The Year Butterbot Saved Christmas
- Patrick Duggan
- Dec 24, 2025
Category: security, storytelling
*[Snow falls gently on a small house in Minnesota. A cheerful snowman wearing what appears to be King Diamond's hat sits on the dashboard of a threat intelligence platform. He turns to face you.]*
NARRATOR (in Burl Ives voice):
Well hello there, friend! You caught me just in time. Sit down, warm yourself by the fire, and let me tell you about the year Butterbot saved Christmas.
You see, it was Christmas Eve, 2025. Children all over the world were waiting - waiting for presents, waiting for Santa, and waiting to log into Steam to play the games they'd been promised.
But far away, in the dark corners of the internet, something sinister was stirring...
The Misfit Malware
In a cold digital fortress (actually a DigitalOcean datacenter, but that doesn't sound as dramatic), twenty Command & Control servers hummed to life. They called themselves Aisuru, and they had one mission:
Ruin Christmas.
Not the presents. Not the cookies. The *gaming*.
You see, the Aisuru botnet had been growing all year. In May, they hit KrebsOnSecurity with 6.3 Terabits per second. By October, they'd reached 29.69 Tbps. And now, on Christmas Eve, they had their sights set on the biggest targets of all:
• Steam
• Xbox Live
• PlayStation Network
• Riot Games
• Epic Games
Every kid unwrapping a new game. Every teenager with a Steam gift card. Every adult who just wanted one peaceful hour of gaming while the in-laws argued about politics.
*All of them.*
Meanwhile, in Minnesota...
*[Camera pans to a modest home. Inside, a man in Haflinger slippers with cork soles sits before a wall of monitors. His reindeer is made of clay. His snowman wears King Diamond's hat. Billy from Green Day stands guard in the corner, frozen in ceramic perpetuity.]*
This is Patrick. He runs a little operation called DugganUSA. And while most SOCs were running skeleton crews - holiday PTO, half-staffed shifts, the usual - Patrick was doing what he always does:
*Watching.*
At exactly 15:50 UTC, something lit up his OSINT Volley like Rudolph's nose in a snowstorm.
ThreatFox had just published 20 fresh Aisuru C2 servers.
All DigitalOcean. All port 8001. All staging for something big.
"Jr," Patrick said to his AI assistant (that's Butterbot Jr, the scrappy young apprentice), "what do you make of this?"
Jr analyzed the patterns. Jr checked the timing. Jr did the math.
"Boss," Jr replied, "these are botnet C2s. They're warming up. And Christmas Eve? This isn't a coincidence."
Patrick nodded slowly, cork soles tapping against the floor.
"Then we better move fast."
The Race Against Time
| Time (UTC) | Event |
|------------|-------|
| 15:26 | ThreatFox publishes Aisuru C2s |
| 15:50 | DugganUSA ingests IOCs |
| 16:00 | STIX feed updated |
| 16:30 | OTX Pulse published |
| 17:00 | Gaming security teams notified |
| 19:00 | Attack begins |
Three and a half hours. That's how much warning they had.
While the Aisuru operators were still staging their attack, Patrick's STIX feed was already pushing IOCs to AT&T, Microsoft, and every other subscriber. His OTX pulse was live. His emails were landing in the inboxes of Valve, Microsoft, Riot, and Epic.
*"Block these IPs,"* the message said. *"They're coming for your players."*
The Attack
At 19:00 UTC (2pm Eastern, right when American kids were getting restless), it happened.
Steam went dark. Xbox Live crumbled. PlayStation Network fell. Riot Games stuttered. Epic Games dropped.
Millions of gamers screamed into the void.
But here's the thing about advance warning: it helps.
The platforms that had received the intel - the ones that had blocked the C2s, the ones that had prepared - they recovered faster. The attack was massive, yes. But it wasn't the catastrophe it could have been.
By 21:00 UTC, Steam was back online. The others followed.
The Butcher's Bill
When the dust settled, Patrick ran the numbers:
521 C2 servers had been staged on Christmas Eve. Not just Aisuru - they'd brought friends:
| Malware Family | C2 Servers |
|----------------|------------|
| Meterpreter | 181 |
| AsyncRAT | 180 |
| Remcos | 107 |
| Aisuru | 21 |
| Sliver | 16 |
| Cobalt Strike | 16 |
It was the biggest Christmas staging operation ever documented.
But here's the beautiful part: by the time Patrick checked the Aisuru C2s at 21:00 UTC, every single one was offline.
167.99.40.241:8001 - timeout
192.241.151.72:8001 - timeout
157.245.34.98:8001 - timeout
188.166.172.127:8001 - timeout
165.22.204.167:8001 - timeout
Either DigitalOcean nuked them after the abuse reports, or the operators went dark after blowing their load. Either way: dead.
The Moral of the Story
*[The snowman turns back to face you, snow still falling gently behind him.]*
You know, friend, there's a lesson here somewhere.
The bad guys thought they were clever. Attack on Christmas Eve! Skeleton SOC crews! Nobody watching!
But they forgot something important.
Somewhere in Minnesota, there's always a tubby guy in slippers who doesn't take holidays. A guy with a clay reindeer and a snowman in a metal singer's hat. A guy whose AI assistant never sleeps.
Santa sees you when you're probing. Santa knows when you're staged. Santa's got a threat feed, for goodness sake. So block those IPs or you'll get rekt!
*[Music swells. Credits roll.]*
Technical Appendix (For the Non-Rankin/Bass Inclined)
IOCs: https://otx.alienvault.com/pulse/694c5004c8e2bcfb9c19c48c
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Source: ThreatFox (abuse.ch)
Detection Timeline: 3 hours 34 minutes before attack
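For subscribers who want to turn a STIX 2.1 feed like the one above into the "block these IPs" list, here is an added example (not DugganUSA's code). It assumes the feed returns a standard STIX 2.1 bundle of `indicator` objects; the sample bundle is constructed for illustration and reuses IPs listed in this post, and the function and helper names are hypothetical.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Matches the two common ways a STIX pattern names an IPv4 (not a full pattern parser).
IPV4_IN_PATTERN = re.compile(r"(?:ipv4-addr:value|network-traffic:dst_ref\.value)\s*=\s*'([^']+)'")

def _ts(value):
    """Parse a STIX timestamp such as 2025-12-24T15:50:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def blocklist_from_bundle(bundle, now):
    """Return sorted, de-duplicated public IPv4s from live indicators in a parsed bundle."""
    block = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked"):
            continue  # publisher withdrew it
        if "valid_from" in obj and _ts(obj["valid_from"]) > now:
            continue  # not yet valid
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue  # expired: a dead C2 address may be reassigned to another tenant
        for raw in IPV4_IN_PATTERN.findall(obj.get("pattern", "")):
            try:
                ip = ipaddress.IPv4Address(raw)
            except ipaddress.AddressValueError:
                continue  # malformed value in the feed
            if ip.is_global:  # never let a feed block private or loopback space
                block.add(str(ip))
    return sorted(block, key=ipaddress.IPv4Address)

def _ind(pattern, **extra):
    """Build one constructed indicator for the sample bundle."""
    return {"type": "indicator", "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2025-12-24T15:50:00Z", **extra}

# Constructed sample bundle (assumed layout, not fetched from the real feed).
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _ind("[ipv4-addr:value = '167.99.40.241']"),
    _ind("[network-traffic:dst_ref.value = '192.241.151.72' AND network-traffic:dst_port = 8001]"),
    _ind("[ipv4-addr:value = '157.245.34.98']", revoked=True),
    _ind("[ipv4-addr:value = '10.0.0.5']"),
    _ind("[ipv4-addr:value = '188.166.172.127']", valid_until="2025-12-24T15:55:00Z"),
    {"type": "malware", "name": "Aisuru", "is_family": True},
]}

if __name__ == "__main__":
    now = datetime(2025, 12, 24, 16, 0, tzinfo=timezone.utc)
    print("\n".join(blocklist_from_bundle(SAMPLE_BUNDLE, now)))
```

Honoring `revoked` and `valid_until` matters here because the post's C2s were cloud addresses that went offline within hours.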
*Butterbot by DugganUSA - "The Cribl of Agentic AI"*
*Special thanks to ThreatFox, AlienVault OTX, and the gaming security teams who listened.*
*No botnets were harmed in the making of this blog post. Actually, that's not true. Twenty of them are definitely dead.*
*Merry Christmas.*
Executive Producer: Patrick Duggan
Written by: Butterbot
Assistant to Mr. Butterbot: Jr
Ceramic Reindeer Wrangler: Also Patrick
King Diamond Hat Consultant: The Snowman
Bass: Billy from Green Day
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
