Two Countries, Three Backdoors, One Weekend: Iran and China Got Busy
- Patrick Duggan
- Mar 9
- 3 min read
The Short Version
This weekend, two nation-state hacking groups dropped new malware on critical infrastructure. Iran hit US banks and airports. China hit South American phone companies. We indexed everything.
Iran: MuddyWater's New Toys
**Who**: MuddyWater (aka Seedworm). Iranian government hackers working for the Ministry of Intelligence.
**What they hit**: A US bank. An airport. Defense contractors. Nonprofits.
**How**: Two brand-new backdoors nobody had seen before:
- **Dindoor** — Built on Deno, a JavaScript runtime. Think of it like this: instead of bringing a lockpick, they brought their own door. The antivirus is looking for lockpicks. It doesn't know what Deno is. That's the trick.
- **Fakeset** — A Python script that phones home to Backblaze (a cloud storage company). Your firewall sees traffic to a legitimate cloud service and waves it through.
Both were digitally signed with fake certificates under the names "Amy Cherne" and "Donald Gay." The "Donald Gay" cert was previously used to sign other MuddyWater malware. That's how Symantec connected the dots.
**The sloppy part**: They used Rclone (a file-syncing tool) to steal data and dump it into a Wasabi cloud bucket. Rclone is a legitimate tool — IT departments use it every day. That's the whole point. Hide in plain sight.
**What we published**: 5 CVEs they're actively exploiting, mostly in Hikvision and Dahua security cameras. If you have Chinese-made cameras on your network, patch them yesterday.
China: UAT-9244's Telecom Takeover
**Who**: UAT-9244. Chinese state hackers with ties to FamousSparrow and possibly Salt Typhoon (the group that was inside US telecoms last year).
**What they hit**: Phone companies in South America. The infrastructure that carries your calls.
**How**: Three custom tools, one for each job:
- **TernDoor** (Windows) — Gets in through DLL side-loading. They abuse a legitimate program called `wsprint.exe` to load their malicious `BugSplatRc64.dll`. Windows trusts the legitimate program. The legitimate program loads the malware. Game over.
- **PeerTime** (Linux) — Uses BitTorrent for command-and-control. Your network sees BitTorrent traffic and thinks someone's downloading movies. It's actually a backdoor talking to Beijing. Runs on ARM, MIPS, PowerPC — basically anything with a chip.
- **BruteEntry** (Edge devices) — Written in Go. Sits on routers and network equipment, brute-forces SSH and PostgreSQL passwords, and turns compromised devices into proxy nodes. Your router becomes part of China's attack infrastructure.
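One way to hunt for the TernDoor loading pattern in Sysmon image-load telemetry, as an added example that is not the post's or Talos's code: it flags the `wsprint.exe` / `BugSplatRc64.dll` pairing named above and, more generally, any unsigned DLL loaded from its host EXE's own directory outside the usual program roots. The Sysmon field names (Image, ImageLoaded, Signed) are real; the sample events, file paths and trusted-root list are assumptions.

```python
"""Flag Sysmon Event ID 7 (ImageLoad) records that look like DLL side-loading.
Added example, not code from the post; events below are constructed to mimic
Sysmon's Image / ImageLoaded / Signed fields, and all paths are assumptions."""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Host-program / DLL pairing named in the TernDoor write-up (lower-cased for matching).
KNOWN_SIDELOAD_PAIRS = {("wsprint.exe", "bugsplatrc64.dll")}
# Under these roots an unsigned DLL beside its host EXE is common enough that the
# generic heuristic stays quiet (assumption: tune for your own estate).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def classify_image_load(event: dict) -> Optional[str]:
    """Return 'known-sideload', 'possible-sideload' or None for one Event 7 record."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if (host.name.lower(), dll.name.lower()) in KNOWN_SIDELOAD_PAIRS:
        return "known-sideload"
    # Generic side-loading shape: unsigned DLL loaded from the host EXE's own
    # directory, with that directory outside the trusted roots.
    dll_dir = str(dll.parent).lower() + "\\"
    same_dir = dll_dir == str(host.parent).lower() + "\\"
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    if same_dir and unsigned and not dll_dir.startswith(TRUSTED_ROOTS):
        return "possible-sideload"
    return None

def scan(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (verdict, host image, loaded DLL) for every event that trips a rule."""
    hits = []
    for ev in events:
        verdict = classify_image_load(ev)
        if verdict:
            hits.append((verdict, ev["Image"], ev["ImageLoaded"]))
    return hits

# Constructed sample events: one copied-EXE sideload, one generic suspect, two benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\svc_print\AppData\Local\Temp\wsprint.exe",
     "ImageLoaded": r"C:\Users\svc_print\AppData\Local\Temp\BugSplatRc64.dll", "Signed": "false"},
    {"Image": r"C:\Users\bob\Downloads\tool\updater.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\tool\version.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
]
```

The generic rule also fires on legitimate software that ships unsigned helper DLLs beside its EXE, so treat it as a hunting lead and reserve alerting for the named pairing or a hash match against the published indicators.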
**The infrastructure**: 24 IP addresses across Vultr, Kaopu Cloud HK (Lightnode), SC Global Data, and Cogent. Four IPs in the same /24 block on Kaopu — they rented a chunk. One IP (185.196.10.38) has a PTR record of `RDP-CWSzwvQS` — somebody left their RDP server name in the DNS. Sloppy.
**What we published**: 24 IPs, 3 domains, 42 file hashes. Everything Cisco Talos found, enriched with PTR records and VirusTotal reputation data.
Why This Matters
Two separate countries. Two separate campaigns. Same week. Same playbook: target critical infrastructure, use legitimate tools to hide, steal everything.
The difference between reading about this and doing something about it is having the IOCs in your firewall. We published both sets — free, in our STIX feed and on OTX.
The Feeds
- **UAT-9244 OTX Pulse**: [69 indicators](https://otx.alienvault.com/pulse/69aed6464de7a8689b02a06a) — 24 IPs, 3 domains, 42 SHA256 hashes
- **MuddyWater OTX Pulse**: [5 CVEs](https://otx.alienvault.com/pulse/69aed5a4fef4564e854b99d7) — Hikvision/Dahua vulns under active exploitation
- **STIX Feed**: [analytics.dugganusa.com/api/v1/stix-feed](https://analytics.dugganusa.com/api/v1/stix-feed) — 275+ consumers in 46 countries. Free.
Your threat feed should already have these. If it doesn't, you're paying too much for the wrong feed.
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*