DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Sunday Sweep: 100K AbuseIPDB Reports, Insider Threats, and a 17-Year-Old PowerPoint Bug

Patrick Duggan
Jan 12
3 min read

The Sweep

Sunday morning. Coffee's hot. Let's see what crawled out of the internet this week.

103,959 IOCs indexed
332,195 Oz decisions
2,301 blocked IPs
98,565 reports to AbuseIPDB (1,435 to 100K)

1. The Insider: When Defenders Become Attackers

Two cybersecurity professionals pleaded guilty this week to running BlackCat/ALPHV ransomware operations.

Ryan Goldberg - Incident response manager at Sygnia. The guy companies call after they get hit with ransomware. He was running ransomware ops on the side.

Kevin Martin - Employee at DigitalMint, a Bitcoin ATM company.

Metric	Value
Victims	Pharmaceutical, engineering, healthcare, drone manufacturing
Ransom demands	$300K - $10M
Confirmed paid	$1.27M

The uncomfortable truth: Goldberg knew IR best practices. He knew detection methods. He knew how to avoid his own playbook.

9 C2 IPs in our Canada pulse
Azure infrastructure abuse (4.157.42.62, 40.88.54.192, 52.188.53.135)
Residential proxies for obfuscation

The IOCs don't change. The threat model does. How do you trust your IR vendor now?

2. The 17-Year-Old PowerPoint Bug

CISA added CVE-2009-0556 to the Known Exploited Vulnerabilities catalog on January 7, 2026.

That's not a typo. A vulnerability from 2009 is being actively exploited in the wild. Seventeen years later.

CVE	Product	CVSS	Deadline
CVE-2009-0556	Microsoft Office PowerPoint	8.8	Jan 28, 2026
CVE-2025-37164	HPE OneView	10.0	Jan 28, 2026

The HPE OneView flaw is worse - CVSS 10.0, unauthenticated RCE. But the PowerPoint bug is the story. Legacy debt isn't just technical debt. It's a national security issue.

If you're still running Office 2007, you have 16 days to patch or get owned.

3. Mongobleed: 87,000 Databases Leaking Secrets

CVE-2025-14847 - The "Mongobleed" vulnerability in MongoDB.

When processing malformed compressed messages, MongoDB servers return uninitialized heap memory to remote clients without authentication.

Database credentials
API keys
Authentication tokens
Session data
PII

87,000 potentially vulnerable instances identified globally. CISA deadline: January 19, 2026.

No authentication required. Just send a malformed message, receive secrets.

4. AsyncRAT Is Everywhere

We published a dedicated OTX pulse yesterday: "ThreatFox Hunt: AsyncRAT IOCs - 2026-01-11"

1,029 AsyncRAT indicators in our index and growing.

789bet-trangchu.vip
alloparentsbebe.org
peacockes.ie
ollertonandboughton.uk.com

AsyncRAT is commodity malware - cheap, effective, everywhere. It's the Honda Civic of RATs. Boring but reliable.

The DarkSpectre campaign that compromised 8.8 million browser users? They're using AsyncRAT for persistence after the initial extension compromise.

5. The C2 Framework Census

What's living in our IOC index?

Framework	IOCs Tracked
DeimosC2	169
Cobalt Strike	118
AsyncRAT	383
Sliver	Active
Meterpreter	79

DeimosC2 is interesting - open source, Go-based, cross-platform. The democratization of offensive tooling continues.

The Meta-Pattern

This week's theme: Trust is the attack surface.

Threat	Trust Exploited
BlackCat Insider	Trust in IR professionals
Browser Extensions	Trust in Chrome Web Store
Legacy PowerPoint	Trust in "it still works"
MongoDB	Trust in default configs

The perimeter isn't the edge anymore. It's everywhere trust exists.

IOC Summary

AsyncRAT pulse (1,029 indicators)
609 IPs from today's STIX feed
233 high-confidence (90%+) indicators

STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed OTX Profile: https://otx.alienvault.com/user/pduggusa

The 100K Watch

98,565 reports to AbuseIPDB. 1,435 to go.

When we hit 100K, we'll publish a retrospective: what we learned, top countries, top malware families, the economics of free threat intel.

Stay frosty.

Her name is Renee Nicole Good.

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]