
Sunday Threat Sweep: Three Nation-State Campaigns You Need to Block Now

  • Writer: Patrick Duggan
  • Dec 28, 2025
  • 4 min read
  • Tags: threat-intelligence, apt, china, dprk, ioc, otx, stix




TL;DR


While you were enjoying the holidays, nation-state actors were busy. This Sunday sweep identified three active campaigns with 22 IOCs now available in our threat feeds:


| Campaign | Attribution | CVE | IOCs |
|----------|-------------|-----|------|
| UAT-9686 Cisco AsyncOS | China (APT41 overlap) | CVE-2025-20393 (CVSS 10.0) | 6 |
| Evasive Panda DNS Poisoning | China (StormBamboo) | N/A | 12 |
| DPRK EtherRAT | North Korea | CVE-2025-55182 (CVSS 10.0) | 4 |



• [OTX Pulses](https://otx.alienvault.com/user/pduggusa/pulses)

• [STIX 2.1 Feed](https://analytics.dugganusa.com/api/v1/stix-feed)




Campaign 1: UAT-9686 Exploiting Cisco AsyncOS Zero-Day


The Situation


On December 10, 2025, CISA added CVE-2025-20393 to the Known Exploited Vulnerabilities catalog. This is a CVSS 10.0 remote code execution vulnerability in Cisco Secure Email Gateway and Web Manager.


There is no patch.


China-nexus APT group UAT-9686 (with overlaps to APT41 and UNC5174) is actively exploiting this vulnerability to deploy a custom toolkit:


| Tool | Function |
|------|----------|
| AquaShell | Python backdoor listening for encoded HTTP POSTs |
| AquaTunnel | GoLang ReverseSSH for persistent access |
| AquaPurge | Log cleaner (anti-forensics) |
| Chisel | TCP/UDP tunneling |


IOCs (Block These)



```
# C2 Infrastructure
172.233.67.176
172.237.29.147
38.54.56.95
```


What To Do


If you run Cisco Secure Email Gateway or Web Manager:

1. Disable external access to the Spam Quarantine interface immediately
2. Monitor for connections to the IOCs above
3. Check logs for unusual HTTP POST patterns
4. Wait for the Cisco patch (ETA unknown)


Source: Cisco Talos




Campaign 2: Evasive Panda DNS Poisoning


The Situation


Kaspersky disclosed a sophisticated campaign by Evasive Panda (also known as Bronze Highland, Daggerfly, and StormBamboo) that ran from November 2022 through November 2024.


The attack chain:

1. DNS poisoning of legitimate software update domains
2. Fake updates for popular apps (SohuVA, iQIYI Video, IObit Smart Defrag, Tencent QQ)
3. MgBot deployment with per-victim encryption (DPAPI + RC5)
4. Persistence via DLL sideload through a renamed python.exe


MgBot capabilities include keylogging, clipboard capture, audio recording, browser credential theft, and file harvesting. This thing does everything.


IOCs (Block These)



The C2 infrastructure for this campaign (12 IOCs) is published in the Evasive Panda OTX pulse and the STIX 2.1 feed linked under Get Protected below.


What To Do


1. Block the IPs and domains above
2. Monitor for DNS responses pointing to unexpected IPs for software update domains
3. Audit network devices (routers, firewalls) for compromise
4. Implement DNSSEC where possible
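A detection for step 2 above, added here as an example rather than code from the post: it baselines the address ranges a few software-update domains normally resolve to and flags DNS answers that fall outside them. The domains, ranges and log lines are constructed (documentation-only addresses), and the log shape is an assumption you would map to your resolver's format.

```python
import ipaddress
from collections import namedtuple

# Assumed baseline (constructed values): the update domains you track, each
# mapped to the address ranges its legitimate CDN normally answers from.
EXPECTED_RANGES = {
    "update.example-defrag.test": ["203.0.113.0/24"],
    "dl.example-video.test": ["198.51.100.0/25", "2001:db8:10::/48"],
}

Finding = namedtuple("Finding", "ts client qname answer reason")

def _parse_line(line: str):
    # Assumed log shape: "<ts> <client-ip> <qname> A|AAAA <answer-ip>"
    parts = line.split()
    if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
        return None
    return parts[0], parts[1], parts[2].rstrip(".").lower(), parts[4]

def check_dns_log(lines):
    """Return a Finding for every tracked update domain whose answer falls
    outside its expected ranges (the poisoned-update signal)."""
    findings = []
    for line in lines:
        rec = _parse_line(line)
        if rec is None:
            continue
        ts, client, qname, answer = rec
        ranges = EXPECTED_RANGES.get(qname)
        if ranges is None:
            continue  # not an update domain we baseline
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            findings.append(Finding(ts, client, qname, answer, "unparseable answer"))
            continue
        if not any(ip in ipaddress.ip_network(r) for r in ranges):
            findings.append(Finding(ts, client, qname, answer, "outside expected range"))
    return findings

# Constructed sample: one clean answer, one poisoned answer, one untracked
# domain and one clean IPv6 answer.
SAMPLE_LOG = [
    "2025-12-28T09:01:02Z 10.0.0.12 update.example-defrag.test. A 203.0.113.40",
    "2025-12-28T09:01:05Z 10.0.0.12 update.example-defrag.test. A 192.0.2.77",
    "2025-12-28T09:01:09Z 10.0.0.31 www.example.test. A 192.0.2.1",
    "2025-12-28T09:02:11Z 10.0.0.31 dl.example-video.test. AAAA 2001:db8:10::5",
]
```

Running `check_dns_log(SAMPLE_LOG)` returns only the second record; populate the baseline from a few days of known-good resolutions before trusting it in production.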


Sources: Kaspersky Securelist, ESET IOCs, Volexity




Campaign 3: DPRK EtherRAT via React2Shell


The Situation


Two days after CVE-2025-55182 (React2Shell) was disclosed on December 3, 2025, North Korean actors were already exploiting it to deploy a novel backdoor called EtherRAT.


What makes EtherRAT interesting isn't the backdoor itself - it's the command and control mechanism.


Blockchain C2 (EtherHiding)


EtherRAT stores its C2 address in an Ethereum smart contract. When the malware needs to phone home:


1. Queries 9 different Ethereum RPC endpoints in parallel
2. Uses consensus voting to determine the real C2 URL
3. Retrieves the C2 address from the blockchain
4. Connects to the attacker's server


Why does this matter?



• No takedowns: You can't seize an Ethereum smart contract

• No IP blocking: The C2 address can be updated on-chain

• Anti-poisoning: Consensus voting prevents researchers from injecting fake C2s

• Decentralized persistence: The blockchain is forever


This is the first widespread use of blockchain-based C2 we've seen in the wild. Expect more.


IOCs (Block These)



```
# Staging Server
193.24.123.68
```


What To Do


1. Patch React/Next.js immediately (19.2.1+ / patched Next.js releases)
2. Block the staging server IP
3. Hunt for Ethereum RPC traffic from web servers - this is highly anomalous
4. Check for EtherRAT persistence mechanisms:
   - `~/.config/systemd/user/*.service`
   - `~/.config/autostart/*.desktop`
   - `@reboot` cron jobs
   - `.bashrc` / `.profile` injections
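A hunt for step 3 above, added as an example and not Sysdig's or the post's code: it scans egress-proxy records for JSON-RPC bodies calling eth_* methods and rates a source that fans out to several RPC endpoints, the pattern of the parallel consensus lookup described earlier, as high. The proxy record format, host names and sample records are constructed.

```python
import json
from collections import defaultdict

# Assumed input (constructed): one JSON record per line from an egress proxy
# log, with fields src (hostname), dst_host, method and body (request text).
def eth_rpc_method(body):
    """Return the method name if body is an Ethereum JSON-RPC request, else None."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    for req in doc if isinstance(doc, list) else [doc]:  # batch or single
        if isinstance(req, dict) and req.get("jsonrpc") == "2.0":
            method = req.get("method")
            if isinstance(method, str) and method.startswith("eth_"):
                return method
    return None

def hunt_eth_rpc(lines, fanout_threshold=3):
    """Group eth_* calls by source host; a source hitting several distinct RPC
    endpoints (the parallel consensus lookup described above) is rated high."""
    calls = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed proxy records
        method = eth_rpc_method(rec.get("body", "")) if rec.get("method") == "POST" else None
        if method:
            calls[rec["src"]].append((rec["dst_host"], method))
    report = {}
    for src, pairs in calls.items():
        endpoints = sorted({d for d, _ in pairs})
        report[src] = {"endpoints": endpoints, "methods": sorted({m for _, m in pairs}),
                       "severity": "high" if len(endpoints) >= fanout_threshold else "medium"}
    return report

def _rec(src, dst, body):  # builds one constructed proxy record
    return json.dumps({"src": src, "dst_host": dst, "method": "POST", "body": body})

RPC = '{"jsonrpc":"2.0","id":1,"method":"%s","params":[]}'
# Constructed sample: web-01 fans out eth_ calls to three RPC hosts, web-02
# makes an ordinary API POST, build-03 makes a single eth_blockNumber call.
SAMPLE_LOG = [
    _rec("web-01", "rpc-a.test", RPC % "eth_call"),
    _rec("web-01", "rpc-b.test", RPC % "eth_call"),
    _rec("web-01", "rpc-c.test", RPC % "eth_getStorageAt"),
    _rec("web-02", "api.example.test", '{"user":"x","action":"login"}'),
    _rec("build-03", "rpc-a.test", RPC % "eth_blockNumber"),
]
```

Any hit from a web-tier host is worth a ticket; the severity only orders the queue, since legitimate web servers have no reason to speak Ethereum JSON-RPC at all.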


Source: Sysdig TRT




The Social Graph


These campaigns aren't isolated. Here's how they connect:



                    CHINA-NEXUS
                         │
        ┌────────────────┼────────────────┐
        ▼                ▼                ▼
   UAT-9686        Evasive Panda       APT41
   (Cisco 0day)    (DNS poison)     (Overlap)
        │                │                │
        └────────────────┴────────────────┘
              Shared tooling patterns
              Same operational tempo


                    DPRK-NEXUS
                         │
        ┌────────────────┼────────────────┐
        ▼                ▼                ▼
   EtherRAT         Contagious        BeaverTail
   (React2Shell)    Interview       (Code overlap)
        │                │                │
        └────────────────┴────────────────┘
              EtherHiding technique
              Web3/crypto targeting


Nation-state actors share techniques, sometimes tooling, and often target the same vulnerability windows. When a CVSS 10.0 drops, assume multiple APTs are racing to exploit it.




Get Protected


All 22 IOCs from this sweep are now available:


AlienVault OTX (Free)



• [UAT-9686 Pulse](https://otx.alienvault.com/pulse/6951658df4c69ec691010c36)

• [Evasive Panda Pulse](https://otx.alienvault.com/pulse/6951658df923ae3088bc0853)

• [DPRK EtherRAT Pulse](https://otx.alienvault.com/pulse/6951658ebd4466ecf7e0711f)


STIX 2.1 Feed (Free)



```shell
curl https://analytics.dugganusa.com/api/v1/stix-feed
```


Direct Integration



• [https://otx.alienvault.com/user/pduggusa](https://otx.alienvault.com/user/pduggusa)




Methodology



• Public threat intelligence (Talos, Kaspersky, Sysdig, ESET, Volexity)

• GitHub IOC repositories

• CISA KEV catalog monitoring

• Our own behavioral analysis


Total time from identification to customer protection: ~2 hours (Sunday morning coffee included).




The Bottom Line


Three nation-state campaigns. Two CVSS 10.0 vulnerabilities. One novel C2 technique (blockchain).


If you're not consuming threat intelligence feeds, you're defending against yesterday's attacks. The adversaries move fast. Your defenses need to move faster.


Block the IOCs. Patch the CVEs. Monitor for the TTPs.


And enjoy the rest of your Sunday.





Want custom threat intelligence? Contact us




*22 IOCs. 3 campaigns. 0 excuses.*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

