DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

The Receipts

Patrick Duggan
Dec 11, 2025
5 min read

--- title: "Who Are The Bad Guys Right Now? December 2025 Threat Landscape with Receipts" slug: bad-guys-december-2025-threat-landscape date: 2025-12-12 author: Patrick Duggan tags: [threat-intelligence, apt41, emotet, brand-weaponization, bulletproof-hosting] category: Threat Intelligence featured: true ---

At 3:12 AM Central on December 12, 2025, I pulled our production threat intelligence database. Not a summary. Not a report someone else wrote. The actual data from our STIX 2.1 feed that Microsoft is polling 215 times a week.

920 indicators. 40 countries. 146 unique ISPs. Here's who's attacking right now.

The Countries

| Country | IOCs | Avg Abuse Score | Total Reports | What's Happening | |---------|------|-----------------|---------------|------------------| | 🇺🇸 United States | 296 | 81% | 78,862 | Cloud infrastructure abuse | | 🇸🇬 Singapore | 229 | 41% | 14,170 | Asian cloud hub exploitation | | 🇨🇳 China | 70 | 62% | 4,300 | State-adjacent ISP activity | | 🇭🇰 Hong Kong | 56 | 46% | 4,471 | China overflow operations | | 🇳🇱 Netherlands | 52 | 90% | 42,994 | Bulletproof hosting paradise | | 🇩🇪 Germany | 41 | 93% | 30,192 | Datacenter abuse | | 🇰🇷 South Korea | 9 | 93% | 4,646 | APNIC block exploitation | | 🇫🇷 France | 14 | 87% | 6,551 | FBW Networks problem |

The United States leads in raw volume because attackers love American cloud infrastructure. AWS, Azure, GCP - they spin up instances, attack, get burned, repeat. The 78,862 abuse reports tell the story.

But look at the abuse percentages. Netherlands at 90%. Germany at 93%. South Korea at 93%. These aren't volume leaders - they're precision strikes from bulletproof infrastructure designed to stay online.

The Worst ISPs (100% Abuse Score)

These ISPs have every single flagged IP at maximum abuse confidence:

| ISP | IOCs | Country | What They Are | |-----|------|---------|---------------| | Asia Pacific Network Information Center | 60 | KR | Abandoned IP space being squatted | | Microsoft Corporation | 55 | US | Abused Azure subscriptions | | DigitalOcean, LLC | 37 | SG | $5 droplet attack farms | | Google LLC | 26 | US | Abused GCP projects | | TECHOFF SRV LIMITED | 25 | NL | Dutch bulletproof hosting | | Amazon Technologies Inc. | 22 | SG | Abused AWS accounts | | ACEVILLE PTE.LTD. | 12 | HK | Tencent-adjacent infrastructure | | China Unicom Shanghai | 9 | CN | State ISP | | Tencent Cloud Beijing | 8 | CN | State-adjacent cloud | | FBW NETWORKS SAS | 7 | FR | French bulletproof hosting |

Microsoft, Google, Amazon, DigitalOcean - the biggest names in cloud computing - all showing 100% abuse scores on flagged IPs. This isn't the companies being malicious. It's attackers exploiting their infrastructure and the companies being too slow to respond.

TECHOFF SRV LIMITED in the Netherlands and FBW NETWORKS SAS in France? Those are the bulletproof hosters. They know exactly who their customers are.

Active C2 Frameworks

Command and control infrastructure we're seeing right now:

| Framework | Instances | Countries | Notes | |-----------|-----------|-----------|-------| | Empire/PowerShell Empire | 252 | CN, US | Post-exploitation favorite | | Covenant | 118 | CN, MX, HK, NL, SG, JP | .NET C2, popular with APTs | | Mythic C2 | 118 | CN, MX, HK, NL, SG, JP | Modern, modular, dangerous | | Cobalt Strike | 4 | FI, PL, CA | The classic, still kicking |

252 Empire instances. That's not script kiddies - that's organized operations running PowerShell post-exploitation at scale across Chinese and American infrastructure.

Active Malware Families

| Family | Detections | Countries | Status | |--------|------------|-----------|--------| | Emotet | 226 | US, DE, CA | Still alive, still spreading | | Mythic C2 | 118 | Multi | Active deployment | | AsyncRAT | 4 | FI, PL, CA | Targeted operations |

Emotet. 226 detections. The malware that "died" in 2021 when law enforcement took down its infrastructure. It's back. It never really left. US, Germany, and Canada seeing the most activity.

APT Activity

| Group | IOCs | Confidence | Origin | |-------|------|------------|--------| | APT41 (Double Dragon) | 18 | 94% | China |

APT41, also known as Double Dragon, Winnti, or Barium. Chinese state-sponsored group that does both espionage and financially-motivated attacks. 18 indicators at 94% confidence. They're working.

Brand Weaponization (Active Right Now)

These brands are being actively impersonated in phishing campaigns as of this writing:

| Brand | Active Attacks | Attack Types | Targeting | |-------|----------------|--------------|-----------| | Verification | 32 | Phishing | Account takeover flows | | Crypto | 20 | Phishing | Wallet theft | | GitHub | 15 | Phishing | Developer credentials | | Roblox | 11 | Phishing | Children | | Microsoft | 9 | Phishing | Enterprise credentials | | Bank | 9 | Typosquat, Phishing | Financial theft | | Facebook | 7 | Phishing | Social account takeover | | GoDaddy | 5 | Phishing | Domain hijacking |

Roblox. 11 active phishing campaigns targeting children. Domains like `roblox.com.ml`, `roblox.com.kz`, `injectroblox.ru`. They're going after kids for their parents' credit cards.

The "Verification" category - 32 active attacks - these are fake CAPTCHA and account verification pages designed to steal credentials. Domains like `account-captchapulse.com` and `account-extranetcheck.com`.

The Infrastructure Breakdown

Where are these attacks coming from?

| Infrastructure Type | Count | Percentage | |---------------------|-------|------------| | Datacenter | 575 | 62% | | Cloud | 243 | 26% | | Residential | 72 | 8% | | Proxy | 12 | 1% | | Unknown | 18 | 2% |

575 datacenter IPs. That's professional infrastructure. These aren't compromised home computers - these are rented servers in facilities designed for high-bandwidth operations.

72 residential IPs flagged. These are either compromised home networks or residential proxy services being used to mask attack origin.

The Threat Categories

| Category | Count | Percentage | |----------|-------|------------| | ABUSIVE_ACTOR | 508 | 55% | | SCANNER | 226 | 25% | | UNKNOWN_THREAT | 89 | 10% | | MALICIOUS_BOT | 86 | 9% | | PROXY_SERVICE | 11 | 1% |

508 abusive actors. Not scanners looking for vulnerabilities. Not bots probing infrastructure. Actors actively engaged in malicious activity against real targets.

Sample IOCs (You Can Block These Now)

From today's feed - STIX 2.1 format, ready for your SIEM:

• Multiple IPs at 100% abuse confidence

• All mapped to T1090 (Proxy) in MITRE ATT&CK

• Hosting C2 infrastructure

• 9 IPs at 99.9% average abuse

• Mapped to T1190 (Exploit Public-Facing Application)

• Scanning and exploitation activity

• 12 IPs at 100% abuse

• Tencent-adjacent infrastructure

• C2 and data exfiltration

How We Know This

Every indicator in our feed includes:

• Multi-source correlation: AbuseIPDB, VirusTotal, ThreatFox, Team Cymru, GreyNoise

• MITRE ATT&CK mapping: 86% of indicators mapped to specific techniques

• SSL/TLS enrichment: 93% of indicators include certificate analysis

• Bot classification: 100% of indicators classified by threat category

• ISP reputation scoring: Real-time reputation based on abuse patterns

44.5% of our indicators are primary source discoveries - threats we found that the major vendors missed.

The Feed

This data is free. No registration. No paywall.

https://analytics.dugganusa.com/api/v1/stix-feed

STIX 2.1 bundle format. Updates in real-time. Microsoft is polling it 215 times a week. You probably should too.

What To Do

1. Block the bulletproof hosters: TECHOFF SRV LIMITED, FBW NETWORKS SAS, ACEVILLE PTE.LTD. 2. Monitor cloud abuse: Flag high-volume requests from Azure, AWS, GCP that don't match expected patterns 3. Watch for brand impersonation: Especially "verification" and "account" themed phishing 4. Protect the kids: Roblox-themed phishing is targeting children right now 5. Assume Emotet is back: Because it is

*Data pulled from production systems at 2025-12-12T03:12:28.856Z. All indicators available in real-time via our public STIX 2.1 feed.*

*DugganUSA LLC. Minnesota. $75/month Azure bill. Finding threats that billion-dollar vendors miss.*

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]