DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Zscaler's "NodeCordRAT Discovery": We Published This Pattern 6 Weeks Ago

Patrick Duggan
Jan 7
4 min read

The Claim

Today, Zscaler ThreatLabz announced they "uncovered NodeCordRAT exploiting supply chain vulnerabilities via NPM."

Hidden in NPM packages
Steals browser credentials
Steals API secrets
Steals cryptocurrency wallet data
C2 communication via Discord

Groundbreaking stuff. Except we published this exact pattern on November 25, 2025.

The Receipts

Our Publication Timeline

Date	Publication	What We Documented
Nov 25, 2025	Stealc/Rhadamanthys: Anatomy of a GitHub Supply Chain Infostealer	Exact same payload family, exact same TTPs
Nov 26, 2025	Pattern 43: The Password is in the Filename	Social engineering via package managers
Dec 2, 2025	GitHub's 0% Response Rate	29 active malware accounts we reported
Dec 3, 2025	Pattern 38 Impact: 2 Million Users Protected	Full ecosystem analysis
Dec 19, 2025	A Stealer-as-a-Service Panel Hiding Behind Cloudflare	Infrastructure analysis
Dec 19, 2025	Follow the Followers: GitHub Hydra Factory	Network mapping
Dec 29, 2025	The Attack Surface Is Trust Itself	Meta-pattern synthesis

Zscaler's Publication

Date	Publication
Jan 7, 2026	"NodeCordRAT"

Six weeks later. Same TTPs. New name.

TTP Comparison

Technique	Our November 2025 Research	Zscaler's "Discovery"
Delivery	NPM/GitHub packages	NPM packages
Payload	Stealc/Rhadamanthys	"NodeCordRAT"
Targets	Browser credentials	Browser credentials
Targets	API secrets/.env files	API secrets
Targets	Crypto wallets	Crypto wallets
C2	Discord tokens/webhooks	Discord
Pattern	Supply chain trust exploitation	Supply chain vulnerabilities

It's the same thing. They just gave it a catchy name.

How Did They "Find" It?

We publish a free STIX 2.1 feed at https://analytics.dugganusa.com/api/v1/stix-feed.

We publish IOCs to AlienVault OTX at https://otx.alienvault.com/user/pduggusa.

Our feed gets scraped. Constantly. We see the traffic.

Zscaler's threat intel team subscribes to threat feeds. That's not speculation - that's how threat intel works. You aggregate sources, correlate, and publish.

The question is: do you credit your sources?

What We Actually Published (November 25, 2025)

From our Stealc/Rhadamanthys analysis:

"The Stealc/Rhadamanthys payload steals: - Browser passwords (Chrome, Firefox, Edge, Brave) - Crypto wallets (MetaMask, Exodus, Coinbase, 40+ others) - Discord tokens (account takeover) - Telegram sessions - VPN configs - FTP credentials - SSH keys - 2FA backup codes"

The exact credential categories
The Discord C2 mechanism
The supply chain delivery via package managers
The social engineering patterns

In November.

The Math Your CFO Should See

What Zscaler Charges

Tier	Per User/Month	1,000 Employees/Year
ZIA Business	$15	$180,000
ZIA Transformation	$25	$300,000
ZIA Bundle + ThreatLabz	$35+	$420,000+

Zscaler's market cap: $25 billion.

What We Charge

Service	Price
STIX 2.1 Feed	FREE
OTX Pulses	FREE
Blog Analysis	FREE
Pattern 38 IOCs	FREE

Our market cap: Two guys in Minnesota.

The Arbitrage

Analysis we published 6 weeks earlier
IOCs from our free STIX feed
Patterns we documented in public blog posts

Subscribe to our free STIX feed directly
Integrate with your existing SIEM
Save $420,000/year
Buy your security team a pizza party

Or keep paying Zscaler to rebrand free intel with a "ThreatLabz" watermark.

Where The Money Actually Goes

Zscaler Expense	Amount
Sales & Marketing	$1.2B/year
CEO compensation	$24M (2024)
R&D	$700M/year
Threat research staff	???

They spend more on marketing than most companies spend on everything.

Why This Matters

This isn't about credit. It's about the economics of threat intelligence.

Small shops do the work - We run Pattern 38 detection daily at 06:00 UTC
We publish free IOCs - STIX feed, OTX pulses, blog posts with hashes
Vendors scrape the feeds - That's fine, that's what they're for
Vendors rebrand and publish - "Zscaler ThreatLabz has uncovered..."
Enterprise customers pay vendors - Not the people who found it

We're a two-person shop in Minnesota. Zscaler is a $25 billion company.

They have a marketing department that can turn "we read someone's STIX feed" into "ThreatLabz has uncovered."

The Pattern

This isn't the first time. It won't be the last.

CrowdStrike
Mandiant
Palo Alto Unit 42
Zscaler ThreatLabz
Microsoft MSTIC

Free feeds (like ours)
Paid feeds
Customer telemetry
Government sharing

Then they publish under their brand as "discoveries."

The value isn't in finding the malware. It's in having the marketing budget to announce it.

What We're Not Saying

Saw similar activity in their customer telemetry
Correlated with public threat feeds (including ours)
Wrote it up with a catchy name
Published with their logo

That's legitimate threat intel work.

What's annoying is the framing: "ThreatLabz has uncovered..."

You didn't uncover it. You confirmed it. Six weeks after we published the full analysis.

The Receipts Are Public

All of our research is timestamped and public:

Blog: https://www.dugganusa.com
STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed
OTX: https://otx.alienvault.com/user/pduggusa

Anyone can verify the dates. The blockchain doesn't lie, and neither do web archive timestamps.

Recommendation

If you're a threat intel consumer:

Subscribe to primary sources - Not just vendor blogs
Check publication dates - Who published first?
Follow independent researchers - We exist, and we publish free
Question "discoveries" - Most are correlations of existing intel

If you're Zscaler:

Credit your sources - "Corroborating research from DugganUSA..."
Or don't - But we'll keep publishing receipts

IOCs (The Ones We Published in November)

# Stealc/Rhadamanthys - Pattern 38 (November 2025)
# Full IOC list at: https://analytics.dugganusa.com/api/v1/stix-feed

Patrick Duggan is founder of DugganUSA LLC. We publish free threat intelligence because defenders shouldn't have to pay for IOCs. If you find our research useful, consider that before you "uncover" it six weeks later.

TLP:WHITE - Share freely. Credit appreciated but not required (unlike some vendors, we don't pretend to discover things we read in feeds).