Weekly Threat Sweep: December 20, 2025
- Patrick Duggan
- Dec 20, 2025
- 4 min read
---
title: "Weekly Threat Sweep: 12 New GitHub Malware Repos, 3,802 Fresh IOCs, and a FUD Crypter"
slug: weekly-threat-sweep-2025-12-20
date: 2025-12-20
author: Patrick Duggan
tags: [threat-intelligence, weekly-sweep, github, threatfox, stix, malware, rat, stealer]
category: Threat Intelligence
featured: false
story_density_target: 120.9
---
The nets caught fire this week. 12 new GitHub malware repositories, 3,802 fresh IOCs from ThreatFox, and a FUD crypter with process injection that made us sit up straight.
Here's what we found.
GitHub: 12 New Malware Repos in 7 Days
Our Pattern 38+ detection found a fresh crop of malware repositories created between December 13 and 20, 2025. Zero-follower accounts. Explicit malware names. GitHub's detection missed all of them.
Critical Findings
| Account | Repository | Risk Level | Why It Matters |
|---------|------------|------------|----------------|
| ASDlikeS | TwinkiePieStealer | CRITICAL | Multi-platform stealer: banking, Telegram, Discord. C# with TypeScript server. |
| TheDarkMythos | SheepCrypter | CRITICAL | FUD crypter with SEC_IMAGE sections, custom encryption, ADS payload delivery. |
| ysnix4 | GrabberToken | HIGH | Discord token grabber, 0 followers |
| kdbthegoat | DISCORD-TOKEN-COOKIE-GRABBER-V3 | HIGH | Zero-follower account, July 2025 creation |
| dev-196 | StarStealer | HIGH | Discord webhook exfiltration, 0 followers |
| SertraFurr | Discord-Token-Stealer | HIGH | Memory dumper in Zig language |
| ergitoergito4-spec | Arrin, Lali | HIGH | Account created same day as repos, explicit "Steal" description |
| lupepeksokhekeljink | ARCHIVE-STEALER | HIGH | Created today (Dec 20) |
| Thilak05 | RAT | MEDIUM | Telegram bot C2 |
| trustnone93 | quickGet_GMpswd | MEDIUM | Credential grabber targeting multiple platforms |
| jonas-fernandez-as | malicious-extension-poc | MEDIUM | Browser extension cookie stealer |
The Pattern
• 83% zero-star repositories
• 42% zero-follower accounts
• 3 accounts created within the last month
• Discord remains the primary exfiltration vector
The Standout: SheepCrypter
TheDarkMythos isn't a script kiddie. 216 public repos. 19 followers. Active since 2016. SheepCrypter uses:
• Transient SEC_IMAGE sections for process injection
• Custom crypter implementation
• Alternate Data Streams for payload delivery
• Zero disk traces
This is professional-grade evasion. And it's sitting on GitHub with 2 stars.
ThreatFox: 3,802 IOCs in 7 Days
The abuse.ch feed delivered this week.
Top Malware Families
| Family | IOC Count | Percentage |
|--------|-----------|------------|
| ClearFake | 1,061 | 27.9% |
| Cobalt Strike | 536 | 14.1% |
| Unknown | 296 | 7.8% |
| Vidar | 202 | 5.3% |
| Meterpreter | 200 | 5.3% |
| Formbook | 136 | 3.6% |
| Quasar RAT | 134 | 3.5% |
| AsyncRAT | 123 | 3.2% |
| Mirai | 84 | 2.2% |
| XWorm | 81 | 2.1% |
Cobalt Strike: Still Everywhere
• 496 IP:Port C2 servers (92.5%)
• 24 file hashes
• 11 domains
• 5 URLs
ThreatFox tracks 119,796 Cobalt Strike IOCs total. It's the infrastructure of choice for both red teams and threat actors.
RAT Proliferation
430 RAT IOCs across 14 distinct families:
| Family | IOC Count |
|--------|-----------|
| Quasar RAT | 134 |
| AsyncRAT | 123 |
| Unknown RAT | 55 |
| ValleyRAT | 32 |
| SectopRAT | 29 |
| DCRat | 29 |
| NjRAT | 23 |
| NetSupport RAT | 16 |
| Ghost RAT | 7 |
| Venom RAT | 3 |
| SwaetRAT | 3 |
| DarkVision RAT | 2 |
| XenoRAT | 1 |
| Nanocore RAT | 1 |
| GobRAT | 1 |
Platform Abuse
No GitHub-hosted payloads in ThreatFox this week. Instead, threat actors are using:
| Platform | Malware | IOC |
|----------|---------|-----|
| Telegram | Vidar | telegram.me/gal17d |
| Telegram Bot API | Agent Tesla | api.telegram.org/bot8393528187:... |
| Telegram Bot API | Agent Tesla | api.telegram.org/bot8194658562:... |
| Discord CDN | Loader | cdn.discordapp.com/.../pctool.exe |
| Discord CDN | Loader | cdn.discordapp.com/.../pctool.exe |
| Pastebin | DCRat | pastebin.com/raw/281M3qnx |
Discord and Telegram remain the exfiltration and C2 platforms of choice.
Our STIX Feed: 162K+ IOCs
Current platform stats:
| Metric | Value |
|--------|-------|
| Total IOCs | 162,384 |
| Database Size | 4.70 GB |
| PreCog Detections | 1,026 |
| ThreatFox Sourced | 3,068 |
| Automated Decisions | 135,224 |
Top Malware Families in Our Feed
| Family | IOC Count |
|--------|-----------|
| StealC | 1,115 |
| Cobalt Strike | 1,021 |
| ClearFake | 1,015 |
| Vidar | 1,011 |
| AsyncRAT | 1,009 |
| Remcos | 895 |
| XWorm | 602 |
| Lumma | 156 |
Recent Detections
• `picketwarp.ru`
• `fl-0-wlatch.ru`
• `quartzmug.ru`
All marked as malware distribution.
The Numbers
| Source | This Week | Total |
|--------|-----------|-------|
| GitHub new repos | 12 | 25+ tracked |
| ThreatFox IOCs | 3,802 | 119K+ CS alone |
| Our STIX feed | 162,384 | Growing |
| PreCog detections | 1,026 | Unique finds |
What This Means
1. GitHub detection remains broken. 12 new malware repos in 7 days, zero automated action. We filed a bounty.
2. Stealers dominate. StealC, Vidar, Lumma - information theft is the business model.
3. Platform abuse continues. Discord and Telegram are the new C2 infrastructure. Traditional network filtering doesn't work.
4. Cobalt Strike is everywhere. 536 new IOCs per week. The line between red team and threat actor is invisible.
5. FUD crypters are sophisticated. SheepCrypter shows professional evasion techniques on a public platform.
Get the Data
```bash
# Search our threat intel
curl "https://analytics.dugganusa.com/api/v1/search?q=AsyncRAT"
```

Free. Open. Because hoarding threat intel while malware proliferates is morally indefensible.
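Once you have pulled the STIX 2.1 feed, the useful next step is turning indicator patterns into a blocklist and a per-family count. The parser below is an added example, not the post's or DugganUSA's code; the bundle, its ids and the 192.0.2.10 C2 address are constructed for the example, and the feed's exact object layout is an assumption (standard STIX 2.1 indicator, malware and `indicates` relationship objects).

```python
import json
import re
from collections import Counter

# Constructed sample in STIX 2.1 shape (not real feed output): two domains from
# Recent Detections, a hypothetical IPv4 C2, one malware SDO and its relationships.
_M = "malware--aaaa0000-0000-4000-8000-000000000001"
_I = "indicator--bbbb0000-0000-4000-8000-00000000000"
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--cccc0000-0000-4000-8000-000000000001", "objects": [
    {"type": "malware", "spec_version": "2.1", "id": _M, "name": "ClearFake", "is_family": True},
    {"type": "indicator", "spec_version": "2.1", "id": _I + "1", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'picketwarp.ru']", "valid_from": "2025-12-20T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": _I + "2", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'quartzmug.ru']", "valid_from": "2025-12-20T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": _I + "3", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.10'] AND [network-traffic:dst_port = 443]",
     "valid_from": "2025-12-20T00:00:00Z"},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--dddd0000-0000-4000-8000-000000000001",
     "relationship_type": "indicates", "source_ref": _I + "1", "target_ref": _M},
    {"type": "relationship", "spec_version": "2.1", "id": "relationship--dddd0000-0000-4000-8000-000000000002",
     "relationship_type": "indicates", "source_ref": _I + "2", "target_ref": _M},
]})
# One quoted comparison inside a STIX pattern: object-type:property = 'value'.
# Unquoted comparisons (e.g. network-traffic:dst_port = 443) are deliberately skipped.
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([\w.'\[\]-]+)\s*=\s*'([^']*)'")

def extract_observables(bundle_json):
    """Return [(object_type, property, value, family)] for every STIX-pattern indicator."""
    bundle = json.loads(bundle_json)
    objs = {o["id"]: o for o in bundle["objects"]}
    # indicator id -> malware family name, resolved through 'indicates' relationships
    family_of = {r["source_ref"]: objs[r["target_ref"]]["name"]
                 for r in bundle["objects"]
                 if r["type"] == "relationship" and r.get("relationship_type") == "indicates"
                 and objs.get(r["target_ref"], {}).get("type") == "malware"}
    out = []
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue  # only STIX-language patterns are parsed here
        for obj_type, prop, value in COMPARISON_RE.findall(o["pattern"]):
            out.append((obj_type, prop, value, family_of.get(o["id"], "Unknown")))
    return out

def blocklist(bundle_json, object_type):
    """Sorted unique values of one observable type, e.g. 'domain-name' or 'ipv4-addr'."""
    return sorted({v for t, _, v, _ in extract_observables(bundle_json) if t == object_type})

def family_counts(bundle_json):
    """IOC count per malware family, like the Top Malware Families tables above."""
    return Counter(f for _, _, _, f in extract_observables(bundle_json))
```

Feed the real bundle in place of `SAMPLE_BUNDLE` and `blocklist(..., "domain-name")` is ready to load into a DNS sinkhole or proxy denylist.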
*Weekly sweep by DugganUSA LLC - Minnesota*
*"The nets caught fire this week."*
• [GitHub RAT Farm Bounty Submission](/post/github-rat-farm-detection-bypass-bounty)
• [Pattern 38: Sleeper Account Detection](/post/pattern-38-sleeper-accounts)
• GitHub hunt: Pattern 38+ automated detection
• ThreatFox: abuse.ch API (authenticated)
• STIX feed: analytics.dugganusa.com/api/v1/stix-feed
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]