reports Filed
We identified two accounts distributing malware and filed reports via GitHub's security team.
Team-Recon-Black-Ops (HIGH PRIORITY)
Status: Active
Repos: 15 (8 malicious)
Key violations:
This account is actively distributing malware. Report filed.
scarmonit-creator (MEDIUM PRIORITY)
Status: Active
Created: October 2025
Key violations:
The chrome-privless-encryption repo documents the exact technique used by the DataByCloud malicious extensions. Possible development account for the campaign.
Both reports submitted to [email protected] with full evidence.
Minneapolis: Third ICE Shooting in 17 Days
Content warning: This section contains descriptions of violence.
At approximately 9:00 AM CST this morning, federal agents shot and killed a man outside Glam Doll Donuts at 26th & Nicollet Ave in South Minneapolis.
This is the third ICE shooting in Minneapolis in January 2026. The second fatality.
Date | Victim | Location | Status |
Jan 7 | Renee Nicole Good, 37 | South Minneapolis | KILLED |
Jan 14 | Julio Cesar Sosa Celis | 24th & Lyndale | Survived (shot in leg) |
Jan 24 | Male, TBD | 26th & Nicollet | KILLED |
3 shootings in 17 days. 2 deaths. This does not include deaths in ICE custody.
The Video
WARNING: THIS VIDEO DEPICTS THE EXECUTION OF AN AMERICAN CITIZEN BY AMERICAN GOVERNMENT OFFICIALS
At least 6-7 masked federal agents restraining a single individual
An agent appears to strike the victim in the head with a firearm
Multiple shots fired while the victim is on the ground, restrained
Audio captured: "Did they f------ kill that guy? Are you f------ kidding me?"
Conflicting Accounts
DHS/Federal version: Suspect was armed with a handgun and two magazines.
Video evidence: Victim appears unarmed. Multiple agents restrained single individual. Shots fired while victim was prone.
Official Responses
Gov. Tim Walz: "I just spoke with the White House after another horrific shooting by federal agents this morning. Minnesota has had it. This is sickening. The President must end this operation. Pull the thousands of violent, untrained officers out of Minnesota. Now."
Minneapolis Mayor: Demanded ICE leave the city and state immediately.
MPD Chief Brian O'Hara: Confirmed victim deceased. Investigation ongoing.
Context
January 23: Thousands protested ICE in subzero temps downtown
January 23: ~100 clergy arrested at MSP airport protest
January 24: Hundreds of businesses closed in solidarity
Nine ICE shootings nationally since September 2025.
The Pattern
This morning I indexed threat intelligence. Malware campaigns. APT tools. CVEs with CVSS 10.0 scores.
This afternoon I documented federal agents killing a man outside a donut shop in my city.
Both are security problems.
One of them has IOCs.
Resources
Free STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
OTX Pulse (Today's Gap Closure): https://otx.alienvault.com/pulse/6974f4ae3af99b8e6c3e11b9
GitHub Abuse Report Documentation: Available on request
Her name was Renee Nicole Good.
We don't know his name yet.
DugganUSA LLC Minneapolis, MN January 24, 2026



