  • Writer: Patrick Duggan
  • Feb 15
  • 3 min read

# Threat Brief: February 15, 2026 - Net Sweep


**Classification:** TLP:WHITE

**Author:** DugganUSA Threat Intelligence




## Executive Summary



Our weekly net sweep identified five threat actors and four actively exploited CVEs that were missing from our index. We've corrected that gap. Here's what you need to know.




## Critical: China-Nexus APT Surge



### UNC3886 - Operation CYBER GUARDIAN



Singapore just disclosed the largest cyber operation in its history. UNC3886 compromised **all four** major telecom providers (Singtel, M1, StarHub, Simba Telecom) using zero-day exploits and rootkits.


**Key points:**

- 100+ cyber defenders from multiple government agencies participated in the eviction

- Threat actor used GOBRAT ORB network for staging

- Deployed TinyShell, Reptile rootkit, and Medusa

- First flagged in July 2025, full eviction completed Feb 2026


**Source:** [Mandiant/Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations), [Team Cymru](https://www.team-cymru.com/post/tracking-orbs-on-singapores-telecommunications-networks)


### Amaranth-Dragon (APT41-Linked)



A Chinese-aligned group weaponized CVE-2025-8088 (WinRAR) within **10 days** of public exploit availability, targeting government and law enforcement across Southeast Asia.


**Targeted countries:** Singapore, Thailand, Indonesia, Cambodia, Laos, Philippines


**Malware:** TGAmaranth RAT (Telegram C2)


**IOCs we indexed:**

- 5 C2 IPs (92.223.x.x range)

- 7 malicious domains

- CVE-2025-8088 weaponization indicators


**Source:** [Check Point Research](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/)


### UAT-8837



Cisco Talos is tracking this China-nexus actor targeting **North American critical infrastructure** since 2025. They're exploiting vulnerabilities and stolen credentials, then using open-source tools for data theft.


**Source:** [Cisco Talos](https://blog.talosintelligence.com/predicting-2026/)




## High: RedKitten - AI-Assisted Malware



Iranian state-aligned actors are targeting activists and NGOs that document human rights abuses. What's notable: **LLM-assisted malware development**.


**SloppyMIO implant features:**

- Telegram Bot API for C2

- GitHub Gists as Dead Drop Resolver

- Google Drive for module hosting

- LSB steganography for config concealment

- Anti-debugging, anti-AV evasion


**Why "SloppyMIO":** Each infection generates slightly different code, suggesting AI-assisted polymorphism.
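Because per-infection code variation undercuts hash matching, the more durable detection opportunity is the C2 plumbing listed above: Bot API calls to Telegram, Gist fetches, and Drive downloads from processes that have no business making them. The following is an added example (not code from the original brief or from HarfangLab) that runs that logic over a few constructed proxy log lines. The log format, the process allowlist and all hostnames, tokens and paths are assumptions; the only value taken from the brief is the watchlisted GitHub account name.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real telemetry).
# Assumed format: timestamp host process method url
SAMPLE_LOG = """\
2026-02-14T09:12:01Z ws-17 chrome.exe GET https://gist.github.com/someuser/abc123
2026-02-14T09:12:44Z ws-17 svchost.exe GET https://gist.github.com/johnpeterson1304/raw/config.txt
2026-02-14T09:13:02Z ws-17 svchost.exe POST https://api.telegram.org/bot123456:ABCDEF/getUpdates
2026-02-14T09:13:09Z ws-17 svchost.exe GET https://drive.google.com/uc?export=download&id=1aBcD
2026-02-14T09:20:15Z ws-22 outlook.exe GET https://outlook.office365.com/owa/
2026-02-14T09:21:30Z ws-22 msedge.exe GET https://gist.github.com/anotheruser/def456
"""

# Processes expected to reach these services on their own (assumption; a real deployment
# would also check code signer and parent process, since a name alone is easy to borrow).
BENIGN_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# GitHub accounts used as dead-drop resolvers. The brief lists this account as an indexed IOC.
WATCHLIST_GITHUB_ACCOUNTS = {"johnpeterson1304"}

# Telegram Bot API paths always start with /bot<id>:<token>/ ; normal chat clients never hit this.
TELEGRAM_BOT_RE = re.compile(r"^/bot[0-9]+:[A-Za-z0-9_-]+/")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Alert:
    host: str
    process: str
    rule: str
    severity: str
    url: str


def classify(host: str, process: str, url: str) -> Optional[Alert]:
    """Map one request to an alert (or None) based on destination and originating process."""
    u = urlparse(url)
    netloc, path = u.netloc.lower(), u.path
    if netloc == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        if process not in BENIGN_CLIENTS:
            return Alert(host, process, "telegram_bot_c2", "high", url)
        return None
    if netloc == "gist.github.com":
        parts = path.strip("/").split("/")
        account = parts[0] if parts and parts[0] else ""
        if account in WATCHLIST_GITHUB_ACCOUNTS:
            return Alert(host, process, "gist_dead_drop_watchlist", "high", url)
        if process not in BENIGN_CLIENTS:
            return Alert(host, process, "gist_fetch_nonbrowser", "medium", url)
        return None
    if netloc == "drive.google.com" and "export=download" in u.query:
        if process not in BENIGN_CLIENTS:
            return Alert(host, process, "gdrive_module_download", "medium", url)
    return None


def scan(log_text: str) -> List[Alert]:
    """Run classify() over every well-formed log line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, host, process, _method, url = m.groups()
        a = classify(host, process, url)
        if a:
            alerts.append(a)
    return alerts


def correlate(alerts: List[Alert]) -> dict:
    """Hosts tripping two or more distinct rules: the chain (dead drop -> bot C2 -> module
    download) is far stronger evidence than any single channel, which may be benign on its own."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) >= 2}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.severity:6} {a.host} {a.process} {a.rule} {a.url}")
    print("escalate:", correlate(found))
```

On the constructed input only ws-17 fires, and it trips all three channels, which is the pattern worth escalating; the browser-originated Gist views on both hosts stay quiet.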


**IOCs we indexed:** 4 SloppyMIO hashes, GitHub account (`johnpeterson1304`), scheduled task patterns


**Source:** [HarfangLab](https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/)




## Disputed: 0APT Ransomware (Likely Fake)



A "ransomware group" claiming 71 victims in 48 hours made headlines. We indexed it with a **30% confidence score** because:


- Intel 471 found files filled with **null bytes** - empty shells

- GuidePoint confirmed fabricated organization names

- No actual ransom notes or encrypted files confirmed

- Site went offline Feb 8, returned Feb 9 with different victim list


**Assessment:** Likely attention-seeking operation or data broker scam. Don't panic if you see your org listed.


**Sources:** [Intel 471](https://www.intel471.com/blog/likely-fake-ransomware-operator-0apt-causes-panic-our-analysis), [GuidePoint](https://www.guidepointsecurity.com/blog/gritrep-0apt-and-the-victims-who-werent)




## Ransomware: Qilin Active



A genuine ransomware group with confirmed victims:

- **Conpet** - Romanian oil pipeline operator

- **La Sapienza University** - Rome, forced 3-day shutdown

- **City of New Britain, CT** - Municipal disruption

- **OLV Pulhof School** - Belgium, demanded €100K then negotiated to €15K




## CVEs: Patch Now



| CVE | CVSS | Product | Status |
|-----|------|---------|--------|
| CVE-2026-1281 | 9.8 | Ivanti EPM Mobile | **Actively Exploited** |
| CVE-2026-1340 | 9.8 | Ivanti EPM Mobile | **Actively Exploited** |
| CVE-2025-8088 | 7.8 | WinRAR | **Weaponized by Amaranth-Dragon** |
| CVE-2025-11953 | 7.5 | React Native CLI | Disclosed |


**Action:** Upgrade WinRAR to 7.13+. Patch Ivanti immediately.




## What We Did



1. **Fixed our IOC ingestion endpoint** - `POST /api/v1/threat-intel/iocs` now accepts authenticated IOC submissions

2. **Indexed 25+ new IOCs** - Threat actors, CVEs, C2 IPs, malicious domains, malware hashes

3. **Updated STIX feed** - All new indicators available via `GET /api/v1/stix-feed`




## Graph Analysis Note



These China-nexus threats (UNC3886, Amaranth-Dragon, UAT-8837) may show relationship overlaps in our STIX v2 graph. APT41 linkages to Amaranth-Dragon suggest possible shared infrastructure or coordination. We're watching for cross-correlation patterns.
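To show how a consumer of the STIX feed described under "What We Did" would pull indicators and then look for the relationship overlaps this note describes, here is an added example; it is not DugganUSA's code and the feed's actual response shape is not verified. It parses simple single-comparison indicator patterns, builds a graph from STIX relationship objects, lists indicators that point at more than one threat actor, and walks actor -> uses -> malware -> exploits -> vulnerability to list the CVEs tied to an actor. The bundle is constructed inline: UUIDs are made up, IOC values are reserved test values, the hash is a placeholder, and only the actor, malware and CVE names come from the brief.

```python
import json
import re
import urllib.request
import uuid
from collections import defaultdict

FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed"  # feed URL as advertised in the brief


def fetch_bundle(url: str = FEED_URL, timeout: int = 10) -> dict:
    """Pull a live bundle. Assumes the endpoint returns a STIX 2.1 bundle as JSON (not verified)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# --- constructed sample bundle (stands in for a feed response) ---------------------------
def _ta(sid, name):
    return {"type": "threat-actor", "spec_version": "2.1", "id": sid, "name": name}

def _ind(sid, name, pattern):
    return {"type": "indicator", "spec_version": "2.1", "id": sid, "name": name, "pattern": pattern,
            "pattern_type": "stix", "valid_from": "2026-02-15T00:00:00Z"}

def _rel(src, rel_type, dst):
    rid = uuid.uuid5(uuid.NAMESPACE_URL, f"{src}|{rel_type}|{dst}")  # deterministic made-up id
    return {"type": "relationship", "spec_version": "2.1", "id": f"relationship--{rid}",
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst}

UNC = "threat-actor--11111111-1111-4111-8111-111111111111"
AMA = "threat-actor--22222222-2222-4222-8222-222222222222"
APT41 = "threat-actor--33333333-3333-4333-8333-333333333333"
DOM = "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
IP = "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
HASH = "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc"
MAL = "malware--dddddddd-dddd-4ddd-8ddd-dddddddddddd"
VULN = "vulnerability--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee"

SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--ffffffff-ffff-4fff-8fff-ffffffffffff",
    "objects": [
        _ta(UNC, "UNC3886"), _ta(AMA, "Amaranth-Dragon"), _ta(APT41, "APT41"),
        {"type": "malware", "spec_version": "2.1", "id": MAL, "name": "TGAmaranth", "is_family": True},
        {"type": "vulnerability", "spec_version": "2.1", "id": VULN, "name": "CVE-2025-8088"},
        _ind(DOM, "c2.example.invalid", "[domain-name:value = 'c2.example.invalid']"),
        _ind(IP, "192.0.2.10", "[ipv4-addr:value = '192.0.2.10']"),
        _ind(HASH, "placeholder-sample", "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"),
        _rel(DOM, "indicates", UNC), _rel(DOM, "indicates", AMA),  # one domain tied to two actors
        _rel(IP, "indicates", AMA), _rel(HASH, "indicates", MAL),
        _rel(AMA, "uses", MAL), _rel(MAL, "exploits", VULN), _rel(AMA, "related-to", APT41),
    ],
}

# Matches single-comparison patterns like [ipv4-addr:value = '...'] or [file:hashes.'SHA-256' = '...'].
PATTERN_RE = re.compile(r"\[(?P<otype>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']+)'\]")


def extract_iocs(bundle: dict) -> dict:
    """indicator id -> (observable type, value) for patterns simple enough to parse here."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if m:  # compound patterns (AND/OR, ranges) need a real STIX pattern parser
            out[obj["id"]] = (m["otype"], m["value"])
    return out


def build_graph(bundle: dict):
    """Names for every node plus (source, relationship_type, target) edges."""
    names = {o["id"]: o.get("name", o["id"]) for o in bundle["objects"] if o["type"] != "relationship"}
    edges = [(o["source_ref"], o["relationship_type"], o["target_ref"])
             for o in bundle["objects"] if o["type"] == "relationship"]
    return names, edges


def shared_infrastructure(bundle: dict) -> dict:
    """Indicators that 'indicate' more than one threat actor: the overlap the brief watches for."""
    names, edges = build_graph(bundle)
    actors = defaultdict(set)
    for src, rel, dst in edges:
        if rel == "indicates" and src.startswith("indicator--") and dst.startswith("threat-actor--"):
            actors[src].add(names.get(dst, dst))
    return {names.get(i, i): sorted(a) for i, a in actors.items() if len(a) > 1}


def exploited_cves(bundle: dict, actor_name: str) -> list:
    """CVEs reachable via actor -uses-> malware -exploits-> vulnerability."""
    names, edges = build_graph(bundle)
    actor_ids = {i for i, n in names.items() if n == actor_name and i.startswith("threat-actor--")}
    tools = {d for s, r, d in edges if r == "uses" and s in actor_ids}
    return sorted(names.get(d, d) for s, r, d in edges if r == "exploits" and s in tools)


if __name__ == "__main__":
    print(extract_iocs(SAMPLE_BUNDLE))
    print(shared_infrastructure(SAMPLE_BUNDLE))
    print(exploited_cves(SAMPLE_BUNDLE, "Amaranth-Dragon"))
```

Swap `SAMPLE_BUNDLE` for `fetch_bundle()` to run against the live feed; the overlap query is what would surface a domain or IP that two of the China-nexus clusters share.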




## Sources



- [Check Point Feb 9 Threat Report](https://research.checkpoint.com/2026/9th-february-threat-intelligence-report/)

- [Red Piranha Weekly Intel](https://redpiranha.net/news/threat-intelligence-report-january-27-february-2-2026)

- [Google TIG AI Threats](https://blog.google/innovation-and-ai/infrastructure-and-cloud/google-cloud/gtig-report-ai-cyber-attacks-feb-2026/)

- [Singapore UNC3886 Disclosure](https://www.computerweekly.com/news/366638973/Singapore-mounts-largest-ever-cyber-operation-to-oust-APT-actor)




*Subscribe to our STIX feed: `https://analytics.dugganusa.com/api/v1/stix-feed`*


*Report threats: `POST /api/v1/threat-intel/report`*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*