Tax the Rat Farms: Pattern 43 and the Vetinari Approach to Threat Intelligence
- Patrick Duggan
- Dec 3, 2025
---
title: "Tax the Rat Farms: Pattern 43 and the Vetinari Approach to Threat Intelligence"
date: 2025-12-03
author: Patrick Duggan
tags: [threat-intelligence, pattern-43, discworld, philosophy, github, network-analysis]
category: Philosophy
featured: true
---
In Terry Pratchett's Ankh-Morpork, there was once a terrible plague of rats. The city council, in its wisdom, offered twenty pence for every rat tail. For a week or two, the rat population seemed to decline. Then people started queueing up with tails, the treasury was hemorrhaging gold, and somehow there were *more* rats than ever.
Lord Vetinari listened to this problem and solved it with three words: "Tax the rat farms."
Today, we discovered Pattern 43. And it taught us something very Vetinari about threat intelligence.
The Bounty Problem
The cybersecurity industry has its own rat tail bounty: CVE numbers.
Find a vulnerability, get a number, collect your bounty of clout and conference talks. For years, we've been paying the equivalent of twenty pence per tail. And somehow, there seem to be more vulnerabilities than ever.
Enter Ashwesker: a GitHub account created in June 2025 with 103 repositories. Every single one named `Blackash-CVE-XXXX-XXXX`. An exploit factory producing vulnerabilities at the rate of 17 per month.
Are they finding these? Creating these? *Farming* these?
Vetinari would know exactly what was happening.
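The two signals described above (repository volume per month and a single repeated CVE naming template) can be turned into a triage check. This is an added example, not code from the original post or from DugganUSA's scanner; the function names, thresholds, placeholder repository numbers and the day of account creation are assumptions.

```python
import re
from collections import Counter
from datetime import date

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

def name_template(repo_name):
    """Collapse digit runs so names that differ only in numbers share a template."""
    return re.sub(r"\d+", "#", repo_name)

def months_between(start, end):
    """Whole calendar months from start to end, never less than 1."""
    return max(1, (end.year - start.year) * 12 + (end.month - start.month))

def farm_metrics(repo_names, created, observed,
                 min_repos=20, min_rate=10.0, min_share=0.9):
    """Volume and naming metrics for one account. Thresholds are assumptions."""
    total = len(repo_names)
    if total == 0:
        return {"repos": 0, "per_month": 0.0, "cve_share": 0.0,
                "template_share": 0.0, "flag": False}
    cve_share = sum(1 for n in repo_names if CVE_RE.search(n)) / total
    templates = Counter(name_template(n) for n in repo_names)
    template_share = templates.most_common(1)[0][1] / total
    per_month = total / months_between(created, observed)
    flag = (total >= min_repos and per_month >= min_rate
            and cve_share >= min_share and template_share >= min_share)
    return {"repos": total, "per_month": round(per_month, 1),
            "cve_share": cve_share, "template_share": template_share,
            "flag": flag}

# Constructed sample: 103 names in the shape the post reports, with placeholder
# numbers (the real CVE ids are not on the page); creation day is assumed.
FARM = [f"Blackash-CVE-0000-{i:04d}" for i in range(1, 104)]
# Constructed contrast: a long-lived account with a few mixed repositories.
MIXED = ["dotfiles", "log4shell-scanner", "CVE-0000-0001-notes", "blog"]

if __name__ == "__main__":
    print(farm_metrics(FARM, date(2025, 6, 1), date(2025, 12, 3)))
    print(farm_metrics(MIXED, date(2019, 3, 1), date(2025, 12, 3)))
```

The flag is a prompt for manual review: a legitimate proof-of-concept archive or CVE tracker can show the same volume and naming shape.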
Following the Rats
We didn't find Ashwesker by hunting for exploits. We found them by following the social graph of malware distributors - starting from saxophone007, who was distributing Cobalt Strike beacon source code.
saxophone007 follows five accounts. We checked each one. The trail led to:
• B4shCr00k: RAT developer (R4venInject0r, ProcessHollowing)
• Sliaswrk: HVNC toolkit distributor
• Ashwesker: The exploit farm (103 repos in 6 months)
And B4shCr00k? They follow Whitecat18, whose "Rust for Malware Development" repository has 3,117 stars.
Three thousand stars. Teaching people to write malware. In Rust, because apparently even threat actors care about memory safety now.
The Network Is the Pattern
This is Pattern 43: RAT Developer Social Networks.
Not individual bad actors. An *ecosystem*. An interconnected web where:
• Upstream influencers (Whitecat18) create tutorials
• Mid-tier developers (B4shCr00k) implement techniques
• Distributors (Sliaswrk, saxophone007) spread tools
• Exploit farmers (Ashwesker) mass-produce attack surface
• RAT operators (Trinitysudo, wonder21337you) deploy payloads
When Whitecat18 posts a new evasion technique, it propagates through the network. When B4shCr00k improves an injection method, saxophone007 redistributes it. When Ashwesker "discovers" a CVE, someone downstream weaponizes it.
The rats aren't independent. They're *organized*.
Tax the Farms
Here's what Vetinari understood that the council didn't: the problem wasn't the rats. The problem was the *incentive structure* that made rat farming profitable.
In cybersecurity, we've created similar incentives:
• Star counts reward malware tutorials (3,117 stars!)
• CVE numbers reward volume over quality
• GitHub accounts provide free infrastructure
• Social graphs provide distribution networks
The solution isn't to hunt individual rats. It's to identify the farms.
That's why Pattern 43 matters. We're not just reporting accounts to GitHub (though we did - three today: B4shCr00k, wonder21337you, Ashwesker). We're mapping the *network*. Understanding how techniques propagate. Identifying the upstream influencers.
The Vetinari Method
Lord Vetinari ran Ankh-Morpork under a system he called "One Man, One Vote." He was the Man. He had the Vote.
But his real genius was understanding systems. Not fighting the symptoms, but reshaping the incentives. Not catching rats, but making rat farming unprofitable.
Our approach to Pattern 43:
1. Map the network - Follow the followers, trace the forks
2. Identify the farms - Not individual accounts, but production systems
3. Report strategically - Hit the nodes with maximum downstream impact
4. Share intelligence - OTX pulses to 15 subscribers who can take action
5. Document patterns - So the next rat farm looks familiar
• [Pattern 43: RAT Developer Social Network](https://otx.alienvault.com/pulse/6930845d783b15db122b8980)
• Pattern 38 Network follow-up pulse
• Shai-Hulud V2 npm worm indicators
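Steps 1 and 3 of the method, and the walk from saxophone007 described under "Following the Rats", as an added example that is not part of the original post or the author's tooling. The edge list holds only the follow relationships the post states; the function names and the rule that influence flows against the follow edge (from the followed account to its followers) are assumptions.

```python
from collections import deque

# Follow edges stated in the post (follower -> followed). The post says the seed
# follows five accounts but names three, so only those three appear here.
FOLLOWS = {
    "saxophone007": ["B4shCr00k", "Sliaswrk", "Ashwesker"],
    "B4shCr00k": ["Whitecat18"],
}

def crawl(seed, follows, max_hops=3):
    """Breadth-first walk of follow edges; returns {account: hops from seed}."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        acct = queue.popleft()
        if hops[acct] == max_hops:
            continue
        for nxt in follows.get(acct, []):
            if nxt not in hops:
                hops[nxt] = hops[acct] + 1
                queue.append(nxt)
    return hops

def downstream_reach(follows, accounts):
    """Per account, every mapped account that follows it directly or transitively."""
    followers = {a: set() for a in accounts}
    for src, dsts in follows.items():
        for dst in dsts:
            if src in followers and dst in followers:
                followers[dst].add(src)
    reach = {}
    for acct in accounts:
        seen, stack = set(), [acct]
        while stack:
            for f in followers[stack.pop()]:
                if f not in seen and f != acct:  # tolerate follow cycles
                    seen.add(f)
                    stack.append(f)
        reach[acct] = seen
    return reach

def rank_by_reach(seed, follows, max_hops=3):
    """(account, downstream count, hops from seed), widest reach first."""
    hops = crawl(seed, follows, max_hops)
    reach = downstream_reach(follows, hops)
    return sorted(((a, len(r), hops[a]) for a, r in reach.items()),
                  key=lambda t: (-t[1], t[2], t[0]))

if __name__ == "__main__":
    for row in rank_by_reach("saxophone007", FOLLOWS):
        print(row)
```

On these five accounts the upstream tutorial author ranks first and the seed distributor last, which matches the post's point that the reporting value sits upstream of the account where the investigation started.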
The Philosophy
In the Discworld, the Assassins' Guild has a code: they kill for money, but they have *standards*. The Thieves' Guild has quotas and licensing. Even crime, in Ankh-Morpork, is regulated.
Vetinari didn't eliminate crime. He *systematized* it. Made it predictable. Controllable.
We can't eliminate malware development on GitHub. But we can understand its systems. Map its networks. Identify its farms. Make their operations visible and their infrastructure reportable.
Three words from a fictional tyrant, and suddenly threat intelligence makes more sense.
Tax the rat farms.
*Pattern 43 detection is now part of our daily threat scanning. The RAT developer social network analysis runs alongside Patterns 38-42. Results feed into OTX within minutes.*
DugganUSA LLC - Minnesota-based threat intelligence
*"One man, one vote. We are the man. We have the vote on what gets reported."*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed