The Quiet Was The Signal: How We Caught DPRK Building Blockchain C2
- Patrick Duggan
- Dec 29, 2025
- 5 min read
Tags: threat-intelligence, dprk, lazarus, blockchain, etherrat, longitudinal-analysis
The Silence Before The Storm
Three weeks ago, I published a piece that pissed off exactly the right people.
CrowdStrike was screaming about "304 FAMOUS CHOLLIMA incidents." Palo Alto was warning of "DPRK insider threats on the rise." The headlines were doing what headlines do—selling fear, moving product, keeping the stock prices stable.
And my firewall logs said: 0% DPRK.
Nothing. Nada. Zero North Korean IPs. Not one.
I published it. "China 3%, Netherlands 26%". Called out the gap between vendor theater and ground truth. Pointed out that 97% of actual attacks came from commercial hosting providers, not nation-state infrastructure.
The response was predictable. Some folks got defensive. Some got curious.
I got suspicious.
When The Dog Doesn't Bark
Here's what 25 years of pattern recognition teaches you: the silence is the tell.
In Sherlock Holmes, it was the dog that didn't bark in the night. In poker, it's the player who suddenly stops betting. In threat intelligence, it's the major actor who vanishes from your telemetry while vendors insist they're everywhere.
DPRK didn't stop. They went underground.
The spray-and-pray scanning stopped. The commodity attacks dried up. They weren't hitting random infrastructure anymore.
They were *building something.*
The Sandtrout Theory
*Dune* has giant sandworms. Shai-Hulud. Impossible to miss. Terrifying. The thing everyone watches.
But the spice—the actual valuable resource—comes from the sandtrout. The little makers. The substrate nobody pays attention to.
When I noticed the DPRK gap on December 7, I wrote in my notes: "little shai-hulud observation."
Something was happening in the substrate. I just didn't know what yet.
December 28: They Surfaced
Christmas came and went. I spent it tracking DDoS infrastructure while everyone else ate ham. Standard holiday.
Then Sunday morning, coffee in hand, I'm doing the weekly threat sweep. And there they are.
DPRK. Back online. With new toys.
Two days after CVE-2025-55182 (React2Shell) dropped—a CVSS 10.0 in React Server Components—North Korean actors were already weaponizing it. Forty-eight hours from disclosure to deployment. That's nation-state speed.
But the exploit wasn't the interesting part.
The command and control was.
EtherHiding: The Blockchain C2
They built something beautiful and terrible.
EtherRAT stores its C2 address in an Ethereum smart contract. When the malware needs to phone home:
1. Queries 9 different Ethereum RPC endpoints in parallel
2. Uses consensus voting to determine the real C2 URL
3. Retrieves the address from the blockchain
4. Connects to the attacker's server
You can't take it down. You literally cannot seize an Ethereum smart contract. The FBI can't call a hosting provider. CISA can't issue a takedown notice. The blockchain doesn't care about your court orders.
The C2 address can be updated on-chain anytime. Victims don't need re-infecting.
Researchers can't poison the C2 pool—consensus voting filters out injected fake addresses.
And the blockchain is forever. This infrastructure doesn't decay. It doesn't expire. It just *exists*, waiting.
First widespread use of blockchain-based C2 in the wild.
I sat back and stared at it for a minute. Then I understood what the silence meant.
The Three Weeks We Missed
| Date | What Happened |
|------|---------------|
| Dec 7 | I publish "0% DPRK" observation |
| Dec 3 | React2Shell CVE disclosed |
| Dec 5 | DPRK actively exploiting with EtherRAT |
| Dec 7-27 | They're rolling it out while I'm wondering where they went |
| Dec 28 | Sunday Threat Sweep catches them |
| Dec 29 | CISA deadline day. You're reading this now. |
The quiet period was exactly what you'd expect for capability development.
They went dark. They built blockchain C2. They waited for a CVSS 10.0 to drop. They weaponized in 48 hours. They deployed.
And for three weeks, the vendors kept screaming about 304 incidents while the actual development was happening in the substrate.
Cui Bono: Why Blockchain?
DPRK has stolen billions in cryptocurrency. Lazarus Group doesn't just target crypto—they *live* in it. Contagious Interview campaigns recruit crypto developers. BeaverTail malware harvests wallet credentials.
So where do you hide your C2 infrastructure if you're a crypto-focused threat actor?
In the goddamn blockchain.
It's domain-native. It's hiding the getaway car in the bank's parking garage. It's using the target's own infrastructure as a persistence layer.
They're not just smart. They're *evolutionary*. This is what optimized predation looks like.
The Receipts
Block these now. Ask questions later.
EtherRAT Staging:
```
193.24.123.68
```
React2Shell C2:
```
193.34.213.150
154.89.152.240
107.174.123.91
38.165.44.205
45.76.155.14
216.238.68.169
78.153.140.16
80.64.16.241
2.56.176.35
```
Domains:
```
gfxnick.emerald.usbx.me
api.qtss.cc
conclusion-ideas-cover-customise.trycloudflare.com
proxy1.ip2worlds.vip
```
Detection Opportunity That Matters:
Hunt for Ethereum RPC traffic from your web servers.
Your Next.js app should not be calling `eth_call` or `eth_getStorageAt`. It should not be talking to Infura or Alchemy or any Ethereum node.
If it is? You're already compromised.
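The resolution flow described in the EtherHiding section (several RPC endpoints queried in parallel, then a vote) and the detection opportunity just above point at one concrete hunt: look for Ethereum JSON-RPC traffic leaving web servers, and look for a single host fanning out to many RPC endpoints within seconds. The script below is an added example, not code from the post or from any EtherRAT analysis. It runs over constructed egress-proxy log lines (one JSON record per line, with the request body logged as parsed JSON; every hostname, IP and timestamp is invented). The method list, the 60-second window and the five-endpoint threshold are assumptions for the example, not values from the post.

```python
import json
from datetime import datetime, timedelta

# Ethereum JSON-RPC read methods a web application has no business calling.
# eth_call and eth_getStorageAt are the two named in the post; the others are
# standard methods from the same API. Assumption: the list is illustrative.
ETH_RPC_METHODS = {
    "eth_call", "eth_getStorageAt", "eth_getCode",
    "eth_getLogs", "eth_blockNumber", "eth_chainId",
}

# Fan-out heuristic (assumed values): one source hitting this many distinct
# RPC endpoints inside the window matches the parallel-query-and-vote pattern.
FANOUT_WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 5


def _line(ts, src, dst, body=None):
    """Build one constructed egress-log record (JSON per line)."""
    rec = {"ts": ts, "src": src, "dst": dst}
    if body is not None:
        rec["body"] = body
    return json.dumps(rec)


def _eth_call(req_id):
    """A minimal eth_call request body; the contract address is a zero placeholder."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": "0x" + "00" * 20, "data": "0x"}, "latest"]}


# Constructed sample log: hostnames, IPs and timestamps are invented.
_RPC_HOSTS = [f"rpc{i}.example-node.invalid" for i in range(1, 7)]
SAMPLE_EGRESS_LOG = "\n".join(
    [_line("2025-12-28T09:14:00Z", "web-01", "api.payments.example", {"amount": 1200})]
    + [_line(f"2025-12-28T09:14:0{i}Z", "web-01", host, _eth_call(i))
       for i, host in enumerate(_RPC_HOSTS)]
    + [_line("2025-12-28T09:20:00Z", "web-02", "rpc9.example-node.invalid",
             {"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber", "params": []})]
    + [_line("2025-12-28T09:21:00Z", "build-01", "registry.npmjs.org")]
    + ["this line is not json and is skipped"]
)


def rpc_methods_in(body):
    """Return Ethereum JSON-RPC method names in a request body (single call or batch)."""
    calls = body if isinstance(body, list) else [body]
    return [c["method"] for c in calls
            if isinstance(c, dict) and c.get("jsonrpc") == "2.0"
            and c.get("method") in ETH_RPC_METHODS]


def parse_egress_log(text):
    """Parse JSON-per-line records, dropping malformed lines and bad timestamps."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue
        records.append(rec)
    return records


def hunt_eth_rpc(text):
    """Flag every Ethereum RPC call and any source that fans out to many endpoints."""
    findings = []
    rpc_events = {}  # src -> [(ts, dst), ...]
    for rec in parse_egress_log(text):
        methods = rpc_methods_in(rec.get("body"))
        if not methods:
            continue
        src = rec.get("src", "?")
        findings.append({"type": "eth_rpc_call", "src": src,
                         "dst": rec.get("dst", "?"), "methods": methods})
        rpc_events.setdefault(src, []).append((rec["ts"], rec.get("dst", "?")))
    # Sliding window: from each call, count distinct endpoints reached within FANOUT_WINDOW.
    for src, events in rpc_events.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                findings.append({"type": "rpc_fanout", "src": src,
                                 "distinct_endpoints": len(hosts),
                                 "window_start": start.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for finding in hunt_eth_rpc(SAMPLE_EGRESS_LOG):
        print(finding)
```

On the sample, `web-01` produces six `eth_rpc_call` findings plus one `rpc_fanout` (six endpoints inside the window), while `web-02`'s lone `eth_blockNumber` is flagged as a call but not as fan-out. In production the single-call rule is the one to alert on first: as the post says, a Next.js server has no legitimate reason to speak JSON-RPC to an Ethereum node at all, so the fan-out rule mainly helps prioritise.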
Check These Persistence Locations:
```
~/.config/systemd/user/*.service
~/.config/autostart/*.desktop
@reboot cron jobs
.bashrc / .profile injections
```
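An added inventory script for the four persistence locations listed above (my example, not tooling from the post). It walks a home directory for user systemd units and autostart entries, takes crontab text as input (feed it the output of `crontab -l`) and pulls out `@reboot` lines, and greps `.bashrc`/`.profile` for launcher-style lines. The regular expression for "suspicious" rc lines is an assumed heuristic; `run_demo()` builds a constructed home directory in a temp folder, with invented paths, so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristic: shell-rc lines that fetch, decode or background something.
# Tune against your own baseline; plain aliases and PATH edits do not match.
SUSPICIOUS_RC = re.compile(r"\b(curl|wget|nohup)\s|base64\s+(-d|--decode)|/dev/tcp/")


def _files(directory, pattern):
    """Glob inside a directory that may not exist."""
    directory = Path(directory)
    return sorted(directory.glob(pattern)) if directory.is_dir() else []


def _key_value(path, key):
    """Return the value of the first `key=` line in an ini-style file, or ''."""
    for line in path.read_text(errors="replace").splitlines():
        if line.strip().startswith(key + "="):
            return line.split("=", 1)[1].strip()
    return ""


def hunt_persistence(home, crontab_text=""):
    """Inventory the user-level persistence locations named in the post."""
    home = Path(home)
    findings = []
    for unit in _files(home / ".config/systemd/user", "*.service"):
        findings.append({"where": "systemd-user", "path": str(unit),
                         "exec": _key_value(unit, "ExecStart")})
    for desktop in _files(home / ".config/autostart", "*.desktop"):
        findings.append({"where": "autostart", "path": str(desktop),
                         "exec": _key_value(desktop, "Exec")})
    for line in crontab_text.splitlines():
        if line.strip().startswith("@reboot"):
            findings.append({"where": "cron", "path": "crontab", "exec": line.strip()})
    for rc in (".bashrc", ".profile"):
        path = home / rc
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if SUSPICIOUS_RC.search(line):
                findings.append({"where": "shell-rc", "path": f"{path}:{lineno}",
                                 "exec": line.strip()})
    return findings


# Constructed crontab text for the demo; the paths are invented.
DEMO_CRONTAB = "0 * * * * /usr/bin/backup-home\n@reboot /home/user/.cache/.x/node loader.js\n"


def run_demo():
    """Build a constructed home directory with one entry per location and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".config/systemd/user").mkdir(parents=True)
        (home / ".config/systemd/user/updater.service").write_text(
            "[Unit]\nDescription=updater\n[Service]\n"
            "ExecStart=/home/user/.cache/.x/node loader.js\n[Install]\nWantedBy=default.target\n")
        (home / ".config/autostart").mkdir(parents=True)
        (home / ".config/autostart/sync.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=/usr/bin/python3 /tmp/.s/a.py\n")
        (home / ".bashrc").write_text(
            "export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"
            "nohup /tmp/.x/run.sh >/dev/null 2>&1 &\n")
        (home / ".profile").write_text("[ -f ~/.bashrc ] && . ~/.bashrc\n")
        return hunt_persistence(home, DEMO_CRONTAB)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['where']:13} {finding['path']}  ->  {finding['exec']}")
```

The script reports every systemd unit and autostart entry, not only suspicious ones, because on a web server the expected count for both is zero and anything present deserves a look; the regex filter is applied only to the shell rc files, where legitimate content is the norm.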
The Vendors Were Right And Wrong
CrowdStrike said 304 DPRK incidents. I saw zero in my telemetry.
Both are true. And that's the point.
When nation-state actors go dark in commodity telemetry, they haven't stopped. They've focused. They're off the spray-and-pray and onto targeted operations against high-value assets.
The vendor reports measure *something*. But it's not what's hitting general infrastructure. It's not what you're going to catch with standard sensors.
When they disappear from your view, they're not gone.
They're hunting.
What I Actually Do Differently
Every threat intel vendor will give you IOCs. Machines generate those. Big deal.
What I do:
1. Notice when actors go quiet (Dec 7: "Where's DPRK?")
2. Ask why (They're not gone, they're building)
3. Watch for emergence (Dec 28: EtherRAT with blockchain C2)
4. Connect across time (The gap predicted the capability)
That's not automation. That's intelligence.
The longitudinal view caught what the point-in-time snapshot missed.
The quiet WAS the signal.
Customers Protected
All IOCs live in the feeds:
OTX Pulse: DPRK EtherRAT
STIX Feed:
```bash
curl https://analytics.dugganusa.com/api/v1/stix-feed
```
Free. Machine-readable. No NDA required.
The fancy vendors will give you a sanitized PDF in six weeks behind an enterprise paywall. I gave you the IOCs before you finished your coffee.
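To turn a STIX 2.1 feed into something a firewall or DNS resolver can consume, you need to pull the comparison values out of each indicator's pattern. The parser below is an added example, not the feed's own client code, and it does not assume anything about the real feed's shape beyond "a STIX 2.1 bundle as JSON" (the `fetch_bundle` helper is left uncalled for that reason). The sample bundle is constructed: the IP and domain values come from the IOC list in this post, but the object ids, timestamps, names and the revoked placeholder indicator are invented.

```python
import ipaddress
import json
import re
import urllib.request

# One STIX 2.1 comparison expression, e.g.  ipv4-addr:value = '203.0.113.9'
# Patterns may chain several with OR/AND inside the square brackets.
_PATTERN_TERM = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']*)'")


def _indicator(num, name, pattern, revoked=False):
    """Build a constructed STIX 2.1 indicator object (ids and timestamps invented)."""
    obj = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-{num:012d}",
        "created": "2025-12-28T12:00:00.000Z", "modified": "2025-12-28T12:00:00.000Z",
        "name": name, "pattern_type": "stix", "pattern": pattern,
        "valid_from": "2025-12-28T12:00:00Z",
    }
    if revoked:
        obj["revoked"] = True
    return obj


# Constructed bundle; indicator values are the ones listed in the post.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "EtherRAT staging", "[ipv4-addr:value = '193.24.123.68']"),
        _indicator(3, "React2Shell C2",
                   "[ipv4-addr:value = '193.34.213.150' OR ipv4-addr:value = '154.89.152.240']"),
        _indicator(4, "React2Shell domain", "[domain-name:value = 'api.qtss.cc']"),
        _indicator(5, "React2Shell domain", "[domain-name:value = 'GFXNICK.emerald.usbx.me']"),
        # Revoked placeholder (TEST-NET-3 address): a consumer must drop it.
        _indicator(6, "withdrawn", "[ipv4-addr:value = '203.0.113.9']", revoked=True),
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000007",
         "name": "example producer", "identity_class": "organization"},
    ],
}
SAMPLE_BUNDLE_JSON = json.dumps(SAMPLE_BUNDLE)


def extract_iocs(bundle):
    """Collect blocklist values by type from a STIX 2.1 bundle (dict or JSON text)."""
    if isinstance(bundle, (str, bytes)):
        bundle = json.loads(bundle)
    out = {"ipv4": set(), "domain": set(), "url": set()}
    for obj in bundle.get("objects", []):
        # Only live STIX-pattern indicators contribute; sightings, identities,
        # relationships and revoked objects are skipped.
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for kind, value in _PATTERN_TERM.findall(obj.get("pattern", "")):
            if kind == "ipv4-addr":
                try:
                    ipaddress.IPv4Address(value)  # reject malformed addresses
                except ValueError:
                    continue
                out["ipv4"].add(value)
            elif kind == "domain-name":
                out["domain"].add(value.lower())
            else:
                out["url"].add(value)
    return out


def fetch_bundle(url="https://analytics.dugganusa.com/api/v1/stix-feed", timeout=30):
    """Download the feed. Assumption: the endpoint returns a STIX 2.1 bundle as JSON."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_BUNDLE_JSON)
    for kind in ("ipv4", "domain", "url"):
        for value in sorted(iocs[kind]):
            print(f"{kind}\t{value}")
```

Two details matter when this runs against a live feed: honour `revoked` (otherwise a withdrawn false positive stays in your blocklist forever) and lower-case domain names before comparing, since DNS is case-insensitive but string sets are not.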
What's Next
EtherHiding is the first. It won't be the last.
• Other threat actors to adopt blockchain C2
• Evolution beyond Ethereum (Solana, Polygon, L2s)
• Smart contract obfuscation
• Cross-chain resilience
The substrate shifted. The sandtrout moved to the blockchain.
And somewhere in Pyongyang, a developer is probably reading this and smiling.
That's fine. I'm smiling too. This is the game.
The Bottom Line
| What They Said | What I Saw | What It Meant |
|----------------|------------|---------------|
| 304 DPRK incidents | 0% in my logs | They went focused, not gone |
| Nation-state surge | Commercial hosting dominates | The scary names are theater |
| Buy our product | Watch your silence | The data is already there |
The quiet period predicted the capability emergence.
Three weeks of silence. One novel C2 technique. Zero vendor warnings about blockchain infrastructure.
I was watching. They were building. Now we both know.
Watch the silence. That's where the sandtrout hide.
*DugganUSA LLC* *$77/month. 2M+ IOCs. Watching the quiet while vendors sell the noise.*
*"The absence of signal IS the signal."*
• AlienVault OTX: https://otx.alienvault.com/user/pduggusa
• STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]