# The Alibaba Thread: Five Chinese APT Operations, One Cloud Provider
- Patrick Duggan
- 10 hours ago
- 4 min read
Over the past 72 hours we published a spy trilogy, a PlugX investigation, and indexed 40 IOCs from weekend breaches. When we cross-referenced the new indicators against our existing 1.07 million IOCs, a pattern emerged that we did not expect.
Five distinct Chinese state-nexus cyber operations. One cloud infrastructure provider. Alibaba.
This is not an accusation against Alibaba Group. This is an observation from our threat intelligence index, documented with IOCs, timestamps, and sources. The observation is: Alibaba Cloud is the most commonly recurring infrastructure element across concurrent Chinese APT operations in our dataset. Whether that is because Alibaba Cloud is popular, because it is convenient, or because China's 2017 National Intelligence Law (Article 7) compels cooperation with state intelligence — we present the data and let the reader decide.
## The five operations
Operation 1: APT41 Winnti ELF Backdoor. Published today by Breakglass Intelligence. A Linux backdoor with zero VirusTotal detections and a custom code virtualizer that renders static analysis impossible. It harvests cloud credentials from AWS, Azure, GCP, and Alibaba Cloud via the instance metadata endpoint. The command-and-control server sits at 43.99.48.196 on Alibaba Cloud Singapore. It has been Shodan-invisible for two and a half years. The C2 communicates over SMTP port 25 — a covert channel that blends with legitimate email traffic. Three typosquat domains impersonate Alibaba's own services: ns1.a1iyun.top (mimics aliyun.com with a digit 1 replacing the lowercase L), ai.aliyuncs.help (mimics Alibaba Cloud Storage), and ai.qianxing.co (mimics Qianxin AI). The operators are using Alibaba's brand as camouflage to hide C2 traffic in DNS logs.
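The typosquat camouflage described above is something a defender can look for in resolver logs. The following Python is an added example, not code from the post or from Breakglass Intelligence: it normalizes digit-for-letter confusables (the 1-for-l in a1iyun), compares the second-level label against a watchlist at Levenshtein distance one, and flags registrations under an unexpected top-level domain. The DNS log lines are constructed; the look-alike domains are the three the post reports. Treating aliyuncs.com and qianxin.com as the genuine domains, and the confusable table itself, are assumptions for this example.

```python
import re

# Legitimate second-level labels and their real TLDs. aliyun.com is named in the post;
# aliyuncs.com and qianxin.com are assumptions for this example.
WATCHLIST = {"aliyun": "com", "aliyuncs": "com", "qianxin": "com"}

# Digits commonly substituted for look-alike letters in typosquats (assumed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn: str):
    """Return (fqdn, impersonated_label, reasons) for a look-alike, or None.

    Only the last two labels are compared, so multi-label public suffixes
    such as co.uk are not handled by this example.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    normalized = sld.translate(CONFUSABLES)
    for legit, legit_tld in WATCHLIST.items():
        if sld == legit and tld == legit_tld:
            return None  # the genuine registered domain
        if edit_distance(normalized, legit) > 1:
            continue
        reasons = []
        if normalized != sld:
            reasons.append("confusable-chars")
        if normalized != legit:
            reasons.append("edit-distance-1")
        if tld != legit_tld:
            reasons.append("unexpected-tld")
        return (fqdn, legit, reasons)
    return None


# Constructed resolver log lines (not from the post). The three look-alike
# domains are the ones the post reports; the genuine and unrelated lookups
# are there to show they are not flagged.
SAMPLE_DNS_LOG = """\
2026-04-12T03:14:07Z client=10.0.0.5 query=ns1.a1iyun.top type=A
2026-04-12T03:14:09Z client=10.0.0.5 query=ai.aliyuncs.help type=A
2026-04-12T03:15:41Z client=10.0.0.7 query=ai.qianxing.co type=A
2026-04-12T03:16:02Z client=10.0.0.9 query=oss.aliyuncs.com type=A
2026-04-12T03:16:30Z client=10.0.0.9 query=www.example.org type=AAAA
"""

QUERY_RE = re.compile(r"query=(\S+)")


def scan(log_text: str):
    """Run classify() over every query in the log; return the flagged entries."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for fqdn, legit, reasons in scan(SAMPLE_DNS_LOG):
        print(f"{fqdn:24} impersonates {legit}: {', '.join(reasons)}")
```

The distance-one tolerance is deliberately tight: widening it to two would start matching unrelated short labels, so in practice the watchlist should hold only the brands the organization actually depends on.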
Operation 2: Fake Claude PlugX Campaign. Published April 10 by Malwarebytes. A counterfeit Claude AI download site distributes PlugX, a RAT used almost exclusively by Chinese state-nexus espionage groups. The PlugX implant beacons its C2 at 8.217.190.58 on Alibaba Cloud within 22 seconds of installation. That IP sits in the same 8.217.0.0/16 Alibaba Cloud range as four other C2 nodes already in our threat feed.
Operation 3: CL-STA-1087 / AppleChris. Documented by Palo Alto Unit 42. Four C2 IPs on Alibaba Cloud: 8.220.135.151, 8.220.177.252, 8.220.184.177, and 8.212.169.27. The AppleChris Dropbox exfiltration variant operates from this infrastructure.
Operation 4: Unknown Malware C2. SSL Blacklist flagged 43.99.40.240 on port 8888 — same 43.99.0.0/16 Alibaba Cloud range as the APT41 Winnti C2. Unknown malware family. Active since at least March 2026.
Operation 5: Spylandia. Our own investigation, published Saturday. An AT&T Wireless mobile device near Kennedy Space Center polled our STIX/TAXII feed 100,000 times over 65 days. The collection identifier matched the GitHub username of a developer whose profile lists Alibaba Group, Beijing as their employer. The developer's active secondary account researches Claude Code and AI agent frameworks. The actor went dark within minutes of our putting a blog post link in the 410 response.
## The infrastructure pattern
Alibaba Cloud provides hosting across 31 data centers in 24 countries. It is a legitimate cloud provider used by millions of businesses. Many of those businesses are not conducting espionage.
But the pattern in our data is specific. Five concurrent operations. Three distinct Alibaba Cloud IP ranges (8.212.x.x, 8.217.x.x, 8.219.x.x, 8.220.x.x, 43.99.x.x). Three domains that impersonate Alibaba's own services as camouflage. One employee whose GitHub handle appears in a STIX feed probe. All active within the same 90-day window.
No other cloud provider appears this frequently across concurrent Chinese APT operations in our index. AWS, Azure, and GCP host malware C2 infrastructure — but they do not also have employees whose GitHub handles appear in intelligence collection probes, and their own service domains are not being typosquatted by the same APT group using their infrastructure as C2.
The Alibaba thread is not a single operation. It is an ecosystem.
## The cross-index correlation
This is the kind of pattern our architecture is built to detect. A single indicator — one Alibaba Cloud IP — is unremarkable. Five indicators across five operations, all on Alibaba infrastructure, all active concurrently, discovered through cross-index correlation across our 44 Meilisearch indexes — that is a signal.
Signal Number Six in our PreCog V2 precursor detection system — the one we built Saturday after discovering three Chinese actors converging on our STIX feed — is designed to detect exactly this pattern. Multiple actors from the same country, using the same infrastructure provider, targeting the same category of asset, within the same time window. The individual indicators are below any single threshold. The convergence across all of them is the signal.
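The convergence test Signal Number Six is described as performing can be stated compactly: attribute each indicator's IP to a hosting provider by address block, then group in-window indicators by (actor country, provider, asset category) and alert only when the group spans several distinct operations. The Python below is an added example and is not PreCog's code. The IPs and operation names are those the post reports; the /16 sizes for 8.217.0.0 and 43.99.0.0 are stated in the post, while the other two block sizes, the dates, the asset category and the two non-Alibaba records are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Provider attribution by address block. 8.217.0.0/16 and 43.99.0.0/16 are given in
# the post; /16 for the 8.212 and 8.220 blocks is an assumption for this example.
PROVIDER_BLOCKS = {
    "alibaba-cloud": [
        ip_network(b) for b in ("8.212.0.0/16", "8.217.0.0/16", "8.220.0.0/16", "43.99.0.0/16")
    ],
}


def provider_for(ip: str) -> str:
    """Map an IP to a provider name, or "unknown" if it is in no listed block."""
    addr = ip_address(ip)
    for name, blocks in PROVIDER_BLOCKS.items():
        if any(addr in block for block in blocks):
            return name
    return "unknown"


@dataclass(frozen=True)
class Indicator:
    operation: str       # tracked operation or cluster the IOC belongs to
    actor_country: str   # attributed state nexus
    asset_category: str  # what the operation targets
    ip: str
    last_seen: date


# Constructed IOC records. IPs and operation names come from the post; dates,
# the "cloud-workload" category and the last two records are assumptions.
INDICATORS = [
    Indicator("APT41 Winnti ELF", "CN", "cloud-workload", "43.99.48.196", date(2026, 4, 12)),
    Indicator("Fake Claude PlugX", "CN", "cloud-workload", "8.217.190.58", date(2026, 4, 10)),
    Indicator("CL-STA-1087 AppleChris", "CN", "cloud-workload", "8.220.135.151", date(2026, 4, 5)),
    Indicator("CL-STA-1087 AppleChris", "CN", "cloud-workload", "8.212.169.27", date(2026, 4, 5)),
    Indicator("Unknown malware C2", "CN", "cloud-workload", "43.99.40.240", date(2026, 3, 20)),
    # Stale record on the same provider, outside the window: must not count.
    Indicator("constructed-old-cluster", "CN", "cloud-workload", "8.217.0.99", date(2025, 11, 1)),
    # Single operation from elsewhere (TEST-NET-3 address): below the threshold on its own.
    Indicator("constructed-other", "XX", "cloud-workload", "203.0.113.10", date(2026, 4, 1)),
]


def convergence_signals(indicators, window_days=90, min_operations=3, as_of=None):
    """Return {(country, provider, asset_category): [operations]} for every group
    in which at least min_operations distinct operations were seen in the window.

    No single indicator trips this; only the number of distinct operations does.
    """
    as_of = as_of or max(i.last_seen for i in indicators)
    cutoff = as_of - timedelta(days=window_days)
    groups = defaultdict(set)
    for ind in indicators:
        if ind.last_seen < cutoff:
            continue
        key = (ind.actor_country, provider_for(ind.ip), ind.asset_category)
        groups[key].add(ind.operation)
    return {key: sorted(ops) for key, ops in groups.items() if len(ops) >= min_operations}


if __name__ == "__main__":
    for key, ops in convergence_signals(INDICATORS).items():
        print(f"convergence {key}: {len(ops)} operations -> {', '.join(ops)}")
```

Two records from the same operation (the two AppleChris IPs) count once, because the signal is about distinct operations converging, not about indicator volume. Moving the threshold or the window is a tuning decision; the structure of the test is what matters.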
## What we indexed
Six new IOCs from the APT41 Winnti investigation are now in our STIX feed:
- The ELF binary's SHA-256 and MD5 hashes.
- The Alibaba Cloud Singapore C2 IP.
- The three typosquat domains impersonating Alibaba services.
Combined with the five PlugX IOCs indexed Sunday, the Phorpiex C2 cluster, the LucidRook indicators, and the CPUID/STX RAT hashes, our STIX feed consumers in 46 countries received 45 new IOCs this weekend alone. All searchable. All free.
## The question
China's National Intelligence Law requires all Chinese organizations and citizens to support, assist, and cooperate with state intelligence work. Alibaba Group is a Chinese organization. Alibaba Cloud is a Chinese cloud provider.
The question is not whether Alibaba Cloud is used for espionage infrastructure. The data shows that it is. The question is whether that use is despite Alibaba's efforts to prevent it, or because of a legal and operational framework that makes prevention structurally impossible.
We do not know the answer. We know the data.
— Patrick
Search the Alibaba C2 cluster: analytics.dugganusa.com/api/v1/search?q=alibaba+cloud+c2
STIX feed (free): analytics.dugganusa.com/api/v1/stix-feed
Register: analytics.dugganusa.com/stix/register
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
