
# We Had EtherHiding Six Weeks Early: The Receipts


**Published:** February 10, 2026

**Author:** Patrick Duggan




The Headlines This Week



"Researchers discovered 54 malicious npm packages using an Ethereum smart contract as a dead drop resolver to fetch command-and-control servers."


"EtherHiding technique makes takedown efforts more difficult."


"First widespread use of blockchain-based C2."


The security industry is treating this like breaking news.


We published the detection guidance on **December 28, 2025**.


Six weeks ago.




The Receipts



December 28, 2025: "DPRK Read Our Math"



From our blog post published that day:


> "EtherRAT stores its C2 address in an Ethereum smart contract. When the malware needs to phone home:

> 1. Queries 9 different Ethereum RPC endpoints in parallel

> 2. Uses consensus voting to determine the real C2 URL

> 3. Retrieves the address from the blockchain

> 4. Connects to the attacker's server"


We called the technique. We named the IOCs. We gave the detection logic.


December 30, 2025: "The Quiet Was The Signal"



> "EtherHiding: They built a C2 system that stores its address in an Ethereum smart contract... You can't take it down. You literally cannot seize an Ethereum smart contract. The FBI can't call a hosting provider. CISA can't issue a takedown notice. The blockchain doesn't care about your court orders."


We explained why it matters. We predicted it would spread.


The Detection Guidance We Published






That exact detection logic would have caught the 54 npm packages that just made headlines.




The IOC That Was Already in Our Feed






Available via:




Free. No authentication. Machine-readable.


Anyone consuming our STIX feed on December 28 had this indicator **six weeks before the mainstream coverage**.




The Timeline



| Date | What Happened |
|------|---------------|
| **Dec 28, 2025** | We publish EtherHiding analysis, IOCs, detection guidance |
| **Dec 30, 2025** | We publish "The Quiet Was The Signal", the full DPRK blockchain C2 breakdown |
| **Jan 8, 2026** | We publish DPRK tradecraft evolution piece |
| **Feb 2, 2026** | Notepad++ Chrysalis supply chain attack disclosed; we cover it the same day |
| **Feb 8, 2026** | "New technique discovered": EtherHiding in 54 npm packages |
| **Feb 10, 2026** | You're reading this |


The "new technique" is six weeks old in our index.




What API Consumers Got



If you were hitting our V1 or V2 endpoint in late December:


**STIX Feed:**

- `193.24.123.68` with DPRK attribution

- Malware family: EtherRAT

- Technique: Blockchain C2


**Blog Index (searchable):**

- Full technical breakdown of EtherHiding

- Detection opportunities

- Persistence locations to check

- Why traditional takedowns don't work


**The Counterfactual:**


Any organization consuming our feed on December 28 would have:

1. Blocked the staging IP before the npm packages deployed

2. Had detection logic for blockchain RPC abuse

3. Been six weeks ahead of mainstream vendor coverage

4. Known to hunt for `eth_call` traffic from web servers
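The fourth item above, hunting for `eth_call` traffic from web servers, as an added example that is not part of the original post and not the feed's own detection logic. The log format (one JSON line per outbound POST from an egress proxy, with the request body captured), the host names, the server roles, the contract address and the thresholds are all placeholders assumed for this example. It implements two rules: any Ethereum read from a role that should never touch a chain, and the fan-out pattern the post describes, where one host sends the same read to several RPC endpoints within seconds to vote on the answer.

```python
"""Hunt egress logs for EtherHiding-style dead-drop resolution.

Added example for this post; not the feed's own detection logic. Log format,
host names, roles, thresholds and the contract address are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only JSON-RPC methods a dead-drop resolver uses to pull a C2 address
# out of a contract (eth_call is what the post names; the other two are the
# usual alternatives for reading contract storage or emitted events).
CHAIN_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
# Server roles that have no business talking to an Ethereum node at all.
NO_CHAIN_ROLES = {"web", "build", "ci"}

CONTRACT = "0x" + "ab" * 20  # placeholder contract address, not an indicator


def rpc(method, params):
    """Build a JSON-RPC 2.0 request body as it would appear in a proxy log."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


def _rec(ts, src, role, dst, body):
    return json.dumps({"ts": ts, "src": src, "role": role, "dst": dst, "body": body})


CALL = rpc("eth_call", [{"to": CONTRACT, "data": "0xdeadbeef"}, "latest"])

# Constructed sample log: one egress-proxy JSON line per outbound POST.
SAMPLE_LOG = "\n".join([
    # web01 fans the same eth_call out to five RPC hosts within two seconds
    # (the parallel-query, consensus-vote pattern described in the post).
    _rec("2026-02-08T10:00:00Z", "web01", "web", "rpc-a.example", CALL),
    _rec("2026-02-08T10:00:00Z", "web01", "web", "rpc-b.example", CALL),
    _rec("2026-02-08T10:00:01Z", "web01", "web", "rpc-c.example", CALL),
    _rec("2026-02-08T10:00:01Z", "web01", "web", "rpc-d.example", CALL),
    _rec("2026-02-08T10:00:02Z", "web01", "web", "rpc-e.example", CALL),
    # web01 also makes an ordinary API call that must be ignored.
    _rec("2026-02-08T10:00:03Z", "web01", "web", "api.example", '{"q": "ping"}'),
    # build01 does the same fan-out with three hosts.
    _rec("2026-02-08T10:05:00Z", "build01", "build", "rpc-a.example", CALL),
    _rec("2026-02-08T10:05:00Z", "build01", "build", "rpc-b.example", CALL),
    _rec("2026-02-08T10:05:01Z", "build01", "build", "rpc-c.example", CALL),
    # web02 hits two RPC hosts 30 s apart: wrong role, but no fan-out.
    _rec("2026-02-08T10:00:00Z", "web02", "web", "rpc-a.example", CALL),
    _rec("2026-02-08T10:00:30Z", "web02", "web", "rpc-b.example", CALL),
    # dev07 is a developer workstation doing one legitimate eth_call.
    _rec("2026-02-08T10:10:00Z", "dev07", "dev", "rpc-a.example", CALL),
])


def parse_log(text):
    """Return only the JSON-RPC records, with method, contract and ts extracted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        try:
            body = json.loads(rec.get("body") or "null")
        except json.JSONDecodeError:
            body = None
        if not isinstance(body, dict) or "method" not in body:
            continue  # not JSON-RPC at all
        params = body.get("params") or []
        rec["method"] = body["method"]
        rec["contract"] = params[0].get("to") if params and isinstance(params[0], dict) else None
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def role_alerts(records):
    """Rule 1: any chain read from a host whose role should never make one."""
    return sorted({(r["src"], r["method"]) for r in records
                   if r["method"] in CHAIN_READ_METHODS and r["role"] in NO_CHAIN_ROLES})


def fanout_alerts(records, window=timedelta(seconds=10), min_endpoints=3):
    """Rule 2: the same read sent to >= min_endpoints distinct RPC hosts
    inside `window`, i.e. a resolver polling several nodes for a vote."""
    groups = defaultdict(list)
    for r in records:
        if r["method"] in CHAIN_READ_METHODS:
            groups[(r["src"], r["method"], r["contract"])].append(r)
    alerts = []
    for (src, method, contract), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0
        for i, start in enumerate(recs):  # sliding window starting at each record
            hosts = {r["dst"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            best = max(best, len(hosts))
        if best >= min_endpoints:
            alerts.append({"src": src, "method": method, "contract": contract, "endpoints": best})
    return sorted(alerts, key=lambda a: a["src"])


def hunt(text):
    records = parse_log(text)
    return {"role": role_alerts(records), "fanout": fanout_alerts(records)}


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

On the sample, rule 1 flags web01, web02 and build01 and leaves the developer box alone; rule 2 flags only web01 (five endpoints) and build01 (three), which is the signal that separates a resolver from a stray web3 call. Both rules key on the JSON-RPC method, not the destination hostname, because a resolver can point at any public node and a provider allowlist goes stale. That means you need request bodies, so the proxy has to terminate TLS or an endpoint agent has to capture the POST; if all you have is DNS or flow data, the fallback is the fan-out shape alone, which is noisier.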




The Uncomfortable Truth



We're a one-person operation running on $75/month of Azure.


We had this six weeks before vendors with billion-dollar market caps.


The difference isn't budget. It's methodology.


While vendors were writing PDFs about "304 FAMOUS CHOLLIMA incidents," we were:

- Noticing DPRK went quiet in commodity telemetry

- Asking why

- Catching them surface with new capability

- Publishing same-day


The quiet was the signal. We were watching.




Current Coverage



As of today, our STIX feed contains:


| Category | Count |
|----------|-------|
| Malicious IPs | 1,671 |
| Botnet C2s | 256 |
| Total indicators (last 7 days) | 1,151 |


All free. All machine-readable. All without an enterprise contract.




Get Protected



**STIX 2.1 Feed:**




**Search API:**




**Our December Analysis:**

- [DPRK Read Our Math](https://www.dugganusa.com/post/dprk-read-our-math-how-north-korea-inverted-blockchain-vulnerability-1)

- [The Quiet Was The Signal](https://www.dugganusa.com/post/the-quiet-was-the-signal-how-we-caught-dprk-building-blockchain-c2)




The Bottom Line



| What They Said | When They Said It | When We Said It |
|----------------|-------------------|-----------------|
| "New EtherHiding technique" | Feb 8, 2026 | Dec 28, 2025 |
| "Blockchain C2 is novel" | Feb 2026 | Dec 2025 |
| "Hard to take down" | This week | Six weeks ago |


The receipts don't lie. The timestamps are public. The blog posts are indexed.


We're not asking for credit. We're asking you to consume the feed so you're six weeks early next time.




*DugganUSA LLC*

*$75/month. 329,442 documents indexed. Watching the substrate while vendors sell the noise.*


*"The quiet was the signal."*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*
