
The March 2026 Threat Landscape: F5 Source Code in Enemy Hands, 25 Million Records Breached, and Why Your Edge Devices Are the New Front Door

  • Writer: Patrick Duggan
  • Mar 3
  • 3 min read



The security nets are on fire this week. Here is what we are tracking across 952,251 indicators, 350 named adversaries, and 43.5 GB of indexed threat intelligence.


F5 BIG-IP: The Breach That Keeps Giving



CISA issued Emergency Directive 26-01 after a nation-state actor compromised F5 systems and walked out with BIG-IP source code and undisclosed vulnerability data. The breach dates to August 2025. The consequences are unfolding now.


What they got: proprietary source code, vulnerability research, the ability to find zero-days through static analysis of code that sits in front of 260,000 internet-facing deployments worldwide.


What that means: embedded credentials exposed, API keys compromised, lateral movement paths mapped, persistent access established. F5 released 44 CVEs in one patch bundle — 27 of them High severity. The BRICKSTORM backdoor, which Google attributes to UNC5221, ties this directly to a China-nexus threat actor.


The scariest part is not the CVEs they patched. It is the ones the threat actor found in the source code that nobody else knows about yet. When you have the source, you do not need to fuzz. You read.


> CVE-2025-53868: Authentication bypass, CVSS 8.7

> CVE-2025-61955: F5OS vulnerability, CVSS 8.8

> CVE-2025-57780: F5OS vulnerability, CVSS 8.8

> CVE-2026-1281: Unauthenticated code injection, actively exploited

> CVE-2026-1340: Unauthenticated RCE, actively exploited


If you run F5 BIG-IP — and statistically, you probably do — patch now. Not tomorrow. Now.


The Ransomware Scoreboard (Last 72 Hours)



The pace is not slowing down.


Conduent lost data on 25 million people. Brightspeed, a US telecom, had over one million customer records stolen by the Crimson Collective. Peru's National Water Authority lost 2TB to Black Shrantac. Hawaii's cancer research program exposed 87,000 participant records. An Israeli manufacturer lost 1TB in silence. SK-Telecom got hit by CoinbaseCartel. AkzoNobel, one of the world's largest chemical companies, is dealing with a claimed breach.


That is one week. Seven days. Multiple sectors. Multiple countries. Multiple groups.


The trend line is not encouraging. Ransomware-as-a-Service has industrialized. The barrier to entry is a Telegram channel and a crypto wallet. And the targets are shifting — operational technology, critical infrastructure, healthcare, water systems. The things that matter.


What Our Nets Are Catching



Our PreCog Sweep flagged a novel C2 domain — c2.muksecurity.fun — before it appeared in any public feed. That is what autonomous threat hunting looks like at machine speed.


The Cobalt Strike infrastructure we track continues to expand. Our latest OTX pulse maps active beacons across multiple ASNs. The SSL Blacklist is catching C2 callbacks to domains hosted on Baidu cloud infrastructure, which tells you something about the operational security (or deliberate misdirection) of the operators.


Across our corpus we are tracking 8,357 hits for C2 infrastructure, 82,498 phishing URLs, and 2,898 supply chain indicators. The IOC index is actively ingesting — 952,251 and climbing.


The APT Landscape



Four groups worth watching right now:


Amaranth-Dragon, a Chinese-aligned group linked to APT41, is running espionage campaigns against government targets using directory traversal and command injection (CVE-2025-8088, CVE-2025-11953).


RedKitten, a Farsi-speaking actor, is deploying the SloppyMIO implant against Iranian activists. We have four SHA256 hashes in our index.


UNC3886, China-nexus, executed what Mandiant called a "massive" campaign against internet-facing devices — which circles right back to the F5 problem.


UAT-8837, another China-nexus group reported by Cisco Talos, is actively targeting critical infrastructure.


The pattern is clear: edge devices are the new perimeter, and nation-states are treating them as front doors.


What This Means for Our STIX Consumers



Our 275+ consumers across 46 countries get all of this. The C2 infrastructure, the Cobalt Strike beacons, the phishing URLs, the novel IOCs from PreCog — it all flows through the feed. At the current ingest rate, we will cross one million IOCs this month.
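As an added example (not the original post's code and not the DugganUSA feed), here is a minimal STIX consumer: it loads simple-equality indicators from a STIX 2.1 bundle and matches them against DNS and firewall log lines. The bundle, object IDs, the IP 203.0.113.10 and the log lines are constructed; the domain is the one named above.

```python
import json
import re
# Constructed STIX 2.1 bundle standing in for a feed (example data, not the DugganUSA feed).
# c2.muksecurity.fun is the C2 domain named in the post; the IP and object IDs are placeholders.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2026-03-01T00:00:00.000Z", "modified": "2026-03-01T00:00:00.000Z",
         "name": "PreCog novel C2 domain", "valid_from": "2026-03-01T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.muksecurity.fun']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2026-03-01T00:00:00.000Z", "modified": "2026-03-01T00:00:00.000Z",
         "name": "Beacon callback IP (placeholder)", "valid_from": "2026-03-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"}]})
# Handles only the single-comparison STIX pattern form "[type:prop = 'value']";
# compound patterns (AND / OR / FOLLOWEDBY) are skipped rather than mis-parsed.
SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")

def load_indicators(bundle_json):
    """Return {(object_type, value)} for each simple-equality indicator in a bundle."""
    iocs = set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            m = SIMPLE_PATTERN.match(obj["pattern"])
            if m:
                iocs.add((m.group(1), m.group(3)))
    return iocs

def scan_log(lines, iocs):
    """Return [(line_no, value)] for lines containing an IOC value as a whole token.
    Exact match only: a longer hostname that merely embeds the value is not reported."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for _, value in sorted(iocs):
            if re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", line):
                hits.append((n, value))
    return hits

# Constructed DNS and firewall log lines for a stand-alone run.
SAMPLE_LOG = [
    "2026-03-03T10:00:01Z dns client=10.0.0.5 query=www.example.com type=A",
    "2026-03-03T10:00:07Z dns client=10.0.0.5 query=c2.muksecurity.fun type=A",
    "2026-03-03T10:00:09Z dns client=10.0.0.9 query=notc2.muksecurity.fun.example.org type=A",
    "2026-03-03T10:00:12Z fw src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
]
if __name__ == "__main__":
    for line_no, value in scan_log(SAMPLE_LOG, load_indicators(STIX_BUNDLE)):
        print(f"line {line_no}: IOC hit {value}")
```

Line 3 of the sample is deliberately a near-miss: the whole-token match keeps an unrelated hostname that embeds the C2 domain from firing a false positive.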


The F5 situation is exactly why government-sourced, independently indexed threat intelligence matters. When the vendor is the one compromised, you need a source that is not the vendor. CISA published the directive. We indexed it. Our consumers can search it.


Same thesis, different domain: the government's own data, made searchable, protects against the government's own failures.


The Bottom Line



Patch your F5 devices. Audit your edge infrastructure. Assume that if a nation-state has your source code, they have already found vulnerabilities you have not. Monitor for BRICKSTORM indicators. And if you are not consuming threat intelligence at machine speed, you are reading yesterday's newspaper while tomorrow's attack is already in progress.


952,251 indicators. 350 adversaries. 43.5 GB. Updated continuously. That is the net.




DugganUSA is a threat intelligence company. We index government documents, map networks, and publish what we find. Our STIX feed serves 275+ consumers in 46 countries. Our Epstein document index — 398,525 DOJ files — is searchable at https://epstein.dugganusa.com.


STIX feed and threat intelligence: https://analytics.dugganusa.com





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*
