Threat Intel & Field Notes
Coverage that doesn't reduce to a single vendor advisory: infostealer and RAT write-ups, threat-actor campaigns and infrastructure takedowns, tooling roundups, and industry analysis on where security practice is falling behind.

Windows Device ID trail led FBI to Scattered Spider suspect
A newly unsealed federal complaint says a Microsoft-recorded device ID tied the account behind a Scattered Spider intrusion to 19-year-old Peter Stokes.

Accenture Confirms Breach; Attacker Claims 35 GB Stolen
Accenture confirmed a security incident. A threat actor is advertising 35 GB of alleged source code for sale. The volume claim is unverified — treat accordingly.

DragonReturn Drops DcRAT on Indian Taxpayers
Seqrite Labs attributes an ongoing spear-phishing campaign against Indian tax filers to a suspected China-nexus actor with infrastructure and tactical overlap to Silver Fox. First observed May 18.

QuimaRAT: A $150 Cross-Platform Java RAT MaaS
LevelBlue profiled a new cross-platform Java RAT sold as MaaS. No confirmed campaigns yet — but the price is low, the payload runs everywhere, and the loader is built to walk past SmartScreen. Assume it lands somewhere soon.

Flipper Zero Firmware Goes Maintenance-Only
Flipper Devices says the Flipper Zero firmware is stable at 1.0 and full-time feature work is over. Community PRs run the future, filtered through GitHub Discussions voting and stricter review. Here's what changes.

Metasploit's July 3 Drop: SMB-to-Meterpreter, Peyara
Rapid7 shipped an SMB-to-Meterpreter session upgrade and a Peyara Remote Mouse RCE module this week. Neither is novel research. Both change what your alerts will look like. Here's the tune.

IGA Was Built Around Employment Records, Not Agents
A contributed piece to The Hacker News from Orchid Security lays out where the joiner-mover-leaver model quietly fails for AI agents. Vendor-adjacent, but the gap analysis holds.

Talos on Curiosity: A Skill That Doesn't Scale
William Largent's Threat Source column this week reads as an essay on board games and pattern recognition. It's really an argument about the load-bearing skill that keeps a defender from becoming a checklist.

PamStealer: A Fake Maccy Site Steals macOS Creds
Jamf Threat Labs disclosed a new macOS credential stealer today that impersonates the Maccy clipboard app, validates the victim's login password against PAM in real time, and exfiltrates keychain and browser data. Apple Silicon only. Here's what defenders should do.

FBI Seizes NetNut Proxy, Google Degrades Popa Botnet
The FBI seized hundreds of NetNut proxy domains on July 2; Google's Threat Intelligence Group, working with FBI and Lumen, cut the linked Popa botnet's usable device pool by millions the same day.