DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Threat Brief: February 5, 2026 - Latrodectus C2 Infrastructure Surge

Patrick Duggan
Feb 5
3 min read

# Threat Brief: February 5, 2026 - Latrodectus C2 Infrastructure Surge

**TL;DR:** Pattern 55.3 C2 Hunter detected a surge in Latrodectus loader infrastructure - 4 of the top 5 critical C2 candidates are Latrodectus servers with identical certificate fingerprints. Also found: Kimsuky (North Korea), Cobalt Strike, Havoc, and Sliver C2s. 20 new IOCs indexed.

Priority 1: Latrodectus Campaign Active

**Status:** ACTIVE C2 INFRASTRUCTURE

Latrodectus (aka IceID successor) is staging infrastructure with a distinctive certificate pattern:

**Certificate Fingerprint:**

This is the OpenSSL default template - lazy operators spinning up C2s fast.

**Critical Latrodectus C2s:**

| IP | Score | Cert Flags |

|----|-------|------------|

| 93.116.248.13 | **105** | Self-signed, DGA, expired, default template |

| 104.238.205.20 | 90 | Self-signed, DGA, default template |

| 109.202.111.2 | 90 | Self-signed, DGA, default template |

**Action:** Block these IPs at your firewall. Monitor for Latrodectus delivery (typically via malicious documents or ISO files).

Priority 2: Kimsuky (North Korea) C2

**IP:** 139.99.86.89

**Score:** 85 (Critical)

North Korean APT infrastructure detected via Pattern 55.3 SSL analysis. Self-signed localhost certificate with expired validity.

**Action:** Block immediately. Review any connections to this IP in the last 30 days.

Priority 3: Red Team Framework C2s

Cobalt Strike (8 servers)

| IP | Score | Notes |

|----|-------|-------|

| 178.239.123.144 | 70 | Self-signed localhost |

| 13.41.96.167 | 45 | AWS - expired cert |

| 170.64.221.190 | 45 | DigitalOcean |

| 170.64.234.187 | 45 | DigitalOcean |

| 111.228.55.96 | 45 | China Telecom |

| 165.245.141.24 | 45 | Korea |

| 8.152.99.85 | 45 | Alibaba Cloud |

| 43.134.61.180 | 30 | Spoofed Baidu cert |

Havoc C2 (2 servers)

| IP | Score | Notes |

|----|-------|-------|

| 157.173.96.123 | 55 | IP-as-CN pattern |

| 64.225.65.17 | 30 | DigitalOcean |

Sliver C2 (3 servers)

| IP | Score | Notes |

|----|-------|-------|

| 213.109.147.96 | 50 | Default cert template |

| 142.11.205.47 | 45 | Spoofed China Mobile cert |

| 193.233.201.12 | 30 | Spoofed Bangladesh military cert |

**Action:** Review network logs for connections to these IPs. Investigate any hits.

Detection Methodology

**Pattern 55.3 - SSL C2 Hunter** uses a 12-signal confidence scoring model:

**Today's Hunt Stats:**

- 845 IOCs swept from ThreatFox

- 297 IP:port targets analyzed

- 65 HTTPS responsive

- 5 Critical, 2 High, 21 Medium confidence

IOCs Added to Index

20 new indicators indexed to DugganUSA threat intel:

- 18 C2 server IPs (Latrodectus, Kimsuky, Cobalt Strike, Havoc, Sliver)

- 1 malware family tracker (Latrodectus)

- 1 campaign tracker (Latrodectus February 2026 Surge)

Search at: `https://analytics.dugganusa.com/api/v1/search?q=Latrodectus&indexes=iocs`

Recommended Actions

1. **Immediate:** Block all critical C2 IPs (scores 70+)

2. **24 Hours:** Review firewall logs for any connections to listed IPs

3. **This Week:** Update threat intel feeds with new IOCs

4. **Ongoing:** Monitor for Latrodectus delivery mechanisms (malspam, ISO files)

Latrodectus Background

Latrodectus emerged in late 2023 as an IceID successor. Key characteristics:

- **Delivery:** Malicious documents, ISO files, HTML smuggling

- **Capability:** Loader/downloader for follow-on payloads

- **Operators:** Multiple threat actors use Latrodectus for initial access

- **Payloads:** Typically drops Cobalt Strike, ransomware, or banking trojans

The surge in infrastructure suggests an upcoming campaign.

Attribution Summary

| Actor | Nation | Infrastructure |

|-------|--------|----------------|

| Latrodectus operators | Unknown | 4 critical C2s |

| Kimsuky | North Korea | 1 critical C2 |

| Unknown (Cobalt Strike) | Various | 8 C2 servers |

| Unknown (Havoc) | Various | 2 C2 servers |

| Unknown (Sliver) | Various | 3 C2 servers |

*Published by DugganUSA LLC - Minnesota-based threat intelligence.*

*Pattern 55.3 finds what network logs miss.*

Sources

- ThreatFox (abuse.ch) - IOC feed

- DugganUSA Pattern 55.3 SSL C2 Hunter

- Shannon entropy analysis (MIT, Stanford, Berkeley, U of Toronto)

- JARM TLS fingerprinting (Salesforce)

*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*

Threat Brief: February 5, 2026 - Latrodectus C2 Infrastructure Surge

Priority 1: Latrodectus Campaign Active

Priority 2: Kimsuky (North Korea) C2

Priority 3: Red Team Framework C2s

Cobalt Strike (8 servers)

Havoc C2 (2 servers)

Sliver C2 (3 servers)

Detection Methodology

IOCs Added to Index

Recommended Actions

Latrodectus Background

Attribution Summary

Sources

Recent Posts

Comments