
The Attack Surface Is Trust Itself: December 2025's Meta-Pattern

  • Writer: Patrick Duggan
  • Dec 29, 2025
  • 7 min read



The Morning Sweep


Every morning I sweep the nets. Check the feeds. See what crawled out of the woodwork overnight.


December 29, 2025 had the usual suspects: ransomware hits, data breaches, fresh CVEs. But when you lay them side by side, a pattern emerges that's more interesting than any individual incident.


Every major campaign this week inverts a trust relationship.


The attack surface isn't your firewall. It's not your endpoints. It's not even your users.


The attack surface is trust itself.




The Evidence


Trust GitHub? Compromised.


Kaspersky's Securelist documented a Webrat campaign using fake GitHub repositories. The repos masquerade as proof-of-concept exploits for high-severity CVEs.


The targets? Gamers, students, and—here's the kicker—*inexperienced security researchers*.


Think about that. They're not attacking enterprises directly. They're attacking the people who would defend enterprises. Compromise the security researcher's machine, and you've got:



• Their VPN credentials to client networks

• Their notes on vulnerabilities they're researching

• Their communication with other researchers

• A pivot point into dozens of organizations


#### The Receipts: Webrat Campaign IOCs


Malicious GitHub Repositories (15+ identified, all removed):

```
github[.]com/RedFoxNxploits/CVE-2025-10294-Poc
github[.]com/FixingPhantom/CVE-2025-10294
github[.]com/h4xnz/CVE-2025-10294-POC
github[.]com/usjnx72726w/CVE-2025-59295
github[.]com/stalker110119/CVE-2025-59230
github[.]com/moegameka/CVE-2025-59230
github[.]com/DebugFrag/CVE-2025-12596-Exploit
github[.]com/themaxlpalfaboy/CVE-2025-54897-LAB
github[.]com/DExplo1ted/CVE-2025-54106-POC
github[.]com/h4xnz/CVE-2025-55234-POC
github[.]com/Hazelooks/CVE-2025-11499-Exploit
github[.]com/usjnx72726w/CVE-2025-11499-LAB
github[.]com/modhopmarrow1973/CVE-2025-11833-LAB
github[.]com/rootreapers/CVE-2025-11499
github[.]com/lagerhaker539/CVE-2025-12595-POC
```


C2 Servers (still active as of Dec 2025):

```
ezc5510min[.]temp[.]swtest[.]ru
shopsleta[.]ru
```


File Hashes (MD5):

```
28a741e9fcd57bd607255d3a4690c82f
a13c3d863e8e2bd7596bac5d41581f6a
61b1fc6ab327e6d3ff5fd3e82b430315
```


Infection Chain:

1. `start_exp.bat` - Launches payload
2. `rasmanesc.exe` - Primary executable, escalates privileges
3. `payload.dll` - Decoy DLL
4. Disables Windows Defender (T1562.001)
5. Downloads Webrat from C2



• T1134.002: Access Token Manipulation

• T1562.001: Impair Defenses (Disable/Modify Tools)

• T1608.001: Stage Capabilities (Upload Malware)


Trust inversion: "GitHub repo with CVE PoC" used to mean "security researcher helping the community." Now it means "check the author's history or get owned."




Trust Google? Spoofed.


Check Point's research documents attackers abusing Google Cloud's Application Integration "Send Email" workflow.


9,394 phishing emails sent to ~3,200 targets over 14 days.


All from: `[email protected]`


The emails came from Google's infrastructure. SPF passed. DKIM passed. DMARC passed. Because they *were* Google emails—just triggered by an attacker who found a way to abuse the workflow.


#### The Receipts: Google Cloud Abuse



• Sender: `[email protected]` (legitimate Google address)

• Target sectors: Manufacturing, technology, finance

• Geography: US, Asia-Pacific, Europe

• Lure themes: Voicemail alerts, file access requests


Redirect Chain Domains (leveraging Google trust):

```
storage.cloud.google.com
sites.google.com
share.google
```


End Goal: OAuth consent phishing → Malicious Azure AD application → Access to victim's Azure subscriptions, VMs, storage, databases


Google's Response: "We have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration."


Trust inversion: "Email from Google" used to mean "legitimate notification." Now it means "check the context, not just the sender."




Trust CAPTCHAs? Hijacked.


CloudSEK documented the ClickFix campaign using fake CAPTCHAs to distribute AMOS (Atomic macOS Stealer).


You think you're proving you're human. You're actually copying malicious commands. Then you paste them into Terminal because the "CAPTCHA" told you to.


Russian-speaking threat actors. Code comments in Russian. Typo-squatted Spectrum domains.


#### The Receipts: ClickFix/AMOS Campaign IOCs


Malicious Domains:

```
panel-spectrum[.]net
spectrum-ticket[.]net
cf-verifi.pages[.]dev
applemacios[.]com
homebrewrp[.]com
brewory[.]com
rugme[.]cat
```


Payload URLs:

```
https://cf-verifi.pages[.]dev/i.txt            (PowerShell payload)
https://applemacios[.]com/getrur/install.sh    (macOS script)
https://applemacios[.]com/getrur/update        (AMOS binary)
```


File Hashes (MD5):

```
eaedee8fc9fe336bcde021bf243e332a  (AMOS variant)
6fd092d86235d7ae35c557523f493674  (AMOS variant)
```


Rhadamanthys Campaign (Windows):

```
C2:      xcvcxoipoeww[.]site (192.124.176[.]103)
Stage 1: hXXp://141.98.80[.]175/tick.odd
Stage 2: securitysettings[.]live / xoiiasdpsdoasdpojas[.]com (141.98.80[.]175)
```



• Credential theft (browsers, keychain)

• Cryptocurrency wallet extraction

• Telegram/Discord/Steam data

• Apple Notes exfiltration

• Webcam/microphone access


Trust inversion: "Solve this CAPTCHA" used to mean "prove you're human." Now it means "execute arbitrary commands."




Trust MongoDB Auth? Bypassed.


CVE-2025-14847, dubbed "MongoBleed," is now being actively exploited.


No authentication required. Attackers can read uninitialized heap memory—session tokens, passwords, API keys—from any exposed MongoDB instance.


#### The Receipts: MongoBleed Technical Details


CVE: CVE-2025-14847
CVSS: 8.7 (High)
CWE: CWE-130 (Improper Length Parameter Handling)


Affected Versions:

```
8.2.0 – 8.2.3
8.0.0 – 8.0.16
7.0.0 – 7.0.26
6.0.0 – 6.0.26
5.0.0 – 5.0.31
4.4.0 – 4.4.29
All v4.2, v4.0, v3.6
```


Patched Versions:

```
8.2.3+, 8.0.17+, 7.0.28+, 6.0.27+, 5.0.32+, 4.4.30+
```


Attack Mechanism: Mismatched length fields in zlib-compressed protocol headers let an unauthenticated client make the MongoDB server return uninitialized heap memory in its response.


What Leaks: Session tokens, passwords, API keys, internal state, pointer values.


Mitigation: Patch or disable Zlib compression (`networkMessageCompressors` setting).
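A small triage helper for the version and compression checks above, as an added example (not code from this post, from MongoDB, or from any vendor advisory). It uses the post's "Patched Versions" list as the first fixed release of each branch, treats the 4.2/4.0/3.6 branches as having no fix, and assumes that an unset `networkMessageCompressors` means the server default, which includes zlib:

```python
"""Triage a MongoDB server against CVE-2025-14847 ("MongoBleed").

Added example. Version thresholds come from the post's "Patched Versions"
list; the default-compressor assumption is the author's, not MongoDB's.
"""
from __future__ import annotations

import re

# First fixed release per supported branch, from the post's patched list.
FIRST_FIXED: dict[tuple[int, int], tuple[int, int, int]] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# Branches the post lists as affected in full, with no patched release.
UNPATCHED_BRANCHES = {(4, 2), (4, 0), (3, 6)}


def parse_version(text: str) -> tuple[int, int, int]:
    """'7.0.26' -> (7, 0, 26); tolerates a suffix such as '7.0.26-rc0'."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected version string: {text!r}")
    patch = re.match(r"\d+", parts[2])
    if patch is None:
        raise ValueError(f"unexpected patch component: {parts[2]!r}")
    return int(parts[0]), int(parts[1]), int(patch.group())


def is_vulnerable(version: str) -> bool | None:
    """True if below the first fixed release of its branch, False if at or
    above it, None if the branch is not covered by the post's tables."""
    v = parse_version(version)
    branch = v[:2]
    if branch in UNPATCHED_BRANCHES:
        return True
    if branch in FIRST_FIXED:
        return v < FIRST_FIXED[branch]
    return None


def zlib_enabled(compressors: str | None) -> bool:
    """`compressors` is the networkMessageCompressors value, e.g. 'snappy,zstd,zlib'.
    Assumption: when the setting is absent the server default includes zlib."""
    if compressors is None:
        return True
    return "zlib" in {c.strip().lower() for c in compressors.split(",")}


def assess(version: str, compressors: str | None = None) -> str:
    """Return one of: 'patch', 'mitigated', 'ok', 'unknown'."""
    vuln = is_vulnerable(version)
    if vuln is None:
        return "unknown"
    if not vuln:
        return "ok"
    return "mitigated" if not zlib_enabled(compressors) else "patch"


if __name__ == "__main__":
    # Constructed sample inventory: (reported version, compressors setting).
    for ver, comp in [("7.0.26", None), ("7.0.26", "snappy,zstd"),
                      ("8.0.17", None), ("4.2.24", "snappy")]:
        print(f"{ver:8} compressors={comp!s:12} -> {assess(ver, comp)}")
```

Feed it the output of `db.version()` and the server's compressor configuration; anything that comes back `patch` is exposed and needs either the upgrade or zlib removed from the compressor list, while `mitigated` hosts still belong on the upgrade list.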


Trust inversion: "MongoDB requires authentication" used to mean "my data is protected." Now it means "check your version or get bled."




Trust Insurance Companies? Breached.


Scattered Spider hit Aflac. 22.65 million victims.


Social engineering got them in. June 12, 2025. Stopped within hours, but the data was already gone.


#### The Receipts: Aflac Breach Details


Threat Actor: Scattered Spider (aka Octo Tempest, UNC3944)
Initial Access: Social engineering
Detection Date: June 12, 2025
Disclosure Date: December 23, 2025



• Names, DOBs, addresses

• SSNs, driver's licenses, passports

• Medical/health insurance information

• Claims data


Victims: 22,650,000 (beneficiaries, employees, agents)


Other Targets (same campaign): Erie Insurance, Philadelphia Insurance


Legal Status: 11 class action lawsuits filed




Trust Cyber-Only Threats? Now Physical.


This one's darker.


A Semperis study found that 40% of ransomware victims now receive *physical violence threats* during negotiation.


"Pay or we leak your data" became "pay or we show up at your house."


The line between cybercrime and organized crime is gone. These aren't script kiddies. These are operators comfortable crossing from keyboard to kneecap.


Trust inversion: "Ransomware is a cyber problem" used to mean "call the IR team." Now it means "call the IR team AND consider physical security."




The Meta-Pattern


Lay them out:


| What You Trusted | What It Became | IOC Count |
|------------------|----------------|-----------|
| GitHub PoC repos | Malware droppers | 15+ repos, 3 hashes, 2 C2s |
| Google email infrastructure | Phishing delivery | 9,394 emails |
| CAPTCHA verification | Command injection | 7 domains, 2 hashes |
| Database authentication | Memory disclosure | All versions < patch |
| Insurance companies | Data exfiltration | 22.65M records |
| Cyber-only threats | Physical violence | 40% of victims |


Each one takes something we trained ourselves to trust and weaponizes that trust.


This isn't new. Social engineering has always exploited trust. But 2025 is different because the *platforms themselves* are being abused. It's not "attacker pretends to be Google." It's "attacker uses actual Google infrastructure to send actual Google emails."


The uniform is real. The soldier wearing it isn't.




Pattern 46: Credibility Compression


We've been tracking this as Pattern 46 in our threat intel work.


Credibility Compression: When the signals that used to indicate trustworthiness become fakeable at scale.


| Signal | Status (2025) |
|--------|---------------|
| Verified checkmarks | Buyable ($8/month) |
| HTTPS padlock | Free (Let's Encrypt) |
| GitHub stars | Purchasable |
| Google email origin | Abusable (Application Integration) |
| Professional website | $50 template |
| Security researcher profile | Create in an afternoon |


Every signal that used to mean "this is legitimate" is now just another vector.


The compression happens because defenders can't keep up. We taught users "look for the padlock." Attackers got padlocks. We taught users "check if it's from Google." Attackers send from Google.


The credibility signals compress toward zero information value.




What This Means


For defenders: Stop teaching binary trust signals. "GitHub is safe" is wrong. "Google emails are safe" is wrong. "CAPTCHAs are safe" is wrong.



• Who authored this repo? What's their history?

• Why is Google emailing me about this? Did I trigger this workflow?

• Why is this CAPTCHA asking me to open Terminal?


For threat intel: Track trust inversions as a category. When a new trusted platform gets weaponized, document it. The pattern is the product.


For security teams: Assume every trust relationship is an attack surface. Your vendors, your platforms, your authentication flows, your incident response procedures. If you trust it, someone's figuring out how to abuse it.




The Bigger Picture


Attackers aren't getting smarter. They're getting *lazier in the right ways*.


Why build your own infrastructure when you can abuse Google's? Why craft convincing emails when you can send real Google emails? Why social engineer users when you can social engineer the platforms users trust?


The ROI calculation changed. Building credible attack infrastructure used to be hard. Now you just borrow someone else's credibility.


Trust is the new attack surface because trust is the one thing defenders can't patch.


You can patch MongoDB. You can't patch "users trust Google."




The Uncomfortable Conclusion


We built the internet on trust relationships. Certificate authorities trust domain owners. Users trust certificate authorities. Platforms trust authenticated users. Organizations trust platforms.


Each link in that chain is a potential inversion point.


The question isn't "how do we restore trust?" Trust was always an approximation. A shortcut. A heuristic that worked until it didn't.


The question is: What do we do when the heuristics fail?


I don't have a clean answer. But I know the first step is seeing the pattern.


Every campaign this week inverts a trust relationship. That's not coincidence. That's strategy.


The attack surface is trust itself.




IOC Summary (Machine-Readable)


Webrat C2 Infrastructure

```
ezc5510min.temp.swtest[.]ru
shopsleta[.]ru
```


ClickFix/AMOS Infrastructure

```
panel-spectrum[.]net
spectrum-ticket[.]net
cf-verifi.pages[.]dev
applemacios[.]com
192.124.176[.]103
141.98.80[.]175
```


File Hashes (MD5)

```
# Webrat
28a741e9fcd57bd607255d3a4690c82f
a13c3d863e8e2bd7596bac5d41581f6a
61b1fc6ab327e6d3ff5fd3e82b430315
```


CVEs to Patch Today

```
CVE-2025-14847 (MongoDB - CRITICAL)
CVE-2025-10294 (WordPress OwnID - lure)
CVE-2025-59295 (IE buffer overflow - lure)
CVE-2025-59230 (Windows RasMan - lure)
```
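The indicators above are defanged (`[.]`, `hXXp`), so they need normalizing before they can be matched against anything. The following is an added example of that step, not part of the post or of the DugganUSA feed: it refangs the Webrat and ClickFix network indicators listed in this summary, sorts them into domains, IPs and URLs, and runs them over a handful of constructed DNS and proxy log lines, matching subdomains of a listed domain as well as exact hits.

```python
"""Refang the post's network IOCs and sweep log lines for them.

Added example. The IOC block is copied from the post's summary; the log
lines are constructed for the demonstration and are not real telemetry.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlparse

# Network IOCs from the post's IOC summary, in their defanged form.
RAW_IOCS = """
ezc5510min.temp.swtest[.]ru
shopsleta[.]ru
panel-spectrum[.]net
spectrum-ticket[.]net
cf-verifi.pages[.]dev
applemacios[.]com
192.124.176[.]103
141.98.80[.]175
hXXp://141.98.80[.]175/tick.odd
"""

# Constructed sample log lines (not from any real environment).
LOG_LINES = [
    "2025-12-29T08:01:12Z dns query host=ws-17 qname=shopsleta.ru type=A",
    "2025-12-29T08:02:40Z proxy user=jdoe url=http://141.98.80.175/tick.odd status=200",
    "2025-12-29T08:03:05Z dns query host=ws-04 qname=cdn.applemacios.com type=A",
    "2025-12-29T08:04:00Z dns query host=ws-09 qname=updates.example.org type=A",
]

# Candidate hosts in a log line: a dotted-quad IP or a dotted hostname.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def refang(token: str) -> str:
    """Undo the common defanging conventions: [.] and (.) -> '.', hXXp -> http."""
    token = token.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^h[xX]{2}p", "http", token)


def classify(ioc: str) -> tuple[str, str]:
    """Return (kind, value) with kind in {'url', 'ip', 'domain'}."""
    if ioc.startswith(("http://", "https://")):
        return "url", ioc
    try:
        ipaddress.ip_address(ioc)
        return "ip", ioc
    except ValueError:
        return "domain", ioc.lower()


def load_iocs(raw: str) -> dict[str, set[str]]:
    """Parse a defanged IOC block into per-kind sets; a URL also adds its host."""
    out: dict[str, set[str]] = {"url": set(), "ip": set(), "domain": set()}
    for line in raw.splitlines():
        if not line.strip():
            continue
        kind, value = classify(refang(line))
        out[kind].add(value)
        if kind == "url":
            host = urlparse(value).hostname
            if host:
                hkind, hvalue = classify(host)
                out[hkind].add(hvalue)
    return out


def matches(line: str, iocs: dict[str, set[str]]) -> list[str]:
    """Indicators present in one log line (exact host, IP, URL, or a subdomain
    of a listed domain). Returns a sorted, de-duplicated list."""
    hits: set[str] = set()
    for url in iocs["url"]:
        if url in line:
            hits.add(url)
    for m in HOST_RE.finditer(line):
        tok = m.group(1).lower()
        if tok in iocs["ip"] or tok in iocs["domain"]:
            hits.add(tok)
            continue
        for domain in iocs["domain"]:
            if tok.endswith("." + domain):
                hits.add(domain)
    return sorted(hits)


def scan(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, list[str]]]:
    """(line index, indicators) for every line with at least one hit."""
    return [(i, h) for i, line in enumerate(lines) if (h := matches(line, iocs))]


if __name__ == "__main__":
    for idx, found in scan(LOG_LINES, load_iocs(RAW_IOCS)):
        print(f"line {idx}: {', '.join(found)}")
```

Point `LOG_LINES` at a real DNS or proxy export and the same `scan` call works unchanged; the suffix match is what catches a fresh subdomain on a known-bad apex, which is the usual way these campaigns rotate.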




*DugganUSA LLC - Minnesota-based threat intelligence. We sweep the nets so you don't have to.*


*All threat data referenced in this post is available via our STIX feed and OTX profile.*





• [Kaspersky Securelist - Webrat via GitHub](https://securelist.com/webrat-distributed-via-github/118555/)

• [Check Point - Google Cloud Phishing](https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection)

• [CloudSEK - AMOS ClickFix Campaign](https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers)

• [The Hacker News - MongoDB CVE-2025-14847](https://thehackernews.com/2025/12/new-mongodb-flaw-lets-unauthenticated.html)

• [TechCrunch - Aflac Breach](https://techcrunch.com/2025/12/23/us-insurance-giant-aflac-says-hackers-stole-personal-and-health-data-of-22-6-million-people/)

• [The Register - Physical Violence Threats](https://www.theregister.com/2025/12/28/death_torture_and_amputation_how/)

• [BleepingComputer - WebRAT GitHub](https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/)

• [Huntress - ClickFix Rhadamanthys](https://www.huntress.com/blog/clickfix-malware-buried-in-images)



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

