
Ten Days of Threat Hunting: Nov 19-29, 2025

  • Writer: Patrick Duggan
  • Nov 28, 2025
  • 2 min read

Published: November 29, 2025 Category: Threat Intelligence




The Numbers


Over the past ten days, we've been running an automated threat hunting pipeline against GitHub's issue tracker. The results speak for themselves:


| Metric | Count |
|--------|-------|
| Abuse reports sent to GitHub Security | 12 |
| Unique malicious accounts reported | 30 |
| Accounts confirmed suspended | 4 |
| C2 servers documented | 5 |
| STIX bundles published | 5 |
| VirusTotal-confirmed malware samples | 3 |


The Patterns


We documented seven distinct attack patterns during this period; four of them are described here:


Pattern 38: Sleeper Account ZIP Attacks

New GitHub accounts (often 0-7 days old) posting ZIP attachments to popular project issues. The ZIPs contain PowerShell loaders that fetch Stealc/Rhadamanthys infostealers from bulletproof hosting.


Pattern 43: Russian Password Malware

ZIPs with Russian-language filenames like `пароль.txt` (password.txt) containing credential harvesters.


Pattern 46: Malware Distribution Hubs

Single-purpose accounts with dozens of repos named after stealer families - LummaStealer, Vidar, FukedxRat, CyberStealer. One account had 62 malware-related repos.


Pattern 47: Cracked Stealer Distribution

Repos distributing "cracked" versions of commercial stealers. These are doubly malicious - the "cracked" software is often backdoored, infecting the would-be malware operators themselves.


C2 Infrastructure


We mapped five command & control servers across three hosting providers:



149.102.156.62  - Contabo UK    - PRIMARY beacon endpoint
158.220.93.201  - Contabo UK    - PowerShell payload dropper
95.217.39.238   - Hetzner FI    - Secondary dropper
196.251.107.94  - Bulletproof   - Per-victim crypted builds
107.167.83.34   - IOFLOOD US    - Bulletproof hosting


The two Contabo servers carry neighbouring VMI hostnames (vmi2910825, vmi2915473), which suggests they were provisioned around the same time, most likely for the same campaign.


VirusTotal Confirmation


Every report includes VirusTotal verification:



• Stealc/Rhadamanthys: 18/70 detections

• RedLine Stealer (cracked): 47/76 detections

• Vidar Stealer (modded): 38/76 detections


We don't report based on heuristics alone. If VT doesn't flag it, we don't send the report. That keeps false positives out of GitHub's abuse queue, at the cost of missing fresh samples that no engine has caught yet.


The Pipeline


The entire operation runs autonomously:



Daily Scan (06:00 UTC)
    ↓
GitHub Issue Search (ZIP attachments from new accounts)
    ↓
Profile Analysis (age, repos, followers)
    ↓
VirusTotal Hash Verification
    ↓
Abuse Report Generation
    ↓
Email to [email protected]
    ↓
STIX Bundle Update
    ↓
OTX Pulse Sync
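The stages of that diagram, from issue search through STIX output, as an added example that is not the author's pipeline code. Every input is a constructed fixture: the issues, the author profiles, the attachment bytes and the VirusTotal verdicts are made up so the script runs offline; in production the three lookups are HTTP calls to GitHub (issue search, user profile) and VirusTotal (file-hash report). The repo/follower cut-offs in the profile test and the five-engine floor in the VT gate are this example's assumptions (the post itself reports on any VT flag). The C2 addresses are the five from the section above.

```python
"""Toy version of the hunting pipeline sketched above (added example, not the
author's code). Issues, accounts, attachment bytes and VirusTotal verdicts are
constructed fixtures so it runs offline; in production the three lookups are
HTTP calls to GitHub (issue search, user profile) and VirusTotal (file hash)."""
import hashlib
import re
import uuid
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 11, 28, 6, 0, tzinfo=timezone.utc)  # the 06:00 UTC daily run
ATT = "https://github.com/user-attachments/files/"

ISSUES = [  # constructed issue bodies carrying ZIP attachment links
    {"repo": "bigproject/app", "author": "fresh-acct-1", "body": f"Fix attached: {ATT}1/fix.zip"},
    {"repo": "bigproject/app", "author": "veteran-dev", "body": f"Crash logs: {ATT}2/logs.zip"},
    {"repo": "other/lib", "author": "fresh-acct-2", "body": f"See пароль.txt in {ATT}3/passwords.zip"},
    {"repo": "other/lib", "author": "fresh-acct-3", "body": f"Patch: {ATT}4/patch.zip"},
]
PROFILES = {  # constructed author profiles: age, public repos, followers
    "fresh-acct-1": {"created_at": NOW - timedelta(days=1), "public_repos": 0, "followers": 0},
    "veteran-dev": {"created_at": NOW - timedelta(days=1500), "public_repos": 40, "followers": 120},
    "fresh-acct-2": {"created_at": NOW - timedelta(hours=20), "public_repos": 1, "followers": 0},
    "fresh-acct-3": {"created_at": NOW - timedelta(days=3), "public_repos": 0, "followers": 0},
}
ATTACHMENTS = {  # url -> bytes the downloader would fetch (constructed, not real ZIPs)
    f"{ATT}1/fix.zip": b"PK\x03\x04 loader stub A",
    f"{ATT}2/logs.zip": b"PK\x03\x04 harmless logs",
    f"{ATT}3/passwords.zip": b"PK\x03\x04 loader stub B",
    f"{ATT}4/patch.zip": b"PK\x03\x04 undetected build",
}
C2_IPS = ["149.102.156.62", "158.220.93.201", "95.217.39.238", "196.251.107.94", "107.167.83.34"]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# sha256 -> constructed VT verdict, standing in for GET /api/v3/files/{hash}
VT_VERDICTS = {
    sha256(b"PK\x03\x04 loader stub A"): {"malicious": 18, "total": 70},
    sha256(b"PK\x03\x04 harmless logs"): {"malicious": 0, "total": 70},
    sha256(b"PK\x03\x04 loader stub B"): {"malicious": 47, "total": 76},
    sha256(b"PK\x03\x04 undetected build"): {"malicious": 0, "total": 70},
}
ZIP_LINK = re.compile(re.escape(ATT) + r"\d+/[\w.-]+\.zip")

def is_sleeper_account(profile: dict, max_age_days: int = 7, max_repos: int = 2,
                       max_followers: int = 1) -> bool:
    """Pattern 38 profile test; the repo and follower cut-offs are this example's assumption."""
    return (NOW - profile["created_at"] <= timedelta(days=max_age_days)
            and profile["public_repos"] <= max_repos
            and profile["followers"] <= max_followers)

def vt_confirmed(sha: str, verdicts: dict, min_detections: int = 5) -> bool:
    """Gate on VT. The 5-engine floor is an assumption; it drops single-engine noise."""
    v = verdicts.get(sha)
    return v is not None and v["malicious"] >= min_detections

def hunt(issues, profiles, attachments, verdicts) -> list:
    """Issue search -> profile filter -> hash verification, in the order the diagram shows."""
    findings = []
    for issue in issues:
        if not is_sleeper_account(profiles[issue["author"]]):
            continue
        for url in ZIP_LINK.findall(issue["body"]):
            sha = sha256(attachments[url])
            if not vt_confirmed(sha, verdicts):
                continue  # sleeper account, but VT is clean: no report goes out
            v = verdicts[sha]
            findings.append({"repo": issue["repo"], "author": issue["author"], "url": url,
                             "sha256": sha, "detections": f"{v['malicious']}/{v['total']}"})
    return findings

def abuse_report(findings: list) -> str:
    lines = ["Subject: Malware ZIP attachments posted by new accounts", ""]
    lines += [f"- {f['author']} in {f['repo']}: {f['url']} sha256={f['sha256']} VT {f['detections']}"
              for f in findings]
    return "\n".join(lines)

def stix_indicator(name: str, pattern: str) -> dict:
    ts = NOW.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name, "pattern_type": "stix",
            "pattern": pattern, "valid_from": ts}

def stix_bundle(findings: list, c2_ips: list) -> dict:
    """STIX 2.1 bundle: one file-hash indicator per finding plus one per known C2 IP."""
    objects = [stix_indicator(f"Malicious ZIP posted by {f['author']}",
                              f"[file:hashes.'SHA-256' = '{f['sha256']}']") for f in findings]
    objects += [stix_indicator(f"C2 server {ip}", f"[ipv4-addr:value = '{ip}']") for ip in c2_ips]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

if __name__ == "__main__":
    found = hunt(ISSUES, PROFILES, ATTACHMENTS, VT_VERDICTS)
    print(abuse_report(found))
    print(len(stix_bundle(found, C2_IPS)["objects"]), "STIX indicators")
```

Running it yields two findings: the veteran account is dropped at the profile stage, and fresh-acct-3 is dropped at the VT gate even though its profile looks like a sleeper, which is exactly the "if VT doesn't flag it, we don't report" rule. The bundle carries seven indicators, two file hashes and five IPs, and each `pattern` is a valid STIX comparison expression, so the same object can feed the STIX feed and the OTX pulse sync.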


What We Learned


1. The attackers are fast. Accounts go from creation to malware posting in under 48 hours.


2. They target popular projects. The bigger the repo, the more eyeballs on the malicious issue.


3. They're lazy about infrastructure. Same C2 IPs appear across multiple campaigns. Block one, you block many.


4. Cracked malware is meta-malware. The people trying to run stolen stealers are getting stolen from. There's a certain poetry to it.


5. GitHub responds. Four accounts suspended within days of our reports. The pipeline works.


What's Next



• npm/PyPI typosquatting detection

• Telegram bot C2 infrastructure

• macOS-targeted stealers (AMOS, Atomic, Realst)


The STIX feed is live at `analytics.dugganusa.com/api/v1/stix-feed`. Subscribe and get IOCs before they hit the blogs.




*The best defense is making the internet slightly more annoying for malware operators, one abuse report at a time.*

