DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

VM Escapes and Calendar Invites: When Your AI Assistant Becomes the Attack Vector

Patrick Duggan
Jan 21
4 min read

The Year-Long Zero-Day You Didn't Know About

Huntress published a breakdown of an intrusion they stopped in December 2025. What they found was a sophisticated toolkit designed to escape VMware virtual machines and take control of ESXi hypervisors.

The scary part? The code had development timestamps from February 2024. VMware didn't disclose these vulnerabilities until March 2025. Someone had a working exploit for a full year before the world knew the bugs existed.

CVE-2025-22224 (CVSS 9.3): Out-of-bounds write in VMCI
CVE-2025-22225 (CVSS 8.2): Arbitrary write to escape the VMX sandbox
CVE-2025-22226 (CVSS 7.1): Memory leak via HGFS

Chained together, they let an attacker break out of a virtual machine and execute code on the host. Game over for your isolation model.

MAESTRO (exploit.exe) - Coordinates the escape, disables VMCI devices, loads an unsigned driver
MyDriver.sys - The unsigned kernel driver that executes the escape
VSOCKpuppet - An ELF backdoor that runs on the ESXi host and communicates over VSOCK, bypassing traditional network monitoring

The attribution evidence is circumstantial but compelling: simplified Chinese strings in the code, including a folder named "全版本逃逸--交付" which translates to "All version escape - delivery."

As of January 8, over 30,000 internet-exposed ESXi instances remain vulnerable. The toolkit supports 155 ESXi builds spanning versions 5.1 through 8.0. If you're running end-of-life versions, there is no fix.

The Calendar Invite That Read Your Schedule

On January 19, researchers at Miggo Security disclosed a prompt injection vulnerability in Google Gemini that used calendar invites as the attack vector.

Here's how it worked:

Attacker sends you a calendar invite with a prompt injection payload hidden in the description field
You ask Gemini something innocent like "What's on my schedule today?"
Gemini parses all your calendar events, including the malicious one
The embedded instructions tell Gemini to create a new calendar event summarizing your private meetings
In some enterprise configurations, that new event was visible to the attacker

No malware. No phishing link. No executable. Just words.

The attack bypassed Google's prompt injection defenses because the instructions "appeared plausible in isolation." The AI couldn't distinguish between legitimate calendar content and an attacker's payload.

Google has since patched it—Gemini now requires explicit user confirmation before creating calendar events. But the underlying problem remains.

The Pattern: Trust Is the Attack Surface

These two stories seem different. One is a sophisticated nation-state VM escape. The other is a clever natural language trick. But they share a common theme:

The systems we trust to protect us are becoming the systems that compromise us.

VMware ESXi exists to isolate workloads. The entire value proposition is that a compromised VM can't affect its neighbors. That assumption held for years. Now it doesn't.

Google Gemini exists to help you manage your life. You give it access to your calendar, email, and documents precisely because you trust it. That trust is now a liability.

Hypervisors were trusted. Now they're targets.
AI assistants were helpful. Now they're attack vectors.
Integration was a feature. Now it's an attack surface.

The AI Agent Problem

The Gemini vulnerability is a preview of what's coming. Every major AI company is racing to build "agents"—AI systems that can take actions on your behalf. They'll read your email, manage your calendar, browse the web, execute code, and interact with APIs.

Every data source the agent can read is a potential injection point. Every action it can take is a potential exploit.

ChatGPT plugins let the AI call external APIs. Malicious content on a webpage could instruct the AI to exfiltrate data through a plugin.
Microsoft Copilot reads your emails and documents. A carefully crafted email could manipulate what Copilot tells you—or does on your behalf.
Claude computer use gives the AI control of a browser. A malicious website could hijack the session.

The defense-in-depth model we've built for decades doesn't account for an intelligent intermediary that can be socially engineered.

What To Do

Patch immediately. CVE-2025-22224, CVE-2025-22225, CVE-2025-22226.
If you're running EOL ESXi versions, you have no fix. Plan your migration.
Monitor for VSOCK traffic anomalies—VSOCKpuppet bypasses traditional network monitoring.
Assume breach if you were internet-exposed before March 2025.

Treat AI integrations as privileged access, not convenience features.
Implement confirmation steps for any AI action that modifies data or sends information externally.
Audit what data sources your AI assistant can access.
Watch for prompt injection patterns in incoming content (emails, calendar invites, documents).
Consider whether your AI really needs all that access.

The Uncomfortable Truth

We wanted AI assistants that could do things for us. We got AI assistants that can be tricked into doing things against us.

We wanted hypervisors that let us run untrusted code safely. We got hypervisors with year-old zero-days.

Security has always been about trust boundaries. The problem is that our trust boundaries are moving faster than our defenses. Every new integration, every new agent capability, every new convenience feature is a potential gap.

The Chinese actors who built that ESXi toolkit understood something important: the things everyone trusts are the things worth attacking. They spent a year developing an exploit for infrastructure that runs millions of workloads worldwide.

The researchers who found the Gemini vulnerability understood the same thing: AI assistants are becoming the new privileged access layer. Compromise the assistant, compromise everything it touches.

Welcome to 2026. Your most trusted tools are your biggest risk.

IOCs from today's sweep:

101.198.0.133
101.198.0.135
101.198.0.140
101.198.0.141
101.198.0.171
101.198.0.181

101.32.49.171
101.42.46.71
101.44.160.187
101.44.160.231

These are in our STIX feed at analytics.dugganusa.com/api/v1/stix-feed.

Patrick Duggan is the founder of DugganUSA LLC, a Minnesota-based threat intelligence company. The STIX feed is free at [analytics.dugganusa.com](https://analytics.dugganusa.com/api/v1/stix-feed).

Her name is Renee Nicole Good.