The Google Logo That Wasn't Google
- Patrick Duggan
- Dec 9, 2025
- 4 min read
---
title: "Brand Weaponization: They Stole Your Name and I Can Prove It"
slug: brand-weaponization-they-stole-your-name
date: 2025-12-09
author: Patrick Duggan
tags: [threat-intelligence, brand-spoofing, ptr-spoof, osint, pattern-48]
category: Threat Intelligence
featured: true
---
December 9, 2025, 9:47 AM. Minneapolis. I'm staring at a word cloud where Google's logo is the biggest.
Not because Google is winning. Because Google is being *worn as a mask* by threat actors more than any other brand on the internet.
129 attacks. Google's name. Google's colors. Google's implied trust.
None of it was Google.
What Brand Weaponization Actually Means
When I say "brand weaponization," I'm not talking about marketing departments complaining about trademark dilution. I'm talking about something uglier:
PTR Record Spoofing - Configuring reverse DNS to claim you're `ns2.google.co.nz` when you're actually a VegasNAP datacenter in Las Vegas. IP 104.143.10.202. We caught that one last week.
Typosquatting - `gooogle.com`, `mircosoft.com`, `arnazon.com`. One letter off. Close enough to fool the tired and the trusting.
Credential Farms - Pattern 48. AEZA International LTD. A UK shell company registered at 311 Shoreham Street, Sheffield. REG.RU registrar. AS31514 OOO Trivon Networks. Russian infrastructure pretending to be `telegram.org`, `vk.com`, and `yandex.ru`.
The fake PTR records work because most security tools trust reverse DNS. If your IP says it's Google, plenty of firewalls will let you in.
The Numbers
We built an API to track this. Real-time. Scanning our Domains table and BlockedAssholes table (yes, that's what we call it) for patterns claiming to be brands they aren't.
As of this morning:
| Brand | Attack Count | Status |
|-------|-------------|--------|
| Google | 129 | Most spoofed brand on the internet |
| Amazon | 123 | Close second |
| Cloudflare | 12 | Infrastructure targets |
| Apple | 6 | Phishing campaigns |
| GitHub | 6 | Developer credential theft |
| Facebook | 5 | Social engineering |
| Banks | 4 | Financial fraud |
| Microsoft | 3 | Enterprise intrusion |
Total: 11 brands tracked. 292 weaponization incidents.
And these are just the ones we caught. In one dataset. At one company.
The VegasNAP Discovery
December 3, 2025. Running a PTR spoof detection scan across 1,792 IPs in our AbuseIPDB cache. Looking for discrepancies between what an IP's reverse DNS *claims* to be and what forward DNS *confirms*.
16 raw detections. Most were false positives - Google Cloud Platform instances with legitimate PTR records that just don't have forward DNS configured. Amazon EC2 instances. Azure VMs. That's normal.
But one wasn't normal.
104.143.10.202
PTR record: `ns2.google.co.nz`
Forward DNS lookup: `NXDOMAIN`
That IP is not Google. That IP is not in New Zealand. That IP is in a Las Vegas datacenter pretending to be a Google nameserver in New Zealand.
That's the signal. That's what we hunt.
Pattern 48: The Sheffield Shell Company
October 2025. AEZA International LTD. Registered office: 311 Shoreham Street, Sheffield, UK.
Russian threat actors using a UK shell company for credential harvesting. Fake PTR records claiming to be:
• `github.com` - stealing developer credentials
• `telegram.org` - stealing comms credentials
• `vk.com` - stealing Russian social media credentials
• `yandex.ru` - stealing email credentials
• `rutube.ru` - covering their tracks
The registrar: REG.RU (Moscow)
The ASN: AS31514 OOO Trivon Networks
The game: Set up PTR records to look legitimate. Get past IP reputation systems. Harvest credentials. Disappear.
We published this as OTX Pulse #100: `693319b9c0cfdf9b4d5cf3c6`
The Visualization
Built a word cloud. Logo size scaled by attack frequency. Square root distribution because linear scaling made Google swallow the screen.
```javascript
// Logo size in pixels, scaled by the square root of the attack ratio
// so the most-spoofed brand does not dwarf everything else.
function getLogoSize(attacks, maxAttacks) {
  const minSize = 48
  const maxSize = 120
  const ratio = attacks / maxAttacks
  return minSize + (maxSize - minSize) * Math.sqrt(ratio)
}
```
When a brand is under active attack, the logo pulses. Red indicator. Glowing drop shadow. The visual equivalent of "this is happening right now."
• Attack count
• Last seen timestamp
• Attack type badges (PTR Spoof, Typosquat, Phishing, Credential Farm)
• Example IOCs
We're not just saying "Google is spoofed." We're showing you `ns2.google.co.nz` at IP 104.143.10.202 in VegasNAP.
Specificity is credibility.
Why This Matters
Brand weaponization isn't a trademark problem. It's an infrastructure trust problem.
When an IP claims to be Google and your firewall believes it, that's a security failure. When your users see a login page at `gooogle.com` and enter their credentials, that's a trust failure.
The attackers know what you trust. They're wearing it.
The Detection Method
Simple in concept, painful in execution:
1. Get the PTR record (reverse DNS)
2. Check if it matches a protected pattern (Google, Microsoft, Amazon, etc.)
3. Do a forward DNS lookup on that PTR
4. If the forward lookup doesn't include the original IP, it's spoofed
The hard part: cloud providers legitimately don't configure forward DNS for their reverse records. Google Cloud Platform instances have PTR records like `123.45.67.89.bc.googleusercontent.com` but no forward DNS pointing back.
That's not spoofing. That's just how cloud works.
So we built exclusion patterns:
```javascript
const CLOUD_PROVIDER_PTR_EXCLUSIONS = [
  /\.bc\.googleusercontent\.com$/i,
  /\.1e100\.net$/i,
  /\.googlefiber\.net$/i,
  /\.compute\.amazonaws\.com$/i,
  /\.cloudapp\.azure\.com$/i
]
```
When the PTR matches a cloud provider pattern, we don't flag it. When it claims to be `google.com` or `ns2.google.co.nz` from a datacenter in Las Vegas, we do.
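The four-step check plus the exclusion list, written out as a runnable example. This is added here and is not the author's `ptr-spoof.js` worker. The protected-brand patterns are an assumed list; the in-memory reverse and forward tables are constructed for the example (only 104.143.10.202 / `ns2.google.co.nz` comes from the post), standing in for live DNS so the code runs offline. A live version would wrap Node's `dns.promises.reverse` and `dns.promises.resolve4` and make the functions async.

```javascript
// Added example, not the author's ptr-spoof.js worker.
// Implements the post's four-step PTR spoof check with lookup tables
// standing in for live DNS so it runs offline.

// Step 2 patterns: brand names treated as "protected" when they appear in a
// PTR record. Assumed list; the post tracks 11 brands.
const PROTECTED_BRAND_PATTERNS = [/google/i, /amazon/i, /microsoft/i, /cloudflare/i, /github/i];

// Cloud-provider PTR suffixes that legitimately lack forward DNS (from the post).
const CLOUD_PROVIDER_PTR_EXCLUSIONS = [
  /\.bc\.googleusercontent\.com$/i,
  /\.1e100\.net$/i,
  /\.googlefiber\.net$/i,
  /\.compute\.amazonaws\.com$/i,
  /\.cloudapp\.azure\.com$/i,
];

// Constructed reverse and forward DNS tables. Only 104.143.10.202 /
// ns2.google.co.nz is from the post; the other entries are made up.
const CONSTRUCTED_PTR = {
  '104.143.10.202': 'ns2.google.co.nz',                     // VegasNAP case
  '35.190.0.10':    '10.0.190.35.bc.googleusercontent.com', // GCP-style PTR
  '8.8.8.8':        'dns.google',                           // forward-confirmed
  '203.0.113.7':    'mail.example.net',                     // no protected brand
};
const CONSTRUCTED_FORWARD = {
  'dns.google': ['8.8.8.8', '8.8.4.4'],
  // ns2.google.co.nz deliberately absent: forward lookup returns NXDOMAIN
};

// Resolver interface the checker depends on; swap in a live one for real scans.
const offlineResolver = {
  reverse: ip => CONSTRUCTED_PTR[ip] ?? null,
  resolve4: name => CONSTRUCTED_FORWARD[name] ?? null,
};

// Classify one IP. Verdicts: 'no-ptr', 'unprotected', 'cloud-excluded',
// 'confirmed' (forward DNS contains the IP) or 'spoofed'.
function checkPtrSpoof(ip, resolver) {
  const ptr = resolver.reverse(ip);                               // step 1
  if (!ptr) return { ip, ptr: null, verdict: 'no-ptr' };
  if (!PROTECTED_BRAND_PATTERNS.some(re => re.test(ptr))) {       // step 2
    return { ip, ptr, verdict: 'unprotected' };
  }
  if (CLOUD_PROVIDER_PTR_EXCLUSIONS.some(re => re.test(ptr))) {   // exclusion list
    return { ip, ptr, verdict: 'cloud-excluded' };
  }
  const forward = resolver.resolve4(ptr);                         // step 3
  if (forward && forward.includes(ip)) {                          // step 4
    return { ip, ptr, verdict: 'confirmed', forward };
  }
  return { ip, ptr, verdict: 'spoofed', forward: forward ?? 'NXDOMAIN' };
}

// Sweep a list of IPs and keep only the spoofed ones, the way the scan in
// the post surfaces its hits.
function sweep(ips, resolver) {
  return ips.map(ip => checkPtrSpoof(ip, resolver)).filter(r => r.verdict === 'spoofed');
}

// Stand-alone run over the constructed table.
for (const r of sweep(Object.keys(CONSTRUCTED_PTR), offlineResolver)) {
  console.log(`${r.ip} PTR ${r.ptr} -> forward ${r.forward}: ${r.verdict}`);
}
```

Running it over the constructed table flags only 104.143.10.202: the GCP-style PTR is caught by the brand pattern but dropped by the exclusion list, `dns.google` forward-resolves back to its IP and is confirmed, and `mail.example.net` never matches a protected brand. The exclusion check sits before the forward lookup so the sweep does not spend DNS queries on PTRs it is going to discard anyway.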
What We Built
• Brand Weaponization API: `/api/v1/osint/brand-weaponization`
• Word Cloud Dashboard: Tab 6 in OSINT Analytics
• PTR Spoof Detection: `scripts/precog-sweep/workers/ptr-spoof.js` v1.1
• Cloud Provider Exclusions: 15 patterns to reduce false positives
Live at `analytics.dugganusa.com`. Tab called "Brand Attacks." Orange shield icon.
The Uncomfortable Truth
Google is the most spoofed brand because Google is the most trusted brand.
Amazon is second because Amazon handles your money.
Your firewall trusts reverse DNS. Your users trust login pages. Your security stack trusts reputation.
The attackers know this. They've been exploiting it for years.
We're just the ones who built a word cloud to show you what it looks like.
• AbuseIPDB cache (1,792 IPs)
• ThreatFox IOC feed
• URLhaus malicious domains
• Pattern 48 AEZA farm research
• Real-time DNS verification
• Live at [analytics.dugganusa.com](https://analytics.dugganusa.com)
• OSINT Analytics → Brand Attacks tab
• Pattern 48: [693319b9c0cfdf9b4d5cf3c6](https://otx.alienvault.com/pulse/693319b9c0cfdf9b4d5cf3c6)
*The logos in the word cloud aren't brand advertisements. They're mugshots. Evidence of who's being impersonated and how often. The bigger the logo, the bigger the target.*
*Google didn't ask to be the most spoofed brand on the internet. Nobody does.*
*But somebody has to count the masks.*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]