
Your GPU Is Your Attack Surface. Rowhammer Just Proved It.

  • Writer: Patrick Duggan
  • Apr 3
  • 5 min read

Two research teams dropped papers yesterday showing that NVIDIA GPUs are vulnerable to Rowhammer attacks. Not theoretical. Not in a lab. Hundreds to thousands of bit flips on production hardware — RTX 3060, RTX A6000 — giving the attacker full control of the host machine through the GPU's memory.


The GPU that trains your AI model. The GPU that renders your cloud workload. The GPU that powers the inference engine your customers depend on. It's an attack surface. It always was. Now there's proof.



How It Works


Rowhammer is a hardware vulnerability. You repeatedly access the same row of memory — "hammer" it — and the electrical interference causes bits to flip in adjacent rows. A 0 becomes a 1. A 1 becomes a 0. The memory corrupts.


CPU Rowhammer has been known since 2014. Mitigations exist — ECC memory, Target Row Refresh (TRR), address scrambling. The industry spent a decade hardening CPU DRAM against it.


Nobody hardened the GPU.


GDDRHammer and GeForge — the two papers released yesterday — extend Rowhammer into GPU GDDR6 memory. The attack chain:


  1. Hammer GPU memory rows — repeatedly access the same GDDR6 addresses through compute shaders

  2. Bit flips accumulate — hundreds to thousands per session on Ampere-architecture cards

  3. GPU page tables corrupt — the maps that tell the GPU what memory it can access get rewritten by the flipped bits

  4. GPU accesses CPU memory — the corrupted page tables redirect GPU DMA into host system memory

  5. Full machine compromise — the GPU becomes an uncontrolled DMA engine with access to everything

The GPU doesn't need to be "hacked" in the traditional sense. The physics of the memory does the work. The attacker just needs to run a compute workload that hammers the right rows.
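The attack chain above counts bit flips (step 2) and cares where they land (step 3, the pages holding GPU page tables). The hammering itself is out of scope here; what follows is the verification half that any Rowhammer study or memory test needs: compare a region written with a known pattern against what was read back, classify every flipped bit by direction, and group the flips by 4 KiB page. This is an added example, not code from the GDDRHammer or GeForge papers; the buffers, the injected flip positions and the 4 KiB page size are constructed assumptions.

```python
"""Bit-flip census for a memory region written with a known pattern.

Added example, not from the GDDRHammer/GeForge papers. The input buffers
are constructed sample data; on real hardware `expected` is the pattern
you wrote and `observed` is the read-back after the hammering interval."""

from collections import Counter

PAGE_SIZE = 4096  # assumed page granularity; page-table entries live inside such pages


def find_flips(expected: bytes, observed: bytes):
    """Return (byte_offset, bit_index, direction) for every bit that differs."""
    if len(expected) != len(observed):
        raise ValueError("buffers must be the same length")
    flips = []
    for offset, (e, o) in enumerate(zip(expected, observed)):
        diff = e ^ o
        while diff:
            bit = (diff & -diff).bit_length() - 1        # lowest set bit of the XOR
            direction = "0->1" if (o >> bit) & 1 else "1->0"
            flips.append((offset, bit, direction))
            diff &= diff - 1                              # clear that bit, continue
    return flips


def summarize(flips, page_size=PAGE_SIZE):
    """Count flips by direction and by page, so a tester can see whether
    several flips landed inside one page (the unit a page table occupies)."""
    by_direction = Counter(direction for _, _, direction in flips)
    by_page = Counter(offset // page_size for offset, _, _ in flips)
    return {
        "total": len(flips),
        "0->1": by_direction["0->1"],
        "1->0": by_direction["1->0"],
        "pages_affected": sorted(by_page),
        "worst_page": max(by_page, key=by_page.get) if by_page else None,
    }


def inject_flips(buf: bytes, positions):
    """Constructed test helper: flip the given (offset, bit) pairs in a copy of buf."""
    data = bytearray(buf)
    for offset, bit in positions:
        data[offset] ^= 1 << bit
    return bytes(data)


if __name__ == "__main__":
    # Rowhammer studies test complementary patterns because a cell can only
    # flip away from the value it holds: all-ones reveals 1->0 flips, all-zeros 0->1.
    expected = b"\xff" * (2 * PAGE_SIZE)
    observed = inject_flips(expected, [(100, 3), (4200, 7), (4201, 0)])   # constructed flips
    print(summarize(find_flips(expected, observed)))
```

Run it against an all-zeros buffer as well as an all-ones one; a flip the all-ones pass cannot show up (0->1) is exactly what the all-zeros pass is for, which is why memory testers alternate patterns rather than trusting a single fill.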



What's Vulnerable



Hardware    Architecture   Memory   Vulnerable        ECC
RTX 3060    Ampere         GDDR6    Yes               No
RTX A6000   Ampere         GDDR6    Yes               Optional
RTX 4090    Ada Lovelace   GDDR6X   Likely            No
A100        Ampere         HBM2e    Research needed   Yes
H100        Hopper         HBM3     Research needed   Yes
RTX 5090    Blackwell      GDDR7    Mitigated         On-die ECC


The Ampere architecture is confirmed vulnerable. That's the current workhorse of every AI training cluster, every cloud GPU instance, and every research lab on earth. The RTX 3060 is the most popular GPU on Steam. The A6000 is the enterprise standard.


NVIDIA says GDDR7 (GeForce RTX 50 series) implements on-die ECC that "indirectly helps protect." Translation: the new cards might be safe. Everything deployed today is not.



Why This Matters



Cloud GPU Instances


AWS, Azure, and GCP offer GPU instances where multiple tenants share physical GPU hardware through virtualization (MIG on A100/H100, or time-sharing on consumer-grade cards). If Tenant A can hammer GPU memory and flip bits in page tables, Tenant A can potentially:


  • Read Tenant B's model weights

  • Corrupt Tenant B's training data

  • Escape the GPU sandbox into host memory

  • Access the hypervisor

Multi-tenant GPU is the foundation of cloud AI. Rowhammer makes it a shared attack surface.



AI Model Integrity


GPUHammer — a variant published in July 2025 — already demonstrated that Rowhammer bit flips can degrade AI model accuracy during training. Flip the right bits in the right weight matrices and the model learns wrong. The training looks normal. The loss curves look normal. The model just produces subtly incorrect results.


For a medical imaging model: wrong diagnosis. For a financial model: wrong risk assessment. For a military targeting model: wrong coordinates.


The model was never "hacked." The physics of the memory did the work. No logs. No alerts. No indicators of compromise.



The IRGC Connection


NVIDIA is on the IRGC's 18-company target list. NVIDIA GPUs power the military AI systems, satellite imagery analysis, and signals intelligence that the US and Israel are using against Iran right now.


If an adversary can Rowhammer a GPU in a military AI pipeline — not over the network, but through a co-located workload on the same physical hardware — they can corrupt the model that's making targeting decisions. No firewall stops a physics exploit in shared memory.


The Stryker attack used Microsoft Intune to wipe devices. The Cisco FMC attack used Java deserialization for root access. The GPU Rowhammer attack uses electromagnetic interference in memory cells to compromise the host. Each one exploits trust — the trust that your management tool, your security console, your GPU memory is safe.



The Pattern


This week's thesis, one more time:



Day         Your Tool             What Happened
Monday      CrowdStrike Falcon    Bricked 8.5M machines (2024)
Monday      Microsoft Intune      Handala wiped 200K Stryker devices
Monday      Aqua Trivy            Credential stealer in CI/CD scanner
Tuesday     Cisco FMC             CVSS 10.0, root via firewall management
Wednesday   LinkedIn              6,222 browser extensions scanned without consent
Wednesday   FBI wiretap network   Salt Typhoon inside since February
Thursday    NVIDIA GPU            Rowhammer gives full machine control through memory physics


The management console. The security scanner. The social network. The surveillance system. The graphics card.


Every layer of the stack that you trust is a layer that can be weaponized. The GPU was supposed to be the dumb compute engine — just matrix math, nothing dangerous. Except the matrix math can flip bits in the memory that controls what the GPU can access, and the GPU has DMA to your entire system.


Trust and access. All the way down to the physics.



Mitigations


Enable IOMMU in BIOS. This prevents the GPU from accessing restricted host memory even if page tables are corrupted. Performance cost: 5-15% on GPU-intensive workloads. Most cloud providers don't enable it by default because customers complain about the performance hit.


Enable ECC on GPUs that support it (A6000 optional ECC, A100/H100 HBM ECC). Consumer GPUs (RTX 3060, 4090) don't have ECC. There is no mitigation for consumer hardware.


Isolate GPU tenants on separate physical hardware. Defeats the multi-tenant attack vector but destroys the economics of cloud GPU. Nobody will do this voluntarily.


Upgrade to GDDR7 (RTX 50 series) when available. On-die ECC addresses the root cause. But the installed base of Ampere GPUs won't be replaced for years.


Monitor for Rowhammer signatures — unusual GPU memory access patterns (repeated reads to the same addresses, compute shaders that don't produce useful output). Nobody has built this monitoring yet.
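Two of the mitigations above, IOMMU and GPU ECC, can be verified from software on the host. The check below is an added example and not the papers' or NVIDIA's tooling: on a real Linux host it reads /proc/cmdline, counts entries in /sys/kernel/iommu_groups (the authoritative sign that the IOMMU is actually active; the BIOS setting alone is not enough on Intel unless the kernel is also told intel_iommu=on), and parses `nvidia-smi --query-gpu=name,ecc.mode.current --format=csv,noheader`. The kernel command line and nvidia-smi output embedded here are constructed sample strings so the check runs offline. One caveat the check surfaces: with iommu=pt the host's own devices get identity mappings, so an IOMMU that is "on" may still leave a host-owned GPU's DMA untranslated.

```python
"""Host posture check for the IOMMU and GPU ECC mitigations.

Added example, not from the GDDRHammer/GeForge papers or from NVIDIA.
Inputs are gathered by collect_live() on a real Linux host; the SAMPLE_*
values below are constructed so the assessment can run anywhere."""

import os
import subprocess

IOMMU_OFF = {"iommu=off", "intel_iommu=off", "amd_iommu=off"}
IOMMU_ON = {"intel_iommu=on", "amd_iommu=on", "amd_iommu=force_isolation"}
IOMMU_GROUPS = "/sys/kernel/iommu_groups"

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/nvme0n1p2 ro intel_iommu=on iommu=pt"
SAMPLE_IOMMU_GROUPS = 12
SAMPLE_ECC = "NVIDIA RTX A6000, Disabled\nNVIDIA GeForce RTX 3060, [N/A]\n"


def iommu_state(cmdline: str, iommu_group_count: int) -> str:
    """Exposed IOMMU groups are the authoritative signal; boot parameters only
    explain why they are (or are not) there."""
    params = set(cmdline.split())
    if params & IOMMU_OFF:
        return "disabled by boot parameter"
    if iommu_group_count > 0:
        if "iommu=pt" in params:
            return "active (passthrough mode: host-owned devices are identity-mapped)"
        return "active"
    if params & IOMMU_ON:
        return "requested but no IOMMU groups exposed; check the firmware VT-d/AMD-Vi setting"
    return "not active"


def parse_ecc_csv(text: str):
    """Parse `nvidia-smi --query-gpu=name,ecc.mode.current --format=csv,noheader`
    into (gpu_name, mode) pairs. Consumer cards report a not-available marker."""
    gpus = []
    for line in text.strip().splitlines():
        name, _, mode = line.rpartition(",")
        gpus.append((name.strip(), mode.strip()))
    return gpus


def ecc_findings(gpus):
    """Classify each GPU: ok, action needed, or no ECC to enable at all."""
    findings = []
    for name, mode in gpus:
        if mode == "Enabled":
            findings.append((name, "ok", "ECC enabled"))
        elif mode == "Disabled":
            findings.append((name, "action",
                             "ECC supported but off; enable with `nvidia-smi -e 1` and reboot"))
        else:
            findings.append((name, "unmitigated", f"no ECC available ({mode})"))
    return findings


def collect_live():
    """Gather the same inputs from a real Linux host (needs nvidia-smi in PATH)."""
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    groups = len(os.listdir(IOMMU_GROUPS)) if os.path.isdir(IOMMU_GROUPS) else 0
    ecc = subprocess.run(
        ["nvidia-smi", "--query-gpu=name,ecc.mode.current", "--format=csv,noheader"],
        capture_output=True, text=True, check=True).stdout
    return cmdline, groups, ecc


def assess(cmdline: str, iommu_group_count: int, ecc_text: str):
    """Return the combined posture report as a dict."""
    return {"iommu": iommu_state(cmdline, iommu_group_count),
            "gpus": ecc_findings(parse_ecc_csv(ecc_text))}


if __name__ == "__main__":
    report = assess(SAMPLE_CMDLINE, SAMPLE_IOMMU_GROUPS, SAMPLE_ECC)
    print("IOMMU:", report["iommu"])
    for name, status, detail in report["gpus"]:
        print(f"{name}: {status} - {detail}")
```

Swap `assess(*collect_live())` in for the sample call to run it on a live host. The "unmitigated" line for the RTX 3060 is the point the section makes about consumer hardware: there is no ECC switch to flip, so the only options left are IOMMU isolation and not sharing the card.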



The Research


The papers are at gddr.fail — credit to both research teams for responsible disclosure and a memorable domain.


No CVE assigned yet. No evidence of in-the-wild exploitation. But the proofs-of-concept are published, the hardware is everywhere, and the mitigations have performance costs that production environments won't accept.


The physics was always there. Now someone wrote the exploit.




This is the seventh "your trusted tool is your attack surface" story this week. Monday was endpoint agents. Tuesday was supply chains. Wednesday was management consoles and social networks. Thursday is the GPU itself — the silicon that powers every AI model, every cloud workload, every game, every render.


Trust and access. All the way down to the electrons.


Research: gddr.fail | GDDRHammer + GeForge (April 2, 2026)

