# Threat Brief: February 5, 2026 - APT28 Goes Live, Supply Chains Under Fire
- Patrick Duggan
- Feb 5
**TL;DR:** APT28 is actively exploiting a new Microsoft Office vulnerability (CVE-2026-21509) targeting European military. Notepad++ supply chain compromised by Chinese actors. New ransomware syndicate hit 71 organizations in 48 hours. Russian wipers targeting Polish infrastructure. Patch now or pay later.
## Priority 1: APT28 Operation Neusploit
**Status:** ACTIVE EXPLOITATION
Russia's APT28 (Fancy Bear) weaponized CVE-2026-21509 within 24 hours of disclosure.
**Targets:**
- European military and government
- Maritime and transport organizations
- Ukraine, Slovakia, Romania, Poland, Slovenia, Turkey, Greece, UAE
**Kill Chain:**
1. Malicious RTF/LNK files delivered via spear-phishing
2. CVE-2026-21509 bypass triggers shellcode loader
3. Steganographic payload hidden in SplashScreen.png
4. BEARDSHELL implant establishes persistence
5. NotDoor backdoor hijacks Outlook for C2
**Indicators:**
- `[email protected]` - threat actor email
- `[email protected]` - threat actor email
- BEARDSHELL - C++ implant
- NotDoor/GONEPOSTAL - Outlook VBA backdoor
- MiniDoor - email stealer
**Action:** Patch Microsoft Office immediately. Block IOCs at email gateway.
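A defender-side triage check for kill-chain step 5 (Outlook hijacked by a VBA backdoor), added here as an example and not code from the brief or from any of its sources. It assumes the Office 16.0 registry hive and the default per-user `VbaProject.OTM` location; NotDoor's own artifacts are not given on this page, so a hit is a lead to investigate, not proof of compromise.

```powershell
# Added example: enumerate the artifacts an Outlook VBA backdoor needs in
# order to persist. Assumptions (not from the brief): Office 16.0 hive and
# the default per-user OTM path. Run in the context of the profile audited.
function Get-OutlookVbaPersistence {
    $findings = @()

    # 1. The per-user VBA project Outlook loads at start. A legitimate user
    #    macro creates this file too, so record size, timestamp and hash.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    if (Test-Path $otm) {
        $item = Get-Item $otm
        $hash = (Get-FileHash -Path $otm -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Check  = 'VbaProject.OTM present'
            Detail = "$otm size=$($item.Length) modified=$($item.LastWriteTime) sha256=$hash"
        }
    }

    # 2. Registry value that makes Outlook load the macro provider at boot,
    #    so OTM code runs without the user ever opening the VBA editor.
    $key = 'HKCU:\Software\Microsoft\Office\16.0\Outlook'
    $val = Get-ItemProperty -Path $key -Name LoadMacroProviderOnBoot -ErrorAction SilentlyContinue
    if ($val -and $val.LoadMacroProviderOnBoot -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'LoadMacroProviderOnBoot = 1'
            Detail = $key
        }
    }

    # 3. Macro security lowered to "enable all" (Level 1), which lets the
    #    project run without a prompt. Value name assumed from Office
    #    trust-center settings; confirm against your Office build.
    $sec = Get-ItemProperty -Path "$key\Security" -Name Level -ErrorAction SilentlyContinue
    if ($sec -and $sec.Level -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'Outlook macro security Level = 1 (enable all)'
            Detail = "$key\Security"
        }
    }

    return $findings
}

$result = @(Get-OutlookVbaPersistence)
if ($result.Count -eq 0) {
    Write-Output 'No Outlook VBA persistence artifacts found for this user.'
} else {
    # All three together are a strong signal: isolate the host and preserve
    # the OTM for analysis before remediating.
    $result | Format-Table -AutoSize
}
```

Fold the output into your EDR or SIEM collection so the OTM hash can be compared across the fleet; a hash that appears on only a handful of hosts in targeted departments is worth a closer look.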
## Priority 2: Supply Chain Attacks
### Notepad++ Compromised (Lotus Blossom)
China-linked Lotus Blossom compromised Notepad++ distribution infrastructure. Users who downloaded the editor received the Chrysalis backdoor.
**Action:** Verify Notepad++ installation hashes. Check for unauthorized network connections.
### eScan Antivirus Compromised
MicroWorld Technologies suffered a supply-chain attack. Malicious updates were pushed through the legitimate eScan updater.
**Action:** If running eScan, isolate systems and investigate.
## Priority 3: New Ransomware Threat
### 0APT RaaS Syndicate
Emerged January 28, 2026. Compromised 71 organizations within 48 hours.
**TTPs:**
- AES-256/Salsa20 encryption
- Double extortion (encrypt + leak)
- Rapid deployment capability
**Action:** Verify backup integrity. Review network segmentation.
## Priority 4: Wiper Attacks on Poland
### Static Tundra Campaign
Russia-linked group targeting Polish energy and manufacturing sectors.
**Attack Path:**
1. Initial access via FortiGate SSL VPN
2. Reconnaissance and lateral movement
3. DynoWiper and LazyWiper deployment
4. Firmware damage and file corruption
**Action:** Patch Fortinet devices (CVE-2026-24858). Implement network monitoring.
## Critical Vulnerabilities (Patch Now)
| CVE | Product | CVSS | Status |
|-----|---------|------|--------|
| CVE-2026-21509 | Microsoft Office | 7.8 | **APT28 ACTIVE** |
| CVE-2026-24858 | Fortinet FortiCloud | 9.4 | **ACTIVE EXPLOITATION** |
| CVE-2026-23760 | SmarterMail | High | **ACTIVE EXPLOITATION** |
| CVE-2026-24423 | SmarterMail | Critical | Exploit available |
| CVE-2025-8088 | WinRAR | High | **ACTIVE EXPLOITATION** |
## Emerging Threats
### RedKitten Campaign
LLM-assisted malware development targeting Iranian activists and NGOs.
- Password-protected Excel lures
- SloppyMIO implant with Telegram C2
- First confirmed AI-assisted threat campaign in 2026
### Clawdbot Exposure
900+ exposed Clawdbot AI agent instances identified. Enables credential theft and RCE through misconfigured deployments.
## IOCs Added to Index
19 new indicators indexed to DugganUSA threat intel:
- 5 CVEs (actively exploited)
- 7 malware families
- 2 threat actor emails
- 4 threat actor profiles
- 1 campaign tracker
Search at: `https://analytics.dugganusa.com/api/v1/search?q=APT28&indexes=iocs`
## Recommended Actions
1. **Immediate:** Patch Microsoft Office (CVE-2026-21509)
2. **Immediate:** Patch Fortinet products (CVE-2026-24858)
3. **24 Hours:** Verify Notepad++ installations
4. **24 Hours:** Review FortiGate VPN logs
5. **This Week:** Audit backup and recovery procedures
6. **This Week:** Implement email attachment sandboxing
## Attribution Summary
| Actor | Nation | Current Campaign |
|-------|--------|------------------|
| APT28 | Russia | Operation Neusploit (EU military) |
| Static Tundra | Russia | Polish infrastructure wipers |
| Lotus Blossom | China | Notepad++ supply chain |
| RedKitten | Unknown | Iranian activists (LLM-assisted) |
| 0APT | Unknown | Mass ransomware deployment |
*Published by DugganUSA LLC - Minnesota-based threat intelligence.*
*Stay frosty. Patch fast. Trust nothing.*
## Sources
- [Check Point Threat Intelligence Report](https://research.checkpoint.com/2026/2nd-february-threat-intelligence-report/)
- [APT28 CVE-2026-21509 Campaign - The Hacker News](https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html)
- [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Zscaler ThreatLabz
- Polish CERT
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*