# Tradecraft Evidence: What 879,910 IOCs Look Like From the Inside

  • Writer: Patrick Duggan
  • Feb 19
  • 4 min read



We index 6,085,861 documents across 22 indices. 879,910 of them are indicators of compromise. Here's what the threat landscape looks like when you can see all of it at once.


## Four Active Campaigns



Our threat intelligence pipeline — PreCog sweep, OTX pulse ingestion, and source-specific feeds — is currently tracking four active nation-state campaigns:


**1. Amaranth-Dragon (APT41-linked) — China → Southeast Asia**


14 IOCs. Five C2 server IPs in the 92.223.x.x and 93.123.x.x ranges. Seven malicious domains including `todaynewsfetch.com`, `phnompenhpost.net` (typosquatting the Phnom Penh Post), `dailydownloads.net`, `easyboxsync.com`, and `storagesync.biz`. Source: CheckPoint Research, indexed February 15.


The domain choices are textbook tradecraft — impersonating legitimate news outlets and cloud storage services. `phnompenhpost.net` is one character off from Cambodia's paper of record. You don't register that by accident.


**2. RedKitten (IMPERIAL KITTEN-linked) — Iran → Iranian Activists**


Farsi-speaking threat actor deploying a custom implant called **SloppyMIO** against Iranian activists and NGOs documenting human rights abuses. Four unique malware hashes. Source: HarfangLab, indexed February 15.


This is a government targeting its own dissidents with bespoke malware. The name "SloppyMIO" comes from the malware's own internal strings — the developers left breadcrumbs.


**3. UNC3886 (Operation CYBER GUARDIAN) — China → Global**


Mandiant-tracked campaign deploying a four-tool kill chain: **TinyShell** (backdoor), **Reptile** (rootkit), **Medusa** (credential harvester), and **GOBRAT** (Go-based RAT). This is a sophisticated multi-stage intrusion toolkit targeting network edge devices.


Four different malware families in one campaign. That's not a script kiddie — that's a funded operation with a development pipeline.


**4. UAT-8837 (China-nexus) — China → North American Critical Infrastructure**


Cisco Talos tracks this group actively targeting critical infrastructure organizations in North America since 2025. Severity: critical.


Two of these four campaigns are Chinese. One is Iranian. All four were indexed on the same day. That's not a coincidence — that's the tempo.


## The Cloudflare Problem



We're tracking **1,000+ malicious URLs** hosted on Cloudflare Pages (`pages.dev`) and **774 on Cloudflare Workers** (`workers.dev`). These aren't obscure hosting providers — this is legitimate infrastructure being systematically weaponized.


The tradecraft is elegant and infuriating:


- **`ledgerr---live.pages.dev`** — Crypto wallet phishing. Triple-hyphen to evade string matching. 273 total Ledger-impersonation domains in our index.

- **`facebook-d9e.pages.dev`** — Facebook credential harvesting. 61 Facebook/Meta impersonation URLs across our phishing index, including `meta-verify.click`, `meta-credit.us`, and `facebook-appeal.w3spaces.com`.

- **`assistnurture-guide-c9m.pages.dev/stabilizesupport-supply/`** — Randomized subdomain generation with path-based payload routing.

- **`duttweilerangel6891-sidebarg165895-flarew256.pages.dev`** — Hash-like subdomains designed to evade blocklists through uniqueness.


Cloudflare's free tier provides HTTPS, CDN distribution, and a trusted TLS certificate. The attackers get all the credibility of a legitimate cloud provider for zero dollars. Each URL gets a unique subdomain, so domain-based blocking catches one page and misses the next thousand.
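The two evasion tricks described above (hyphen-stuffed brand names on `pages.dev`, and hash-like throwaway subdomains) and the TLD-swap lookalike from the Amaranth-Dragon section (`phnompenhpost.net`) can all be caught by the same hostname triage logic, because none of them survive a simple normalization step. The following is an added example written for this post, not code from DugganUSA's PreCog pipeline: the watch-list, the free-tier suffix list, the thresholds and the sample hosts are constructed for the demo, and it goes slightly beyond the post by also flagging registrable names within two edits of a watched brand (plain typosquats that contain no brand substring at all).

```python
"""Hostname triage for lookalike and free-tier phishing hosts.

Added example, not code from the post or from DugganUSA's pipeline. The
watch-list, suffix list, thresholds and sample hosts are constructed.
"""
import math
import re
from collections import Counter

# Constructed watch-list: brand keyword -> the legitimate domain it belongs to.
WATCHLIST = {
    "ledger": "ledger.com",
    "facebook": "facebook.com",
    "meta": "meta.com",  # short keyword: expect false positives, curate in production
    "phnompenhpost": "phnompenhpost.com",
}

# Free-tier hosting suffixes the post calls out.
FREE_TIER_SUFFIXES = (".pages.dev", ".workers.dev")


def hostname(url_or_host: str) -> str:
    """Reduce a URL or bare host to a lowercase hostname (no scheme, port or path)."""
    h = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    return h.split("/", 1)[0].split(":", 1)[0].strip(".")


def squash(label: str) -> str:
    """Drop hyphens and dots so 'ledgerr---live' still matches 'ledger'."""
    return re.sub(r"[-.]", "", label)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; high values suggest generated names."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used for typosquats that contain no brand substring."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(url_or_host: str) -> dict:
    """Return the host, a list of finding tags and a boolean verdict."""
    host = hostname(url_or_host)
    findings = []

    # The legitimate domain itself, or a real subdomain of it, is allow-listed.
    for legit in WATCHLIST.values():
        if host == legit or host.endswith("." + legit):
            return {"host": host, "findings": [], "suspicious": False}

    suffix = next((s for s in FREE_TIER_SUFFIXES if host.endswith(s)), None)
    if suffix:
        findings.append("free_tier_hosting")
        name_part = host[: -len(suffix)]          # the attacker-chosen subdomain
    else:
        name_part = ".".join(host.split(".")[:-1])  # everything but the TLD

    if re.search(r"-{2,}", name_part):
        findings.append("hyphen_stuffing")

    squashed = squash(name_part)
    for brand in WATCHLIST:
        if brand in squashed:
            findings.append(f"brand_keyword:{brand}")

    # Same registrable name on another TLD, or within two edits of it: lookalike.
    labels = host.split(".")
    if not suffix and len(labels) >= 2:
        sld = labels[-2]
        for legit in WATCHLIST.values():
            legit_sld = legit.split(".")[0]
            if sld == legit_sld:
                findings.append(f"tld_swap:{legit}")
            elif len(sld) >= 6 and levenshtein(sld, legit_sld) <= 2:
                findings.append(f"typosquat:{legit}")

    # Long, digit-bearing, high-entropy subdomains look machine-generated.
    if len(name_part) >= 20 and re.search(r"\d", name_part) and entropy(name_part) >= 3.5:
        findings.append("generated_subdomain")

    suspicious = any(f.startswith(("brand_keyword", "tld_swap", "typosquat")) for f in findings) or (
        "free_tier_hosting" in findings and "generated_subdomain" in findings
    )
    return {"host": host, "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    # Hosts from the post plus two constructed typosquats of the watched paper.
    for sample in ("https://ledgerr---live.pages.dev/", "facebook-d9e.pages.dev",
                   "duttweilerangel6891-sidebarg165895-flarew256.pages.dev",
                   "phnompenhpost.net", "phnompenpost.com", "phnompenhpost.com"):
        print(triage(sample))
```

The point of `squash()` is that a blocklist keyed on exact strings is what the triple hyphen defeats; comparing against a normalized form costs nothing and removes that escape hatch. The entropy rule is deliberately loose and only counts on its own when paired with the free-tier flag, which is why `assistnurture-guide-c9m.pages.dev` from the post is logged but not scored by this heuristic; in practice the per-account subdomain churn the post describes is better handled by treating the hosting suffix plus a brand keyword as the unit of detection rather than the full hostname.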


## 134 GitHub Gist Payloads



Our PreCog engine flagged **134 malicious GitHub Gist URLs** on February 8. Gists being used as dead-drop payload hosts — the attacker uploads an encoded payload to a Gist, the malware on the victim's machine pulls from `gist.github.com`, and every SOC in the world has `github.com` whitelisted.


This is Pattern 38+ — supply chain and trusted-infrastructure abuse. The attacker doesn't need to stand up a C2 server when GitHub will host the payload for free with global CDN distribution.
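Because the domain is allow-listed, the signal for a Gist dead drop is not where the request goes but how it is made: raw-content fetches from something that is not a browser, repeated on a schedule from the same host. The following is an added example, not the post's or DugganUSA's code, showing that hunt over constructed web-proxy log lines; the log format, the `octo-placeholder/1a2b3c4d` Gist path, the user-agent strings and the thresholds are all assumptions made for the demo.

```python
"""Hunting for Gist dead-drop retrieval in web-proxy logs.

Added example, not the post's or DugganUSA's code. The log format, Gist path,
user agents and thresholds below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<ts> <src_ip> <method> <url> <status> <bytes> "<user-agent>""
SAMPLE_LOG = """\
2026-02-08T10:01:12Z 10.1.2.3 GET https://gist.githubusercontent.com/octo-placeholder/1a2b3c4d/raw/payload.txt 200 2048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
2026-02-08T10:01:15Z 10.1.2.3 GET https://github.com/example-org/repo 200 45123 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
2026-02-08T10:02:40Z 10.1.2.57 GET https://gist.githubusercontent.com/octo-placeholder/1a2b3c4d/raw/payload.txt 200 8192 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2026-02-08T10:03:05Z 10.1.2.57 GET https://gist.githubusercontent.com/octo-placeholder/1a2b3c4d/raw/payload.txt 200 8192 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2026-02-08T10:05:10Z 10.1.2.57 GET https://gist.githubusercontent.com/octo-placeholder/1a2b3c4d/raw/payload.txt 200 8192 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2026-02-08T10:07:33Z 10.1.2.99 GET https://gist.github.com/octo-placeholder/1a2b3c4d/raw 200 8192 "python-requests/2.31.0"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)
# Raw Gist content, on either the gist.github.com redirect host or the usercontent host.
GIST_RAW_RE = re.compile(
    r"^https://gist\.(?:github\.com|githubusercontent\.com)/[^/]+/[0-9a-f]+/raw(?:/|$)"
)
# Crude browser test: any modern engine token with a version number.
BROWSER_UA_RE = re.compile(r"(Chrome|Firefox|Safari|Edg)/\d", re.I)


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def hunt(lines, repeat_threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> dict:
    """Map (src, raw-gist-url) -> sorted reasons for raw Gist fetches worth a look.

    Two signals: a non-browser user agent pulling raw Gist content, and the same
    host pulling the same raw Gist `repeat_threshold` times inside `window`.
    """
    hits = defaultdict(set)
    fetches = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if not rec or not GIST_RAW_RE.match(rec["url"]):
            continue
        key = (rec["src"], rec["url"])
        fetches[key].append(rec["ts"])
        if not BROWSER_UA_RE.search(rec["ua"]):
            hits[key].add("non_browser_user_agent")
    for key, times in fetches.items():
        times.sort()
        for i in range(len(times) - repeat_threshold + 1):
            if times[i + repeat_threshold - 1] - times[i] <= window:
                hits[key].add("repeated_fetch")
                break
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for (src, url), reasons in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {url}: {', '.join(reasons)}")
```

A single browser visit to a raw Gist (the first line) produces nothing, which is the behaviour you want from a rule running against an allow-listed domain; the two hits come from the legacy-looking user agent beaconing to the same raw URL and from a scripting client pulling it once. Thresholds belong in configuration, and a real deployment would join on the originating process name where the proxy or EDR supplies it.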


## CISA Is Burning



The Known Exploited Vulnerabilities catalog added 10 new entries in the first three weeks of February:


**February 10 (Microsoft Patch Tuesday — 6 CVEs actively exploited):**

- **CVE-2026-21513**: MSHTML protection mechanism failure — remote code execution

- **CVE-2026-21510**: Windows Shell protection bypass — remote code execution

- **CVE-2026-21533**: Remote Desktop Services privilege escalation

- **CVE-2026-21519**: Desktop Window Manager type confusion — privilege escalation

- **CVE-2026-21525**: Remote Access Connection Manager NULL pointer — denial of service

- **CVE-2026-21514**: Office Word untrusted input — remote code execution via document


**February 5:**

- **CVE-2025-11953**: React Native Community CLI — **command injection** (supply chain)

- **CVE-2026-24423**: SmarterMail — **authentication bypass** on ConnectToHub API


**February 3:**

- **CVE-2021-39935**: GitLab SSRF — a **2021 CVE** now being actively exploited in the wild

- **CVE-2025-64328**: FreePBX Endpoint Manager — OS command injection


Six Microsoft zero-days in one patch cycle. A React Native CLI supply chain injection. A five-year-old GitLab vulnerability that someone just discovered is still unpatched in production. And SmarterMail's API letting anyone bypass authentication entirely.


## The Numbers



| Category | Count |
|----------|-------|
| Total documents indexed | 6,085,861 |
| Indicators of compromise | 879,910 |
| Malware indicators | 828,816 |
| Remote access trojans | 24,835 |
| Hijacked networks (Spamhaus DROP) | 18,785 |
| Phishing URLs | 18,298 |
| OTX pulses | 15,917 |
| Tor exit nodes tracked | 3,249 |
| CISA KEV entries | 1,513 |
| Active C2 servers | 169 |
| Named threat actors | 346 |
| STIX consumers | 275+ in 46 countries |


## What This Means



The threat landscape isn't slowing down. It's accelerating. Four nation-state campaigns indexed in a single day. A thousand phishing pages on Cloudflare's free tier. GitHub Gists weaponized as dead drops. Microsoft shipping six actively exploited vulnerabilities at once. React Native's CLI compromised via supply chain injection.


And this is what two people in Minnesota can see for $76 a month.


The STIX feed is at `analytics.dugganusa.com/api/v1/stix-feed`. The IOC search is at `analytics.dugganusa.com/api/v1/search`. The Epstein document search is at `epstein.dugganusa.com`. All of it is free. All of it is real. Every number in this post is queryable.


275+ organizations in 46 countries are already consuming this feed. If you're not, you should be.




*Built by DugganUSA LLC. Every indicator is verifiable. Every campaign is sourced. The API is free.*


*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*

