
The Sleeper Has Awoken: How Our Honeypot Proved Threat Actors Read Our Blog

  • Writer: Patrick Duggan
  • Dec 4, 2025
  • 6 min read



The Setup


> *"The spice must flow."* — Frank Herbert, Dune


We run a satirical website at churchofdockermoreskin.com. It's a static nginx container serving one HTML page about DevOps philosophy delivered through absurd metaphors. It's not indexed. It's not promoted. It exists purely for the bit.


It's also a honeypot. And it just proved that threat actors are reading our threat intelligence reports.




The Correlation


We've been hunting Pattern 38 (GitHub supply chain sleeper accounts) for months. Every time we catch one, document it, and report it to GitHub Security, something interesting happens:


Our honeypot lights up.


| Date | Our Activity | Church Honeypot Spike | Correlation |
|------|--------------|-----------------------|-------------|
| Nov 23 | Caught FireSuper attacking Cleansheet + anuxagfr mass attack (13 repos including VSCode) | Hong Kong: 374 requests (76% of traffic) | Same day |
| Nov 25 | Suspensions processing, threat actors going dark | UK: 184 requests (60% of traffic) | 48 hours |
| Nov 30 | Posted calling cards on 4 new malware accounts | Australia: 249 requests (72% of traffic) + 6 threats blocked | Same day |
| Dec 3 | Published Shai-Hulud worm analysis | Netherlands: 155 requests (59% of traffic) | Same day |


This isn't coincidence. This is cause and effect.
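The correlation step behind the table above, as an added worked example rather than code from the post: it takes per-day per-country request counts (the shape Cloudflare's geographic analytics reports), flags a country-day as a spike only when it both dominates the day's traffic and exceeds a mean plus three-sigma baseline built from that country's previous seven days, then attaches the nearest defender-side event within a two-day window. The background days, thresholds and the Nov 19 DE burst are constructed for illustration; only the four spike-day counts are the post's own figures.

```python
from datetime import date
from statistics import mean, pstdev

# Constructed dataset: requests per day per country, as Cloudflare's geographic
# analytics would report them. Background days are invented; the four spike days
# reuse the request counts quoted in the post. The Nov 19 DE burst is invented
# too, to show a spike that no defender activity explains.
TRAFFIC = {
    date(2025, 11, 16): {"US": 21, "SE": 6, "DE": 4, "HK": 2},
    date(2025, 11, 17): {"US": 19, "SE": 7, "DE": 3, "GB": 2},
    date(2025, 11, 18): {"US": 24, "SE": 5, "NL": 3, "HK": 1},
    date(2025, 11, 19): {"US": 18, "SE": 6, "DE": 95, "AU": 2},
    date(2025, 11, 20): {"US": 22, "SE": 8, "GB": 4, "NL": 2},
    date(2025, 11, 21): {"US": 20, "SE": 6, "DE": 3, "AU": 1},
    date(2025, 11, 22): {"US": 23, "SE": 7, "HK": 3, "GB": 2},
    date(2025, 11, 23): {"US": 22, "SE": 6, "HK": 374, "DE": 4},
    date(2025, 11, 24): {"US": 20, "SE": 7, "HK": 5, "GB": 3},
    date(2025, 11, 25): {"US": 24, "SE": 5, "GB": 184, "NL": 2},
    date(2025, 11, 26): {"US": 21, "SE": 6, "GB": 6, "DE": 3},
    date(2025, 11, 27): {"US": 19, "SE": 8, "AU": 2, "NL": 3},
    date(2025, 11, 28): {"US": 23, "SE": 6, "DE": 4, "HK": 2},
    date(2025, 11, 29): {"US": 20, "SE": 7, "GB": 3, "AU": 1},
    date(2025, 11, 30): {"US": 22, "SE": 6, "AU": 249, "DE": 2},
    date(2025, 12, 1): {"US": 21, "SE": 7, "AU": 4, "NL": 3},
    date(2025, 12, 2): {"US": 20, "SE": 6, "GB": 2, "DE": 4},
    date(2025, 12, 3): {"US": 23, "SE": 8, "NL": 155, "HK": 2},
    date(2025, 12, 4): {"US": 22, "SE": 6, "NL": 5, "GB": 2},
}

# The post's own timeline of defender-side activity.
EVENTS = [
    (date(2025, 11, 23), "Caught FireSuper and anuxagfr, reported to GitHub"),
    (date(2025, 11, 25), "Suspensions processed"),
    (date(2025, 11, 30), "Calling cards posted on 4 malware accounts"),
    (date(2025, 12, 3), "Shai-Hulud worm analysis published"),
]


def detect_spikes(traffic, window=7, min_requests=50, min_share=0.5, sigma=3.0):
    """Flag (day, country) pairs that dominate the day's traffic and exceed
    mean + sigma*stdev of that country's counts over the prior `window` days."""
    days = sorted(traffic)
    spikes = []
    for i, day in enumerate(days):
        prior = days[max(0, i - window):i]
        if not prior:
            continue  # nothing to compare the first day against
        total = sum(traffic[day].values())
        for country, n in traffic[day].items():
            share = n / total
            if n < min_requests or share < min_share:
                continue
            history = [traffic[d].get(country, 0) for d in prior]
            threshold = mean(history) + sigma * pstdev(history)
            if n > threshold:
                spikes.append({
                    "date": day, "country": country, "requests": n,
                    "share": round(share, 2), "baseline": round(mean(history), 1),
                })
    return spikes


def correlate(spikes, events, max_lag_days=2):
    """Attach the nearest defender event that happened 0..max_lag_days days
    before each spike; spikes with no such event stay in the output, unmatched."""
    matched = []
    for s in spikes:
        candidates = []
        for event_day, label in events:
            lag = (s["date"] - event_day).days
            if 0 <= lag <= max_lag_days:
                candidates.append((lag, label))
        lag, label = min(candidates) if candidates else (None, None)
        matched.append({**s, "event": label, "lag_days": lag})
    return matched


if __name__ == "__main__":
    for row in correlate(detect_spikes(TRAFFIC), EVENTS):
        tag = (f"<- {row['event']} (lag {row['lag_days']}d)" if row["event"]
               else "<- no matching activity")
        print(f"{row['date']} {row['country']}: {row['requests']} req "
              f"({row['share']:.0%}, baseline {row['baseline']}) {tag}")
```

The baseline is what makes the result defensible: a constant share such as the post's 17% Mullvad traffic never trips the detector, and a burst with no matching event (the constructed Nov 19 row) is still reported, so the output separates the spikes the timeline explains from the ones it does not.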




November 23: The Night Hong Kong Called


At 7:08 PM UTC, a sleeper account named "FireSuper" attacked our partner Paul Galjan's repository. 45 seconds from issue creation to malware delivery. Automated. Pre-staged.


We caught it. Documented it. Reported it.


Same evening: An account named "anuxagfr" launched a mass attack on 13 repositories in 19 minutes - including Microsoft VSCode (136M downloads/month) and GrapheneOS (the security-focused Android OS).


We caught that too. Documented it. Published it.


That night: Hong Kong traffic to churchofdockermoreskin.com exploded. 374 requests. 76% of the day's traffic. From a region that had never shown interest in our Docker philosophy before.


Someone was checking who caught them.




November 30: The Australia Spike


Four new malware accounts caught that day:


• pandit777 - Microsoft phishing pages

• zhu-bie - Crack distributor (3 repos in 3 days)

• Nero-Burning-Rom-Software - Brand impersonation

• pkmuhammabdullah675-a11y - Game crack spam


We posted "calling cards" - comments on their malware repos linking to our detection methodology. A way of saying "we see you."



The honeypot's response the same day:


• Australia traffic: 249 requests (72% of daily traffic)

• Threats blocked: 6 (highest single day ever)

• Source: Packethub S.A. - a Panama shell company routing through Australian IP space


They tried something. Six of those requests tripped the WAF and Cloudflare blocked them at the edge, before they ever reached the origin.




The Packethub Trail


We traced the Australia spike to a single entity:


| Field | Value |
|-------|-------|
| IP | 185.218.127.171 |
| ASN | AS209588 |
| Company | Packethub S.A. |
| Registration | Panama (privacy jurisdiction) |
| WHOIS Contact | yourserver.se mailbox (Swedish domain) |
| Traffic Appeared As | Australian |


Panama corporation. Swedish contact. "Australian" traffic. Classic bulletproof hosting shell game.


This IP was already in 6 OTX threat intel pulses before we touched it. Known scanner infrastructure. They just pointed it at us.




The Pattern


Every spike correlates with our threat intelligence activity:



[Nov 23] You catch supply chain attack
         ↓
[Nov 23] Hong Kong probes your infrastructure (374 requests)
         ↓
[Nov 25] Suspensions process, network goes quiet
         ↓
[Nov 25] UK probes your infrastructure (184 requests)
         ↓
[Nov 30] You post calling cards on new accounts
         ↓
[Nov 30] Panama shell company attacks through Australia (249 req + 6 threats)
         ↓
[Dec 3] You publish Shai-Hulud worm analysis
         ↓
[Dec 3] Netherlands probes your infrastructure (155 requests)


They're watching. And every time they check who's watching them, they tell us where they are.




What We Built


The Church of Docker Moreskin isn't a joke. It's a thumper.


In Dune, Fremen use thumpers to attract sandworms. The rhythmic pounding brings them to the surface where they can be observed, tracked, and ridden.



The instrumentation:


• Unindexed domain = only people actively looking find it

• Cloudflare analytics = geographic distribution of every visitor

• Azure logs = raw user agents, exact timestamps

• GA4 = JavaScript execution (real browser vs bot)

• WAF = threat blocking and categorization


When we publish threat intel, we pound the sand. When threat actors come to check who's reporting them, the worm surfaces.
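An added example of the overlap those five layers give you, not the honeypot's own code: it parses origin access-log lines under an assumed nginx log_format that records Cloudflare's CF-Connecting-IP and CF-IPCountry headers, then joins them per country and day with GA4 session counts and WAF block counts to decide whether a country's traffic was browsers, scripted tooling, or something the edge had to stop. The log lines (TEST-NET addresses, invented requests), the GA4 figures and the log format are all constructed; the six Australian WAF blocks are the post's figure.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed nginx log_format on the honeypot origin (an assumption, not from the post):
#   log_format honeypot '$http_cf_connecting_ip [$time_local] "$request" $status '
#                       '"$http_user_agent" $http_cf_ipcountry';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<cc>[A-Z]{2})$'
)
# User agents that announce tooling rather than a browser.
SCRIPTED_UA = re.compile(r"python-requests|curl|wget|zgrab|masscan|nmap|Go-http-client|^-$", re.I)
# Paths a one-page site actually serves; anything else is a probe.
EXPECTED_PATHS = {"/", "/index.html", "/favicon.ico", "/robots.txt"}

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"

# Constructed origin log for one day (last line deliberately malformed).
ORIGIN_LOG = f"""
203.0.113.7 [30/Nov/2025:14:02:11 +0000] "GET /.env HTTP/1.1" 404 "python-requests/2.32.3" AU
203.0.113.7 [30/Nov/2025:14:02:12 +0000] "GET /.git/config HTTP/1.1" 404 "python-requests/2.32.3" AU
203.0.113.7 [30/Nov/2025:14:02:13 +0000] "GET /wp-login.php HTTP/1.1" 404 "python-requests/2.32.3" AU
203.0.113.9 [30/Nov/2025:14:05:40 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 zgrab/0.x" AU
203.0.113.9 [30/Nov/2025:14:05:41 +0000] "GET /robots.txt HTTP/1.1" 404 "Mozilla/5.0 zgrab/0.x" AU
198.51.100.20 [30/Nov/2025:15:10:02 +0000] "GET / HTTP/1.1" 200 "{CHROME}" US
198.51.100.20 [30/Nov/2025:15:10:03 +0000] "GET /favicon.ico HTTP/1.1" 404 "{CHROME}" US
198.51.100.21 [30/Nov/2025:16:22:45 +0000] "GET / HTTP/1.1" 200 "{FIREFOX}" US
198.51.100.22 [30/Nov/2025:18:01:09 +0000] "GET / HTTP/1.1" 200 "{FIREFOX}" US
203.0.113.50 [30/Nov/2025:19:30:00 +0000] "GET / HTTP/1.1" 200 "{CHROME}" HK
203.0.113.50 [30/Nov/2025:19:30:00 +0000] "GET /index.html HTTP/1.1" 200 "{CHROME}" HK
203.0.113.50 [30/Nov/2025:19:30:01 +0000] "GET /admin HTTP/1.1" 404 "{CHROME}" HK
203.0.113.50 [30/Nov/2025:19:30:01 +0000] "GET /.env HTTP/1.1" 404 "{CHROME}" HK
this line is not in the expected format
""".strip().splitlines()

# Constructed GA4 sessions per (day, country); a session only exists if JS ran.
GA4_SESSIONS = {("2025-11-30", "US"): 3}
# WAF blocks per (day, country); these requests never reach the origin log.
WAF_BLOCKED = {("2025-11-30", "AU"): 6}


def parse_origin(lines):
    """Parse log lines into dicts, silently skipping lines that do not match."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        parts = m["req"].split()
        rows.append({"day": ts.strftime("%Y-%m-%d"), "cc": m["cc"], "ip": m["ip"],
                     "ua": m["ua"], "path": parts[1] if len(parts) > 1 else m["req"]})
    return rows


def triangulate(rows, ga4_sessions, waf_blocked, min_requests=3):
    """Per (day, country): combine origin evidence (UA, paths, distinct IPs)
    with edge evidence (WAF blocks) and client evidence (GA4 sessions)."""
    buckets = defaultdict(lambda: {"requests": 0, "ips": set(), "scripted": 0, "probes": set()})
    for r in rows:
        b = buckets[(r["day"], r["cc"])]
        b["requests"] += 1
        b["ips"].add(r["ip"])
        if SCRIPTED_UA.search(r["ua"]):
            b["scripted"] += 1
        if r["path"] not in EXPECTED_PATHS:
            b["probes"].add(r["path"])
    report = {}
    for key, b in buckets.items():
        blocked = waf_blocked.get(key, 0)
        sessions = ga4_sessions.get(key, 0)
        scripted_share = b["scripted"] / b["requests"]
        sessions_per_ip = sessions / len(b["ips"])  # ~1.0 for humans, ~0 for headless tooling
        if b["requests"] < min_requests:
            verdict = "insufficient data"
        elif blocked:
            verdict = "hostile (WAF blocks)"
        elif scripted_share >= 0.5:
            verdict = "automated recon (scripted UA)"
        elif sessions_per_ip < 0.2:
            verdict = "automated recon (no JS execution)"  # browser UA, but nothing ran
        else:
            verdict = "browser traffic"
        report[key] = {"requests": b["requests"], "distinct_ips": len(b["ips"]),
                       "scripted_share": round(scripted_share, 2),
                       "probe_paths": sorted(b["probes"]), "ga4_sessions": sessions,
                       "waf_blocked": blocked, "sessions_per_ip": round(sessions_per_ip, 2),
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for key, r in sorted(triangulate(parse_origin(ORIGIN_LOG), GA4_SESSIONS, WAF_BLOCKED).items()):
        print(key, r["verdict"], r["probe_paths"])
```

Two points the join makes that no single layer can: the HK visitor presents a Chrome user agent but produces no GA4 session, which is how a headless client with a spoofed UA shows up, and the six Australian blocks appear only in the edge data because blocked requests never reach nginx. Behind Cloudflare, $remote_addr is a Cloudflare edge address, hence logging CF-Connecting-IP; that header is trivially forged by anyone who can reach the origin directly, so the origin should accept traffic only from Cloudflare's IP ranges (or use nginx's real_ip module with set_real_ip_from restricted to them).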




The Scorecard


| Their Move | Our Counter | Result |
|------------|-------------|--------|
| FireSuper attacks Cleansheet | Caught in 45 seconds | SUSPENDED |
| anuxagfr hits 13 repos | Documented same day | SUSPENDED |
| HK probes Church | Cloudflare logs everything | TRACKED |
| Australia probes Church | WAF blocks, traced to Panama | OTX PULSE PUBLISHED |
| Pattern 38 network operates | 44+ accounts mapped | NETWORK EXPOSED |




The Uncomfortable Truth


They're reading our blog.



Which means they know:


• What we know

• How we found it

• What patterns we're watching


So they check our infrastructure. And our infrastructure watches back.


We're not just publishing threat intelligence. We're using threat intelligence publication as a lure. The act of reporting becomes the bait.




Cost/Benefit Analysis



Our cost:


• One nginx container (~$5/month)

• Cloudflare free tier

• GA4 free tier

• Time to correlate data


Their cost:


• Operational security blown

• Infrastructure exposed

• Geographic distribution revealed

• Timing patterns documented


Every time they poke us, they pay more than we do.




Recommendations for Defenders


1. Every domain is a sensor - Your forgotten microsites, dev servers, joke projects - they're all getting scanned. Instrument them.


2. Correlation is everything - A traffic spike means nothing in isolation. Establish a baseline first (per country, per ASN, per day), then map the deviations against your public activity: reports filed, posts published, comments left on attacker repos.


3. Publication is a tactic - When you publish threat intel, you're not just informing defenders. You're provoking attackers into revealing themselves.


4. Multi-dimensional analytics - Cloudflare sees the edge, including the requests the WAF blocks before they ever reach the origin. Server logs see user agents, exact timestamps and requested paths. GA4 sees whether JavaScript actually executed. Each layer sees something the others can't; the truth lives in the overlap.


5. Honeypots don't need to be complex - A static HTML page with proper instrumentation catches more than an elaborate deception.




The Dune Parallel


They thought they were the Harkonnens controlling the spice. They thought their sleeper accounts and shell companies and VPN exits made them invisible.


We're the Fremen. We've been riding the worms the whole time.


Every probe. Every scan. Every "anonymous" visit from Hong Kong, Australia, Netherlands - it all feeds the pattern. And the pattern reveals the network.




What's Next


We're publishing this correlation publicly. Which means they'll read it. Which means they'll probe our infrastructure again. Which means we'll document that too.


The cycle continues. The spice flows both ways.


*"I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration."*


We're not afraid. We're watching.




The sleeper has awoken.




IOCs From This Analysis


Confirmed Infrastructure


| Indicator | Type | Context |
|-----------|------|---------|
| 185.218.127.171 | IPv4 | Packethub S.A. probe infrastructure - Nov 30 AU spike |
| packethub.net | Domain | Shell company domain |
| AS209588 | ASN | Packethub S.A. (Panama) |
| yourserver.se | Domain | WHOIS contact for Panama shell |
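An added example, not the post's feed code, that turns the confirmed-infrastructure rows into a STIX 2.1 bundle with hand-built dictionaries (no stix2 dependency) and shows the consumer side pulling plain values back out of the patterns. The indicator types and confidence values are this example's assumptions: the IP is the only row fit for detection, the ASN is provider-level, and the two domains are attribution context rather than things to block.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# The "Confirmed Infrastructure" rows from the table above.
IOCS = [
    {"indicator": "185.218.127.171", "type": "IPv4",
     "context": "Packethub S.A. probe infrastructure - Nov 30 AU spike"},
    {"indicator": "packethub.net", "type": "Domain", "context": "Shell company domain"},
    {"indicator": "AS209588", "type": "ASN", "context": "Packethub S.A. (Panama)"},
    {"indicator": "yourserver.se", "type": "Domain", "context": "WHOIS contact for Panama shell"},
]

# Assumed mapping (this example's choice, not the feed's). Values come from the
# STIX 2.1 indicator-type vocabulary; "attribution" tells a consumer the domain
# is context, not a block rule.
INDICATOR_TYPES = {"IPv4": ["malicious-activity"], "ASN": ["anomalous-activity"],
                   "Domain": ["attribution"]}
CONFIDENCE = {"IPv4": 80, "ASN": 30, "Domain": 20}  # assumed, 0-100 per STIX 2.1


def _lit(value):
    """Escape a STIX pattern string literal (backslash and single quote)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def stix_pattern(ioc):
    """Build a single-comparison STIX pattern for one table row."""
    kind, value = ioc["type"], ioc["indicator"]
    if kind == "IPv4":
        return f"[ipv4-addr:value = '{_lit(value)}']"
    if kind == "Domain":
        return f"[domain-name:value = '{_lit(value)}']"
    if kind == "ASN":
        number = int(value[2:]) if value.upper().startswith("AS") else int(value)
        return f"[autonomous-system:number = {number}]"
    raise ValueError(f"unsupported IOC type: {kind}")


def build_bundle(iocs, now=None):
    """Wrap each IOC in a STIX 2.1 Indicator object and return a Bundle dict."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc in iocs:
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": stamp,
            "modified": stamp,
            "name": f"{ioc['type']} {ioc['indicator']}",
            "description": ioc["context"],
            "indicator_types": INDICATOR_TYPES[ioc["type"]],
            "pattern": stix_pattern(ioc),
            "pattern_type": "stix",
            "valid_from": stamp,
            "confidence": CONFIDENCE[ioc["type"]],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def to_json(bundle):
    return json.dumps(bundle, indent=2)


# Consumer side handles single-comparison patterns only, e.g. [ipv4-addr:value = '1.2.3.4'].
PATTERN_RE = re.compile(r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[a-z_.]+) = '?(?P<val>[^']*?)'?\]$")


def indicator_values(bundle, observable):
    """Return the plain values of every indicator on one observable type."""
    values = set()
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m and m["obj"] == observable:
            values.add(m["val"])
    return values


if __name__ == "__main__":
    bundle = build_bundle(IOCS)
    print(to_json(bundle))
    print("block list:", sorted(indicator_values(bundle, "ipv4-addr")))
```

When the same indicator is republished later (a second pulse, a refreshed feed), keep its original id and bump modified rather than minting a new id, otherwise every consumer that deduplicates on id sees a new object each time.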


Likely Infrastructure (Country Spike Correlation)


| ASN | Provider | Country | Spike Date | Requests | Correlation |
|-----|----------|---------|------------|----------|-------------|
| AS45102 | Alibaba Cloud | Hong Kong | Nov 23 | 374 (76%) | Same day as FireSuper/anuxagfr catch |
| AS16276 | OVH | France | Nov 7 | 106 | ThreatFox integration published |
| AS16276 | OVH | UK | Nov 25 | 184 (60%) | Nation-state attribution published |
| AS60781 | Leaseweb | Netherlands | Dec 3 | 155 (59%) | Shai-Hulud worm analysis published |
| AS39351 | Mullvad VPN | Sweden | Baseline | 17% constant | Privacy infrastructure baseline |


These rows are country- and ASN-level observations inferred from where each spike came from, not per-host indicators: Alibaba, OVH and Leaseweb are large providers and Mullvad is the constant privacy baseline, so treat them as context for correlation rather than as something to block.




Published Intel


| Platform | URL |
|----------|-----|
| OTX Pulse #1 | Honeypot Recon Campaign - Nov 30 2025 |
| OTX Pulse #2 | Full Correlation Analysis - Dec 2025 |
| VT Graph | Church Honeypot Recon - Sleeper Has Awoken |
| STIX Feed | analytics.dugganusa.com/api/v1/stix-feed |




Resources



• [Church of Docker Moreskin](https://churchofdockermoreskin.com) - The honeypot itself

• [VT Graph Intelligence Dashboard](https://analytics.dugganusa.com) - Live threat visualization

• [Pattern 38 Detection](https://www.dugganusa.com/post/free-automated-threat-intel-feed-for-planet) - Our supply chain attack methodology

• [DugganUSA STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Free threat intel feed




*The Church of Docker Moreskin: Teaching DevOps through absurdity, catching threat actors through existence.*






Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

