# We Hunted Lapsus$ on GitHub. Here's What We Actually Found.

**Writer**: Patrick Duggan

**Date**: March 2, 2026

**Tags**: threat-intelligence, lapsus, scattered-spider, github, mfa-fatigue, malware-analysis, ioc




Lapsus$ doesn't live on GitHub. That's the first thing to understand. The group that breached Microsoft, NVIDIA, Samsung, Okta, T-Mobile, Uber, and Rockstar Games operated through Telegram channels, purchased credentials, SIM-swapped telecom insiders, and social-engineered help desks. They didn't push to public repos.


But when you hunt for them on GitHub, you find two things worth talking about: one fake, one real.




## Find #1: The Fake — A Dropper Wearing Lapsus$'s Face



**Repository**: `peiceofmind/DEV-0537`

**Created**: March 17, 2024

**Language**: PowerShell

**Stars**: 0


A zero-follower GitHub account created March 9, 2024, spent two weeks building a persona. Windows 10 debloater. Minecraft mod. Windows optimization tool. The digital equivalent of buying a used truck and putting racing stripes on it.


On March 17, `peiceofmind` published `DEV-0537.ps1` — named after Lapsus$'s Microsoft tracking designation — and described it as a "leaked DEV-0537 spoofer."


It is not. It is a four-stage dropper targeting anyone curious enough to search for Lapsus$ hacking tools.


**The kill chain:**


**Stage 1 — Social proof lure.** The script opens `github.com/SecHex/SecHex-Spoofy`, a legitimate-looking HWID spoofer, in the browser. This is misdirection. While the victim is looking at a real GitHub page, stages 2-4 execute silently.


**Stage 2 — WinRAR silent install.** A WinRAR installer is fetched from an obfuscated CDN URL and installed with the `/S` flag. No window. No prompt.


**Stage 3 — AV kill.** A zip is pulled from Discord's CDN containing `DisableWinDefend-main\RunScript11.bat`. It runs with `RunAs` — elevated privileges. Windows Defender goes dark.


**Stage 4 — Payload drop.** `spoolsv_protected.exe` is delivered from Discord CDN, with a fallback pull from `github.com/peiceofmind/update/raw/main/spoolsv_protected.exe`. The filename spoofs Windows Print Spooler (`spoolsv.exe`) — a process most users and some analysts will not question in Task Manager.


The script's obfuscation is worth noting. Every URL and variable name is scrambled using format-string array indexing — `{4}{13}{5}{9}{6}` constructs that concatenate characters in shuffled order — combined with backtick insertion inside variable names (``${WIN`RaR`URL}``) to defeat static analysis. It is not sophisticated nation-state craft. It is a 17-year-old who read a tutorial. But it works against signature-based detection, which is the point.


**Who gets hit by this?**


Kids searching for "Lapsus$ tools," "DEV-0537 malware," or "how did Lapsus$ hack Microsoft." The persona — gaming mods, Windows tweaks — signals the target demographic: young, technically curious, already comfortable running unsigned PowerShell. The payload is likely a gaming credential infostealer. Steam accounts. Discord tokens. Crypto wallets.


This is not Lapsus$. This is someone profiting from the Lapsus$ brand with a commodity dropper and a GitHub account that costs nothing.




## Find #2: The Real — Scattered Spider's Playbook, Published



**Repository**: `Uzseclab/mfa-fatigue-toolkit`

**Created**: January 1, 2026

**Language**: Shell

**Stars**: 1


This one is different.


Scattered Spider — formally UNC3944, tracked as DEV-0537's spiritual successor and in some assessments a Lapsus$-adjacent group — does not use exotic zero-days. Their signature initial access technique is MFA fatigue: send repeated authentication push notifications to a target until they accept one out of frustration or confusion. Combine that with a vishing call to the help desk pretending to be the employee, and you have Okta. You have MGM Resorts ($100M). You have Caesars Entertainment ($15M ransom paid).


On January 1, 2026, the Uzseclab organization published a shell-based toolkit that operationalizes exactly this. Targets: Azure AD, Okta, Duo. Features: configurable requests-per-second, random delays to evade lockout detection, modular provider architecture, comprehensive logging.


The README frames it as a red team tool. The author is credited as "Red Team Operator" — not a name, not a team, not a firm. The usage examples specify real enterprise domains without authorization context.


Scattered Spider's actual toolkit, as described in CISA and FBI advisories, looks like this. The group is known for publishing TTPs openly — partly because their members are young and reckless, partly because they've calculated that publishing techniques costs them nothing and earns them status.


We are not asserting Uzseclab is Scattered Spider. We are asserting that this toolkit operationalizes Scattered Spider's primary initial access vector exactly, was published with no defensive framing, and appeared twelve months after multiple high-profile Scattered Spider arrests — at which point new actors typically clone the playbook.


**Why this matters now:** The FBI charged five Scattered Spider members between November 2024 and February 2025. When a criminal group gets decapitated, the tooling doesn't disappear — it gets absorbed. Successors emerge. Affiliates go independent. The technique lives on in a shell script on GitHub with one star.




## What Actual Lapsus$ Looks Like



For completeness: the only other Lapsus$-attributed content we found on GitHub is two repos by `bbaranoff` hosting the original 2022 NVIDIA and Samsung leak torrents (190 GB and 13 stars, respectively). These are archivists, not actors.


The actual Lapsus$ group communicated almost entirely via Telegram. Their data exfiltration happened through purchased access to corporate VPNs and MFA bypass. Their bragging happened in public Telegram channels. Their tools were Microsoft's own utilities — AzureAD PowerShell modules, legitimate remote access software, social engineering scripts that lived in their heads, not on GitHub.


The Brazilian members posted receipts. The UK teenagers recruited insiders in Discord DMs. None of it was on GitHub.




## IOCs — Indexed to STIX Feed



The following indicators have been added to our database and will propagate to the STIX feed for our 275+ consumers in 46 countries:


**Campaign: Fake-Lapsus-DEV0537-Bait**


- `github.com/peiceofmind` — payload host account (URL, confidence 90%)

- `github.com/peiceofmind/update/raw/main/spoolsv_protected.exe` — primary payload delivery URL (URL, 95%)

- `DEV-0537.ps1` — dropper filename (filename, 85%)

- `RunScript11.bat` — AV killer component (filename, 88%)

- `spoolsv_protected.exe` — final payload, process-spoofing trojan (filename, 92%)

- `github.com/SecHex/SecHex-Spoofy` — distraction lure (URL, 70%)


**Campaign: Scattered-Spider-TTP-Toolkit**


- `github.com/Uzseclab/mfa-fatigue-toolkit` — MFA fatigue tool targeting Azure AD/Okta/Duo (URL, 78%)


Search these across the STIX feed at:

`https://analytics.dugganusa.com/api/v1/search/correlate?q=spoolsv_protected`




## Defensive Recommendations



**For the fake dropper:**

- Block execution of PowerShell scripts that use format-string array variable construction — `("{4}{13}{5}{9}{6}" -f ...)` is a strong behavioral signal

- Monitor for `Expand-Archive` followed immediately by `Start-Process` with `-Verb RunAs` in the same script

- Alert on `spoolsv.exe` or `spoolsv_protected.exe` running from `%TEMP%`

- Treat Discord CDN (`cdn.discordapp.com`) as a payload delivery mechanism, not just a chat app
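As an added example (not the post's code and not the dropper itself), a small Python triage script that applies the first two checks above and the obfuscation signals described under Find #1 to a constructed PowerShell snippet written in the dropper's style: it resolves `-f` format-string constructs to the literal they build, normalizes backtick-split variable names, and flags `Expand-Archive` followed by `Start-Process -Verb RunAs`. The URL, file names and variable name in the sample are placeholders.

```python
import re

# Constructed sample in the style of the dropper described above; the URL and
# file names are placeholders, not the real ones.
SAMPLE_PS1 = r'''
${WIN`RaR`URL} = ("{2}{0}{1}" -f 'tps://','example.invalid/winrar.exe','ht')
Expand-Archive -Path "$env:TEMP\kit.zip" -DestinationPath $env:TEMP
Start-Process -FilePath "$env:TEMP\RunScript11.bat" -Verb RunAs
'''

# ("{4}{13}{5}..." -f 'a','b',...): the template indices pick the argument order.
FORMAT_RE = re.compile(r'"((?:\{\d+\})+)"\s*-f\s*' + r"((?:'[^']*'\s*,?\s*)+)")
# ${WIN`RaR`URL}: backticks inside a braced variable name are no-ops to PowerShell.
BACKTICK_VAR_RE = re.compile(r'\$\{([^}]*`[^}]*)\}')


def deobfuscate_format(template: str, arg_text: str) -> str:
    """Resolve a -f format-string construct into the literal it builds."""
    args = re.findall(r"'([^']*)'", arg_text)
    order = [int(i) for i in re.findall(r'\{(\d+)\}', template)]
    return ''.join(args[i] for i in order)


def analyze(script: str) -> dict:
    """Return the behavioral signals a detection rule would key on."""
    findings = {'format_strings': [], 'backtick_vars': [], 'archive_then_runas': False}
    for tmpl, args in FORMAT_RE.findall(script):
        findings['format_strings'].append(deobfuscate_format(tmpl, args))
    for name in BACKTICK_VAR_RE.findall(script):
        findings['backtick_vars'].append(name.replace('`', ''))
    # Expand-Archive followed later in the script by Start-Process ... -Verb RunAs
    saw_expand = False
    for line in script.splitlines():
        if 'Expand-Archive' in line:
            saw_expand = True
        elif saw_expand and 'Start-Process' in line and re.search(r'-Verb\s+RunAs', line, re.I):
            findings['archive_then_runas'] = True
    return findings


if __name__ == '__main__':
    for key, value in analyze(SAMPLE_PS1).items():
        print(f'{key}: {value}')
```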


**For the MFA fatigue toolkit:**

- Enforce number matching on all MFA push notifications (requires the user to enter a code from the login screen, which defeats fatigue attacks cold)

- Alert on more than 3 MFA push rejections within 60 minutes for a single account

- Treat help desk calls from users who "just got locked out" as elevated-risk identity verification events

- Review Okta/Azure AD logs for authentication spray patterns — low-and-slow requests from rotating IPs at 1-2/second are the signature
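The push-rejection alert above, as an added Python example (not the post's code and not any vendor's): it keeps a per-account sliding 60-minute window over constructed, simplified push-MFA events (a placeholder line format, not the real Okta or Azure AD log schema) and alerts on the first event that puts an account over three rejections in the window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified push-MFA events: ISO timestamp, account, push outcome.
# This is a placeholder format, not a real Okta/Azure AD log schema.
SAMPLE_LOG = """\
2026-01-01T09:00:05Z alice@example.invalid REJECTED
2026-01-01T09:01:10Z alice@example.invalid REJECTED
2026-01-01T09:02:30Z bob@example.invalid APPROVED
2026-01-01T09:03:00Z alice@example.invalid REJECTED
2026-01-01T09:40:00Z alice@example.invalid REJECTED
2026-01-01T11:00:00Z bob@example.invalid REJECTED
2026-01-01T11:30:00Z bob@example.invalid REJECTED
2026-01-01T12:10:00Z bob@example.invalid REJECTED
2026-01-01T12:20:00Z bob@example.invalid REJECTED
"""

WINDOW = timedelta(minutes=60)
THRESHOLD = 3  # alert when rejections inside the window exceed this count


def parse_line(line: str):
    ts, account, outcome = line.split()
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), account, outcome


def push_fatigue_alerts(log_text: str, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {account: time of first alert} for accounts whose push rejections
    exceed `threshold` within any sliding `window`. Events are assumed in time order."""
    recent = defaultdict(deque)  # account -> timestamps of rejections still in window
    alerts = {}
    for line in log_text.splitlines():
        ts, account, outcome = parse_line(line)
        if outcome != 'REJECTED':
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # drop rejections older than the window
            q.popleft()
        if len(q) > threshold and account not in alerts:
            alerts[account] = ts
    return alerts


if __name__ == '__main__':
    for account, when in push_fatigue_alerts(SAMPLE_LOG).items():
        print(f'ALERT {account}: >{THRESHOLD} push rejections in {WINDOW}, at {when}')
```

In the sample, `bob` accumulates four rejections but never more than three inside one hour, so only `alice` trips the alert.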




## The Takeaway



Lapsus$ was teenagers. Scattered Spider is mostly teenagers. The tools aren't exotic. What they have — and what defenders consistently underestimate — is patience, social confidence, and a willingness to call your help desk and pretend to be a distressed employee.


The dropper at `peiceofmind/DEV-0537` is a footnote. The MFA fatigue toolkit at `Uzseclab` is the thing worth watching. It is the technique that took down MGM. It is available on GitHub. It has one star, published January 1, 2026, by an organization with no history.


Somebody is warming up.




*DugganUSA sources government-released data and open-source intelligence. All indicators in this post are derived from publicly accessible GitHub repositories. IOC data available via STIX 2.1 feed. Queries: [analytics.dugganusa.com](https://analytics.dugganusa.com)*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*
