
The ASML "1011" Claim: Noise, Signal, and the Attack Vectors That Actually Matter

  • Writer: Patrick Duggan
  • Jan 7
  • 5 min read


Executive Summary


On January 7, 2026, a threat actor known as "1011" claimed to have breached ASML Holding N.V., posting 154 SQL databases to a Russian-language cybercrime forum.


Our assessment: The "1011" claim is likely noise. The actual threat vectors are far more concerning.


"1011" is a known scammer who previously made false claims about NordVPN. But the timing—4 days after the Venezuela invasion and 7 days after China's Article 77 took effect—warrants analysis.

The attack vectors that actually matter:


  1. Sitecore CMS vulnerabilities (CVE-2025-53690, actively exploited)

  2. F5 BIG-IP supply chain compromise (nation-state, source code stolen)

  3. Vercel/React2Shell (CVSS 10.0, actively exploited)

If data was exfiltrated from ASML, it likely came through these vectors—not through "1011's" claimed capabilities.





The "1011" Threat Actor



Profile

  • **First observed**: January 2026
  • **Platform**: Russian-language cybercrime forums
  • **Modus operandi**: Data broker / forum credit farmer
  • **Credibility**: LOW



Previous Claims (Debunked)

On January 4, 2026, "1011" claimed to have breached NordVPN's Salesforce development servers. NordVPN's investigation found the leaked files came from a third-party platform where they briefly had a trial account six months prior. The timestamps in samples showed dates from August 2025—five months before the post.


Pattern: Makes claims using old/recycled data to farm forum credits.



ASML Claim Analysis

  • Posted January 7, 2026
  • Claims 154 SQL databases
  • Includes "disk encryption keys, user info, software data, device records"
  • **Published for dissemination, not ransom** (no negotiation attempt)


Assessment: Either recycled/fabricated data, OR real data acquired through other means and published via "1011" as a cutout for attribution muddying.



Sources

  • [Cybernews - NordVPN Breach Story is Fake](https://cybernews.com/security/fake-asml-nordvpn-data-breach-claims/)
  • [Daily Dark Web - ASML Alleged Data Leak](https://dailydarkweb.net/asml-alleged-data-leak-154-databases-published-online/)
  • [Hackmanac Twitter Alert](https://x.com/H4ckmanac/status/2008798409134571884)





The Real Attack Vectors



1. Sitecore CMS (CVE-2025-53690) - ACTIVELY EXPLOITED


ASML is a known Sitecore customer, having won a Sitecore Experience Award for their website implementation.



| Field | Value |
| --- | --- |
| CVE | CVE-2025-53690 |
| CVSS | 9.0 (Critical) |
| Type | ViewState Deserialization |
| Status | ACTIVELY EXPLOITED IN THE WILD |
| CISA KEV | Added September 4, 2025 |


Attack chain:

  1. Attacker probes /sitecore/blocked.aspx endpoint

  2. Endpoint contains unauthenticated ViewState form

  3. Forged ViewState delivered using exposed sample machine key

  4. RCE achieved under IIS NETWORK SERVICE account

  5. WeepSteel reconnaissance backdoor deployed


Related Sitecore CVEs:

| CVE | Type | Impact |
| --- | --- | --- |
| CVE-2025-34509 | Hardcoded Credentials | Password "b" for ServicesAPI user |
| CVE-2025-34510 | Post-Auth RCE | Path traversal |
| CVE-2025-34511 | Post-Auth RCE | PowerShell extension |


22,000+ Sitecore instances exposed publicly.





2. F5 BIG-IP Supply Chain (Nation-State Breach)



| Date | Event |
| --- | --- |
| Unknown - Aug 2025 | Nation-state maintains persistent access (12+ months) |
| Aug 9, 2025 | F5 detects breach |
| Aug - Oct 2025 | DOJ suppresses disclosure |
| Oct 15, 2025 | Public disclosure + CISA ED 26-01 |
| Jan 2026 | 600,000+ devices remain exposed |


What the attacker obtained:

  • BIG-IP source code
  • Undisclosed (zero-day) vulnerability information
  • Engineering knowledge management platform data
  • Ability to develop targeted exploits

Attribution:

  • UNC5221 (China-nexus)
  • Linked to BRICKSTORM backdoor
  • Part of SPAWN ecosystem


| CVE | CVSS | Description |
| --- | --- | --- |
| CVE-2025-53868 | 8.7 | BIG-IP SCP and SFTP vulnerability |
| CVE-2025-61955 | 8.8 | F5OS vulnerability |
| CVE-2025-57780 | 8.8 | F5OS vulnerability |


680,000 F5 BIG-IP devices visible on public internet.


If ASML uses F5 infrastructure, they may be vulnerable to zero-days the threat actor has but hasn't disclosed.





3. Vercel/React2Shell (CVE-2025-55182)


ASML's website (asml.com) currently returns Vercel server headers.



| Field | Value |
| --- | --- |
| CVE | CVE-2025-55182 |
| CVSS | 10.0 (Critical) |
| Type | React Server Components RCE |
| Status | ACTIVELY EXPLOITED IN THE WILD |
| Affects | Next.js 15.0.0 - 16.0.6 |



| Date | Event |
| --- | --- |
| Aug 26, 2025 | Nx packages supply chain attack (LLM exfil) |
| Sep 8, 2025 | 18 npm packages compromised (2B+ weekly downloads) |
| Sep 2025 | Alleged Vercel data breach |
| Nov-Dec 2025 | Mintlify supply chain (hit Twitter/X, Discord, Cursor) |
| Dec 2025 | React2Shell actively exploited |





Indicators of Compromise



WeepSteel (Sitecore Exploitation)



| Artifact | Type | Value |
| --- | --- | --- |
| Information.dll | MD5 | 117305c6c8222162d7246f842c4bb014 |
| Information.dll | SHA256 | a566cceaf9a66332470a978a234a8a8e2bbdd4d6aa43c2c75c25a80b3b744307 |
| EARTHWORM (lfe.ico) | MD5 | a39696e95a34a017be1435db7ff139d5 |
| EARTHWORM (lfe.ico) | SHA256 | b3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b |
| Helper.exe | MD5 | f410d88429b93786b224e489c960bf5c |
| SharpHound | MD5 | 63d22ae0568b760b5e3aabb915313e44 |
| SharpHound | SHA256 | 61f897ed69646e0509f6802fb2d7c5e88c3e3b93c4ca86942e24d203aa878863 |



Detection Artifacts



| Indicator | Description |
| --- | --- |
| /sitecore/blocked.aspx | Target endpoint for ViewState attack |
| Event ID 1316 | ASP.NET ViewState verification failed |
| Local accounts: asp$, sawadmin | Attacker-created admin accounts |
| SAM/SYSTEM dump | Credential harvesting |
| GoTokenTheft | Token theft tool |



F5/BRICKSTORM Indicators


  • UNC5221 threat actor

  • BRICKSTORM backdoor

  • SPAWN ecosystem artifacts

  • Unusual outbound data transfers from F5 management networks

  • Anomalous logins from foreign IP addresses

  • Modified system logs and registry edits




Geopolitical Context



Article 77 Timing Pattern



| Date | Event |
| --- | --- |
| Jan 1, 2026 | China's amended Cybersecurity Law (Article 77) takes effect |
| Jan 1, 2026 | Panama crisis "resolved" |
| Jan 3, 2026 | Venezuela invasion |
| Jan 7, 2026 | ASML "breach" claimed |


  1. Panama ports (to BlackRock)

  2. Venezuela (BRICS ally with 303B barrels of oil)

Article 77 provides a legal framework for cyber retaliation against "any overseas institution, organization, or individual that engages in activities endangering the cybersecurity of the People's Republic of China."


ASML is the sole manufacturer of EUV lithography machines. A breach effectively bypasses Dutch government export bans—you cannot sanction a file uploaded to the dark web.



Why ASML?

Without ASML's EUV lithography machines:

  • TSMC cannot manufacture advanced chips

  • Intel cannot manufacture advanced chips

  • Samsung cannot manufacture advanced chips

  • China cannot manufacture advanced chips

If the leaked data contains EUV calibration algorithms, lens data, or software specifications, it could accelerate Chinese domestic lithography development by years.





Recommendations



Immediate Actions


  1. Sitecore customers: Patch CVE-2025-53690 immediately. Replace sample ASP.NET machineKey with unique values. Review KB1003865.

  2. F5 customers: Update to latest BIG-IP version. Assume compromise if management interfaces were internet-facing. Hunt for BRICKSTORM/UNC5221 TTPs.

  3. Vercel/Next.js users: Ensure not running Next.js 15.0.0 - 16.0.6. Verify deployments against React2Shell.

  4. All organizations: Search for WeepSteel hashes in your environment. Monitor for local account creation (esp. asp$, sawadmin).
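A way to check item 3 against an npm lockfile rather than by hand. This is an added example, not code from the post or from Vercel; it assumes the 15.0.0 - 16.0.6 range is inclusive at both ends and reads the `packages` map that package-lock.json lockfileVersion 2 and 3 use, so nested copies of `next` under other packages are reported as well.

```python
import json
import re

# Range stated in the post, treated as inclusive at both ends (assumption)
AFFECTED_LOW, AFFECTED_HIGH = (15, 0, 0), (16, 0, 6)
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None) for a semver string."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def react2shell_status(version):
    """'affected', 'clean' or 'review' for one Next.js version string.
    A pre-release whose base number is in range is treated as affected; a
    pre-release of a base above the range (e.g. 16.0.7-canary.3) sorts below
    that release in semver, so it is flagged for manual review, not guessed."""
    base, prerelease = parse_version(version)
    if AFFECTED_LOW <= base <= AFFECTED_HIGH:
        return "affected"
    return "review" if prerelease else "clean"


def scan_lockfile(lock_json):
    """Map every installed copy of next in a lockfileVersion 2/3 package-lock
    (top-level and nested node_modules paths) to its status."""
    lock = json.loads(lock_json)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate the lock")
    return {path: react2shell_status(meta["version"])
            for path, meta in lock["packages"].items()
            if path == "node_modules/next" or path.endswith("/node_modules/next")}


# Constructed lockfile fragment, not taken from any real project
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "site", "dependencies": {"next": "^16.0.0"}},
        "node_modules/next": {"version": "16.0.5"},
        "node_modules/legacy-widget/node_modules/next": {"version": "14.2.3"},
        "node_modules/react": {"version": "19.0.0"},
    },
})

if __name__ == "__main__":
    for path, status in scan_lockfile(SAMPLE_LOCK).items():
        print(f"{status:9} {path}")
```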


Hunt Queries



Sitecore exploitation:

```
index=web sourcetype=iis
| search cs_uri_stem="/sitecore/blocked.aspx" cs_method=POST
| stats count by src_ip
```

WeepSteel presence:

```
index=endpoint
| search (file_hash="117305c6c8222162d7246f842c4bb014" OR file_hash="a566cceaf9a66332470a978a234a8a8e2bbdd4d6aa43c2c75c25a80b3b744307")
```

Suspicious account creation:

```
index=windows EventCode=4720
| search SAMAccountName IN ("asp$", "sawadmin")
```
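The same three hunts for environments without Splunk, as an added example that is not part of the post: it reads IIS W3C logs by their `#Fields:` directive, matches file-hash exports against the WeepSteel hashes from the IOC table, and filters Security-log 4720 events for the two attacker-created account names. The input formats (a `(path, digest)` list and event dicts with `EventCode`/`SAMAccountName`) are assumed shapes for an EDR or event-log export; the sample telemetry is constructed.

```python
from collections import Counter

# Values taken from the post's IOC and detection-artifact tables
WEEPSTEEL_HASHES = {
    "117305c6c8222162d7246f842c4bb014",
    "a566cceaf9a66332470a978a234a8a8e2bbdd4d6aa43c2c75c25a80b3b744307",
}
ATTACKER_ACCOUNTS = {"asp$", "sawadmin"}
TARGET_ENDPOINT = "/sitecore/blocked.aspx"


def iis_post_counts(log_text):
    """POSTs to the ViewState endpoint per client IP (the first hunt query).
    Column order comes from the W3C '#Fields:' directive, not a fixed layout."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            row = dict(zip(fields, line.split()))
            if (row.get("cs-method") == "POST"
                    and row.get("cs-uri-stem", "").lower() == TARGET_ENDPOINT):
                hits[row.get("c-ip", "?")] += 1
    return dict(hits)


def weepsteel_hits(hash_records):
    """(path, digest) pairs whose MD5/SHA256 is in the IOC set (second query)."""
    return [(p, h) for p, h in hash_records if h.lower() in WEEPSTEEL_HASHES]


def suspicious_account_creations(events):
    """Event 4720 (user account created) for the attacker-used names (third query)."""
    return [e for e in events if e.get("EventCode") == 4720
            and e.get("SAMAccountName", "").lower() in ATTACKER_ACCOUNTS]


# Constructed sample telemetry (documentation IP ranges), not real logs
SAMPLE_IIS = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-01-07 09:12:01 GET /sitecore/login - 203.0.113.5 200
2026-01-07 09:12:04 POST /sitecore/blocked.aspx - 203.0.113.5 200
2026-01-07 09:12:05 POST /sitecore/blocked.aspx - 203.0.113.5 500
2026-01-07 09:13:10 GET /sitecore/blocked.aspx - 198.51.100.7 200
"""
SAMPLE_HASHES = [(r"C:\inetpub\wwwroot\bin\Information.dll", "117305C6C8222162D7246F842C4BB014"),
                 (r"C:\Windows\System32\kernel32.dll", "0" * 32)]
SAMPLE_EVENTS = [{"EventCode": 4720, "SAMAccountName": "asp$"},
                 {"EventCode": 4720, "SAMAccountName": "svc_backup"},
                 {"EventCode": 4624, "SAMAccountName": "sawadmin"}]
```

Hash matching is case-insensitive and the 4624 logon for `sawadmin` is deliberately not reported, since the hunt is for account creation.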





Conclusion


The "1011" ASML claim is likely noise—either a scam or a cutout for attribution obfuscation. But the attack surface is real:


  • Sitecore vulnerabilities are actively exploited

  • F5 was compromised by a nation-state with 12+ months of access

  • Vercel/React2Shell provides additional vectors

If ASML was breached, the data probably came through legitimate exploit chains, not "1011's" claimed capabilities. The timing with Article 77 and the Venezuela invasion is notable.


The "1011" claim is the magician's other hand. The actual threat is the supply chain.





IOC Summary (see the WeepSteel table under Indicators of Compromise above)







Patrick Duggan is founder of DugganUSA LLC, a Minnesota-based threat intelligence company. This analysis is based on open-source intelligence and does not contain classified information.


TLP:WHITE - Unlimited distribution.

