DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Threat Level: ELEVATED

Patrick Duggan
Jan 30
3 min read

Current Status: ELEVATED

As of January 30, 2026, 10:48 AM CST, DugganUSA is reporting the global threat level as ELEVATED.

This is not normal. Here's why.

What "Elevated" Means

We track threat levels on a three-tier scale:

Level	Definition	What You Should Do
NORMAL	Background noise. Commodity scanners, opportunistic phishing, script kiddies.	Standard monitoring
ELEVATED	Nation-state activity above baseline. Active zero-days. Coordinated campaigns.	Increased vigilance, IOC blocking, patch prioritization
CRITICAL	Active mass exploitation. Wormable vulnerabilities. Infrastructure-level attacks.	All hands on deck

ELEVATED means the professionals are working. Not the amateurs.

The Data (As of This Morning)

Active C2 Infrastructure

Framework	Instances	Primary Geos
Empire/PowerShell	224	US, CN
Covenant	108	MX, CN, HK, SG, JP
Mythic	14	US, JP
Cobalt Strike	12	FI, CA, PL, DE, US, FR

358 active command-and-control instances across four major frameworks. This is coordinated infrastructure, not random noise.

Malware Families in the Wild

Family	Active IOCs	Geography
Emotet	240	US, DE, CA
Mythic C2	108	Multi-region
AsyncRAT	12	FI, CA, PL, DE, US, FR

Emotet—the malware that "died" in 2021—has 240 active indicators. It never left.

Nation-State Activity

Group	IOCs	Confidence	Origin
APT41 (Double Dragon)	21	94%	China

APT41 is active. This is a Chinese state-sponsored group that conducts both espionage and financially-motivated attacks. When APT41 is working, the threat level is not normal.

Today's BDE Scores

Our automated Oz system published 14 threat intelligence pulses today. Average BDE (Big Data Energy) score: 80-85.

BDE 70-79: Normal activity
BDE 80-89: Elevated activity
BDE 90+: Critical activity

We're running hot.

Why This Matters to You

1. Zero-Days Are Being Exploited

CVSS: 10.0
Patch: None available
Status: Actively exploited by UAT-9686 (China-nexus)

If you run Cisco Secure Email Gateway, you are currently unpatched against a maximum-severity vulnerability that nation-state actors are actively exploiting.

2. Cloud Infrastructure Is the New Battleground

Today's fresh phishing uses your trusted platforms:

Platform	Being Abused For
GitHub Pages	Amazon clone phishing
Gitbook	DeFi wallet theft
AWS S3	Credential harvesting
Backblaze B2	Brazilian banking fraud
Cloudflare R2	Generic phishing

Attackers aren't hosting on sketchy servers anymore. They're hosting on the same platforms you trust.

3. The Typhoon Family Is Pre-Positioning

Chinese APT groups (Volt Typhoon, Salt Typhoon, Flax Typhoon, Brass Typhoon) are actively pre-positioning in critical infrastructure:

Volt Typhoon: US utilities, communications, transportation
Salt Typhoon: Telecom interception (T-Mobile, AT&T, Verizon compromised)
Flax Typhoon: IoT botnet operations
Brass Typhoon: Southeast Asia espionage

Pre-positioning means: compromise now, activate later. The access is the objective.

4. Novel TTPs Are Emerging

DPRK actors are now using blockchain-based C2 (EtherRAT):

C2 addresses stored in Ethereum smart contracts
Cannot be seized or taken down
Updates on-chain, no infrastructure to block
Consensus voting prevents researcher poisoning

This is the first widespread use of blockchain C2 in the wild. The tradecraft is evolving.

What You Should Do

Immediate Actions

Block our IOCs

Patch Cisco AsyncOS (when available)

Hunt for Living-off-the-Land

Review cloud trust

Ongoing Vigilance

Subscribe to threat feeds (ours is free)
Monitor for unusual Ethereum RPC traffic from servers
Watch CISA KEV catalog for new additions
Assume nation-state actors are already in networks you trust

The Comparison

Normal Day - Commodity scanners probing ports - Opportunistic phishing with obvious tells - Script kiddies running Shodan queries - BDE scores: 70-75

Today (Elevated) - 358 active C2 instances across 4 frameworks - APT41 at 94% confidence - Unpatched CVSS 10.0 being actively exploited - Novel blockchain C2 in production - Cloud platforms weaponized at scale - BDE scores: 80-85

The difference isn't volume. It's sophistication.

How We Determine Threat Level

Our assessment combines:

Automated analysis (Butterbot Jr)

Manual correlation (Butterbot Sr)

Infrastructure telemetry

When both automated and manual analysis agree, we publish.

Today, they agree: ELEVATED.

The Feed

All IOCs backing this assessment are available free:

STIX 2.1 Feed `` https://analytics.dugganusa.com/api/v1/stix-feed ``

OTX Profile `` https://otx.alienvault.com/user/pduggusa ``

52,482 IOCs indexed
40 countries consuming
78 OTX subscribers
Updated continuously

Summary

Indicator	Status
Threat Level	ELEVATED
Nation-State Activity	Above baseline (APT41, Typhoon family)
Active Zero-Days	CVE-2025-20393 (CVSS 10.0, no patch)
Novel TTPs	Blockchain C2 (EtherRAT)
Cloud Abuse	GitHub Pages, S3, R2, Backblaze weaponized
Recommended Posture	Increased vigilance, active IOC blocking

The professionals are working. Your defenses should be too.

Patrick Duggan is founder of DugganUSA LLC, a Minnesota-based threat intelligence operation. He publishes threat levels because defenders deserve to know when to pay closer attention.

Questions? [email protected]

Get the IOCs

STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed
OTX: https://otx.alienvault.com/user/pduggusa
Blog: https://www.dugganusa.com

TLP:WHITE - Share freely.

Her name was Renee Nicole Good.

His name was Alex Jeffery Pretti.