Your Free CS2 Skins Are a Lie: 1,133 Steam Phishing URLs Found Today
- Patrick Duggan
- Dec 27, 2025
Updated: Dec 27, 2025
The Campaigns Running Right Now
While you're recovering from Christmas, three active phishing campaigns are harvesting credentials. Our automated threat intelligence detected them today. Here's what to watch for.
Campaign 1: Fake Steam CS2 Skin Giveaways
1,133 phishing URLs detected
The domain `steamcomnmunity.com` (note the extra 'n') is pushing fake Counter-Strike 2 skin promotions. The lure is always the same: free Mirage skins, holiday giveaways, "apology" codes.
• Real Steam: `steamcommunity.com`
• Fake Steam: `steamcomnmunity.com`
That single extra letter is the difference between your account and someone else's.
Campaign 2: ClearFake via .qpon Domains
56 malicious domains detected
The `.qpon` TLD exists for one reason: to look like "coupon" to your brain. Today's variant uses `savefalke.qpon` with randomized subdomains:
• `hhgyqyai.savefalke.qpon`
• `r4ojz98h.savefalke.qpon`
• `yhkd41e4.savefalke.qpon`
These are ClearFake payload delivery domains. They push fake browser updates that install malware.
The pattern: Random subdomain + legitimate-looking parent domain + sketchy TLD = malware.
Campaign 3: Quasar RAT via Portmap
166 C2 domains detected
Portmap.host provides free port forwarding - and attackers love it for command-and-control infrastructure:
• `tspmo-40154.portmap.host`
• `wawreal-42593.portmap.host`
• `sosato-31557.portmap.host`
These are Quasar RAT command servers. If your machine is calling these domains, you're already compromised.
Why This Matters Now
Post-holiday emails are expected. "Sorry for the delay" is normal. "Here's a discount code" feels real.
Attackers know this. The apology-coupon play works because:
1. You're tired from the holidays
2. You expect delays and apologies
3. A coupon feels like compensation
4. Your guard is down
What To Do
1. Check URLs carefully - one letter changes everything
2. Ignore unsolicited discount codes - legitimate companies don't send apology coupons via sketchy domains
3. Block this TLD and this domain at your firewall:
   - `.qpon` (TLD)
   - `portmap.host` (domain, including all subdomains)
4. Check our STIX feed - machine-readable IOCs for all 1,355 indicators: analytics.dugganusa.com/api/v1/stix-feed
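To apply steps 1 and 3 to your own DNS or proxy logs, here is an added example (not part of the original post or the feed's tooling) that flags hostnames matching the three patterns above. The function names, the 2-edit threshold, and the "last two labels" shortcut for the registrable domain are assumptions.

```python
from typing import Optional

LEGIT_BRANDS = {"steamcommunity.com"}          # real domain named in the post
BLOCKED_SUFFIXES = {                           # suffixes the post says to block
    "qpon": "ClearFake delivery TLD (.qpon)",
    "portmap.host": "Quasar RAT C2 via portmap.host",
}
MAX_EDITS = 2  # assumption: within 2 edits of a brand domain is a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[str]:
    """Return the reason a hostname is suspicious, or None if it looks clean."""
    labels = host.strip().lower().rstrip(".").split(".")
    # Match suffixes on label boundaries so "notportmap.host" is not flagged.
    for n in range(1, len(labels) + 1):
        reason = BLOCKED_SUFFIXES.get(".".join(labels[-n:]))
        if reason:
            return reason
    # Assumption: the last two labels approximate the registrable domain.
    candidate = ".".join(labels[-2:])
    for brand in LEGIT_BRANDS:
        d = edit_distance(candidate, brand)
        if 0 < d <= MAX_EDITS:                 # 0 means it IS the real domain
            return f"lookalike of {brand} (edit distance {d})"
    return None


if __name__ == "__main__":
    # Hostnames quoted in the post plus two constructed benign ones.
    for h in ["steamcomnmunity.com", "hhgyqyai.savefalke.qpon",
              "tspmo-40154.portmap.host", "help.steamcommunity.com",
              "example.org"]:
        print(f"{h:32} {classify(h) or 'ok'}")
```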
The Data
• PreCog Sweep: Novel IOC detection
• Feed Harvest: OpenPhish, ThreatFox, AbuseIPDB correlation
• STIX 2.1: Machine-readable output for your SIEM
All indicators are freely available via our Democratic Sharing Law commitment.
*Detection timestamps: 2025-12-27 17:57-19:00 UTC*
*Sources: OpenPhish, ThreatFox, PreCog autonomous hunting*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]



