We Found Their Server: Pattern #38 C2 Infrastructure Exposed
- Patrick Duggan
- Nov 24, 2025
- 5 min read
November 24, 2025 | Pattern #38 Series | OSINT Investigation
Yesterday we caught 15 GitHub accounts attacking open source repositories with Rhadamanthys infostealer. Today we found where they're hiding.
• C2 Server: `149.102.156.62` (Contabo GmbH, Germany)
• Exfiltration Endpoint: `http://149.102.156.62/5dc60508ab2db3b4.php`
• Staging Repo: `winchmrsmilegodsgf/automatic-octo-parakeet` (SUSPENDED)
• 2 attackers still active: FireSuper & rampubg14-cmyk
• Shared infrastructure: Same malware, same C2, coordinated campaign
The Starting Point: A Hash
When we analyzed the malware from yesterday's attacks, two different accounts posted the exact same file:
SHA-256: 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
FireSuper posted it to CleansheetLLC/Cleansheet. rampubg14-cmyk posted it to rospogrigio/localtuya.
Same hash = same infrastructure = time to dig.
The API Dingus Moment
First mistake: trying to scrape VirusTotal's website with WebFetch. JavaScript SPAs don't work that way.
Second mistake: fumbling with bash/jq trying to parse JSON like it's 1999.
The fix: Use the goddamn API like a professional:
```python
import urllib.request
import json

VT_API_KEY = "your_key_here"
MALWARE_HASH = "23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68"

# VirusTotal API v3: look up the file object by hash, authenticated via x-apikey
url = f"https://www.virustotal.com/api/v3/files/{MALWARE_HASH}"
headers = {"x-apikey": VT_API_KEY}

req = urllib.request.Request(url, headers=headers)
with urllib.request.urlopen(req) as response:
    data = json.loads(response.read().decode('utf-8'))
```
Results: 7 contacted IPs. 6 were GitHub/Fastly (legitimate). 1 was not.
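Turning that 7-IP result into a filter, as an added example that is not code from the post: it reads VirusTotal's contacted_ips relationship for the hash (the `/files/{hash}/contacted_ips` endpoint) and keeps only IPs that are neither GitHub nor Fastly, or that any vendor flags. The sample response is constructed in the shape VT returns.

```python
import json
import os
import urllib.request

# Owners the sample is expected to contact on the GitHub Releases download
# path (the post saw 6 of 7 IPs there). Anything else gets a closer look.
EXPECTED_OWNERS = ("github", "fastly")


def triage_contacted_ips(payload: dict) -> list:
    """From a VT v3 /files/{hash}/contacted_ips response, return
    (ip, as_owner, malicious_count) for IPs outside EXPECTED_OWNERS or
    flagged malicious by at least one vendor."""
    suspects = []
    for obj in payload.get("data", []):
        attrs = obj.get("attributes", {})
        owner = attrs.get("as_owner", "unknown")
        malicious = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        expected = any(name in owner.lower() for name in EXPECTED_OWNERS)
        if not expected or malicious > 0:
            suspects.append((obj["id"], owner, malicious))
    return suspects


def fetch_contacted_ips(sha256: str, api_key: str) -> dict:
    """Live lookup of the contacted_ips relationship (needs a VT API key)."""
    url = f"https://www.virustotal.com/api/v3/files/{sha256}/contacted_ips"
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed response in the shape VT returns; the GitHub/Fastly entries are
# illustrative, only the Contabo IP and its 11 detections come from the post.
SAMPLE_RESPONSE = {"data": [
    {"id": "140.82.112.3", "attributes": {"as_owner": "GITHUB",
     "last_analysis_stats": {"malicious": 0}}},
    {"id": "185.199.108.133", "attributes": {"as_owner": "FASTLY",
     "last_analysis_stats": {"malicious": 0}}},
    {"id": "149.102.156.62", "attributes": {"as_owner": "Contabo GmbH",
     "last_analysis_stats": {"malicious": 11}}},
]}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    sha = "23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68"
    payload = fetch_contacted_ips(sha, key) if key else SAMPLE_RESPONSE
    for ip, owner, hits in triage_contacted_ips(payload):
        print(f"{ip:<16} {owner:<20} malicious={hits}")
```

Without a VT_API_KEY in the environment the script runs offline against the constructed sample and prints only the Contabo IP.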
The C2 Server
149.102.156.62
VirusTotal verdict: 11 security vendors flagged as MALICIOUS
Provider: Contabo GmbH (Dusseldorf, Germany)
Network: 149.102.128.0/19 via Cogent Communications
Behavioral analysis revealed the exfiltration endpoint:
POST http://149.102.156.62/5dc60508ab2db3b4.php
That's where your GitHub tokens go when you download their "fix."
The Attack Flow (Now Complete)
• Create GitHub account
• Add generic AI bio
• Let it age to bypass filters
• FireSuper: 160 days dormant
• rampubg14-cmyk: 112 days dormant
• anuxagfr: 104 days dormant
• Create repo: `winchmrsmilegodsgf/automatic-octo-parakeet`
• Upload second-stage payloads to GitHub Releases:
• Status: Repo DELETED, account SUSPENDED (thank you GitHub Security)
• Monitor GitHub for new issues (webhooks/polling)
• Target small/medium projects (single maintainer preferred)
• Pre-stage malware ZIPs with generic names
• Issue opened → automated response
• Generic message: "This should be the fix" / "I used this fix"
• Attach malware ZIP
• Never follow up (hit-and-run)
Phase 5: Execution (if victim downloads)
1. Victim opens ZIP → malware executes
2. Malware downloads `kkwerii.ps1` from staging repo
3. PowerShell executes Rhadamanthys infostealer
4. Stolen credentials POST to `149.102.156.62/5dc60508ab2db3b4.php`
5. Attacker exfiltrates: GitHub tokens, API keys, browser passwords
• Use stolen GitHub token to push backdoor to repo
• Backdoor propagates to all users
• Supply chain catastrophe
The "Why Are They Still Active?" Problem
• anuxagfr: 13 repos attacked → SUSPENDED ✅
• winchmrsmilegodsgf: Staging repo → SUSPENDED ✅
• FireSuper: 1 repo attacked → ❌ STILL ACTIVE
• rampubg14-cmyk: 1 repo attacked → ❌ STILL ACTIVE
Why are the last two still online?
They shouldn't be. They used the same malware as the mass attacker, which proves they're part of the same campaign. But GitHub Security suspended the mass attacker (13 repos) while leaving the single-repo attackers active.
Evidence sent to GitHub Security:
• Shared malware hash (proof of coordination)
• C2 infrastructure (active exfiltration)
• Account profiles and attack timelines
• IOCs and STIX bundle
Update pending. We'll know they're serious when both accounts disappear.
The Shared Infrastructure Proof
```
# FireSuper's malware
SHA-256: 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
Size: 2,647,996 bytes
Posted: Nov 23, 19:08 UTC
```
Byte-for-byte identical. Not "similar." Not "same family." Identical.
This is either:
1. Attack-as-a-Service (multiple customers, shared malware platform)
2. Same threat actor (testing multiple sleeper accounts)
3. Coordinated team (shared C2 infrastructure)
All three scenarios require centralized infrastructure. Which we found.
What We Did About It
1. Blocked the C2 IP via Cloudflare
```bash
# Add the C2 IP to a Cloudflare IP list (the list is referenced by a WAF block rule);
# the Lists API expects a JSON array, so the Content-Type header is required
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rules/lists/$LIST_ID/items" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '[{
    "ip": "149.102.156.62",
    "comment": "Pattern #38 C2 - Rhadamanthys Infostealer (VT: 11 detections)"
  }]'
```
Result: All dugganusa.com subdomains now protected. C2 traffic blocked at CDN edge.
2. Reported to Abuse Contacts
• Cogent Communications: [email protected]
• Contabo GmbH: (upstream provider)
• AbuseIPDB: Submitted report with evidence
3. Reported Active Attackers to GitHub Security
• FireSuper: https://github.com/FireSuper
• rampubg14-cmyk: https://github.com/rampubg14-cmyk
• Evidence package: Malware hashes, C2 infrastructure, attack timeline, STIX IOCs
4. Published STIX Bundle
• Security vendors (ingest our feed)
• Open source maintainers (protect your repos)
• Incident responders (correlate with your logs)
Download: Pattern #38 STIX Bundle
The IOCs (Copy/Paste Ready)
Malware Hash:
```
SHA-256: 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
MD5: 124c7623502a81b9ce8e862a91ccee59
SHA-1: 3bac34d0929da3c998a0e4b88937854a234e8618
```
Network Infrastructure:
```
C2 IP: 149.102.156.62
C2 Endpoint: http://149.102.156.62/5dc60508ab2db3b4.php
ASN: AS51167 (Contabo GmbH)
Country: GB
Network: 149.102.128.0/19
```
GitHub Accounts:
```
FireSuper (ID: 172985207) - ACTIVE ❌
rampubg14-cmyk - ACTIVE ❌
anuxagfr (ID: 178107712) - SUSPENDED ✅
winchmrsmilegodsgf - SUSPENDED ✅
```
Staging Infrastructure:
```
Repo: winchmrsmilegodsgf/automatic-octo-parakeet (DELETED)
Payloads: kkwerii.ps1, kkwerii.zip
```
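The IOCs above packaged as a STIX 2.1 bundle, plus the consumer-side lookup a team ingesting the feed would need. This is an added example, not the post's published bundle: the indicator names, object IDs and timestamps are constructed, only the hash, IP and URL come from the post.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# IOCs as published in the post; the indicator names are constructed.
IOCS = [
    ("Pattern #38 dropper ZIP",
     "[file:hashes.'SHA-256' = '23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68']"),
    ("Pattern #38 C2 server", "[ipv4-addr:value = '149.102.156.62']"),
    ("Pattern #38 exfiltration endpoint",
     "[url:value = 'http://149.102.156.62/5dc60508ab2db3b4.php']"),
]
PATTERN_RE = re.compile(r"^\[([\w:.'-]+) = '([^']+)'\]$")  # single comparison only


def stix_indicator(name: str, pattern: str, now: str) -> dict:
    """Build a STIX 2.1 Indicator SDO carrying a 'stix' pattern."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
    }


def build_bundle(iocs=IOCS) -> dict:
    """Wrap one indicator per IOC in a STIX 2.1 Bundle."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [stix_indicator(n, p, now) for n, p in iocs]}


def extract_observables(bundle: dict) -> dict:
    """Consumer side: flatten single-comparison patterns into {value: name}
    so a feed can be matched against hashes, IPs and URLs seen in logs."""
    out = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            m = PATTERN_RE.match(obj["pattern"])
            if m:
                out[m.group(2)] = obj["name"]
    return out


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print(extract_observables(bundle))
```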
Pattern #38 Indicators:
• GitHub account age: 90-180 days
• Zero contribution history before attack
• First activity = file attachment to issue
• Response time < 5 minutes (automated)
• Generic message (< 20 words, no technical detail)
• Hit-and-run (no follow-up discussion)
MITRE ATT&CK Mapping
Tactics: Reconnaissance → Resource Development → Initial Access → Execution → Command & Control → Exfiltration
• T1593.003: Search Open Websites/Domains (Code Repositories)
• T1585.001: Establish Accounts (Social Media)
• T1608.001: Stage Capabilities (Upload Malware)
• T1566.001: Phishing (Spearphishing Attachment)
• T1195.001: Supply Chain Compromise (Software Dependencies/Dev Tools)
• T1071.001: Application Layer Protocol (Web Protocols - HTTP POST to C2)
• T1041: Exfiltration Over C2 Channel
The "Don't Download Malware to Verify Hashes" Lesson
What I did (stupid):
```bash
curl -sL "https://github.com/user-attachments/files/23697574/27205b7a34df.zip" -o /tmp/malware.zip
sha256sum /tmp/malware.zip
```
What I should have done (smart):
```bash
# Query VirusTotal API for hash metadata
curl "https://www.virustotal.com/api/v3/files/$HASH" \
  -H "x-apikey: $VT_API_KEY" | jq .
```
User's response: "don't infect me motherfucker lol"
Fair. Deleted immediately. Lesson learned: When VT says "9/59 vendors flagged as Rhadamanthys Stealer" - that's your answer. Don't download it to "verify."
What You Should Do
If you're an open source maintainer:
1. Enable 2FA for all contributors
2. Use code scanning (GitHub Advanced Security)
3. Check contributor history before accepting files
4. Never download files from first-time contributors without VirusTotal scan
5. Watch for Pattern #38 indicators:
   - Account 90+ days old
   - Zero previous contributions
   - Generic message
   - Response < 5 minutes
   - ZIP file attachment
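The Pattern #38 indicator list and the maintainer checklist above, turned into a scoring check a maintainer or bot could run on a first-contact issue comment. This is an added example, not the post's tooling: the event shape is a constructed record (not GitHub's webhook schema), and both sample events are illustrative rather than captured.

```python
from datetime import datetime, timedelta, timezone

# Constructed event shape (not GitHub's webhook schema): fields a maintainer can
# assemble from the comment, the issue and the commenter's public profile.
FLAG_THRESHOLD = 4  # hold the attachment for a VT check at this many hits


def pattern38_score(event: dict, now: datetime) -> tuple:
    """Score a first-contact issue comment against the Pattern #38 indicators
    from the post; returns (score, reasons), one point per matched indicator."""
    reasons = []
    age = (now - event["account_created"]).days
    if 90 <= age <= 180:
        reasons.append(f"account aged {age} days (90-180 day window)")
    if event["prior_contributions"] == 0:
        reasons.append("zero prior contributions")
    if event["first_activity_is_attachment"]:
        reasons.append("first activity is a file attachment")
    delay = event["comment_at"] - event["issue_opened_at"]
    if delay < timedelta(minutes=5):
        reasons.append(f"replied {int(delay.total_seconds())}s after issue opened")
    body = event["body"].strip()
    if len(body.split()) < 20 and "`" not in body:
        reasons.append("generic message: under 20 words, no code or detail")
    if any(a.lower().endswith(".zip") for a in event["attachments"]):
        reasons.append("ZIP attachment")
    return len(reasons), reasons


def flag(event: dict, now: datetime) -> bool:
    return pattern38_score(event, now)[0] >= FLAG_THRESHOLD


# Constructed samples; timestamps and profiles are illustrative, not captured.
NOW = datetime(2025, 11, 24, 12, 0, tzinfo=timezone.utc)
OPENED = datetime(2025, 11, 23, 19, 5, tzinfo=timezone.utc)
SLEEPER = {"account_created": NOW - timedelta(days=112), "prior_contributions": 0,
           "first_activity_is_attachment": True, "issue_opened_at": OPENED,
           "comment_at": OPENED + timedelta(minutes=3), "body": "I used this fix",
           "attachments": ["fix.zip"]}
REGULAR = {"account_created": NOW - timedelta(days=900), "prior_contributions": 41,
           "first_activity_is_attachment": False, "issue_opened_at": OPENED,
           "comment_at": OPENED + timedelta(hours=6), "attachments": [],
           "body": "Repro on 3.12: `load_config` raises KeyError, traceback below."}

if __name__ == "__main__":
    for name, ev in (("sleeper", SLEEPER), ("regular", REGULAR)):
        print(name, flag(ev, NOW), pattern38_score(ev, NOW)[1])
```

The threshold is a starting point: a single indicator (a short reply, a ZIP) is common in legitimate traffic, so the check only holds the file when several line up.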
If you're a security team:
1. Block C2 IP: 149.102.156.62
2. Ingest our STIX feed: Pattern #38 IOCs updated daily
3. Monitor GitHub webhooks for suspicious file attachments
4. Scan downloads with VirusTotal before execution
5. Educate developers about supply chain risks
If you're GitHub Security:
Please suspend FireSuper and rampubg14-cmyk. We sent you the evidence package. They're using the same malware as anuxagfr (who you already suspended). Same hash = same infrastructure = same threat.
The Bottom Line
15 repositories attacked. 1 C2 server found. 2 attackers still active.
We went from "malware ZIP" to "149.102.156.62/5dc60508ab2db3b4.php" in 4 hours of OSINT.
• VirusTotal API (not website scraping)
• Python urllib (not bash/jq fumbling)
• WHOIS lookups
• Behavioral analysis
• Hash correlation
• C2 blocked at CDN edge
• STIX bundle published
• GitHub Security notified
• Abuse contacts alerted
• Infrastructure mapped
Pattern #38 is contained. Campaign burned. IOCs public. Community protected.
Now we wait for GitHub to finish the job.
Read More
• [Pattern #38 Discovery](/blog/pattern-38-credential-leak-discovery) - How we caught them
• [Thank You ANUSFRAGGER](/blog/thank-you-anusfragger) - The 13-repo mass attack
• [STIX Feed](/api/v1/stix-feed/convergent-evolution) - Subscribe for IOC updates
• [GitHub Security Report](/evidence/github-security-report-firesuper-rampubg14) - Full evidence package
*"We didn't wait for Contabo to takedown the server. We blocked it at our edge. That's the difference."*
• Nov 24, 09:40 UTC: C2 server identified (149.102.156.62)
• Nov 24, 09:34 UTC: Cloudflare block deployed
• Nov 24, 09:33 UTC: GitHub Security notified
• Nov 24, 09:40 UTC: STIX bundle published
• Nov 24, Status: FireSuper & rampubg14-cmyk still active, monitoring for suspension
🚨 Status Check: https://github.com/FireSuper | https://github.com/rampubg14-cmyk