Listen to this Post
Introduction:
What appears to be a wave of disconnected phishing incidents—some impersonating the IRS, others mimicking the Social Security Administration or DocuSign—can be traced back to a single developer selling a Phishing-as-a-Service (PhaaS) toolkit to nearly 200 criminal operators. Dubbed “The Quarry” by SOCRadar’s threat research team, this cybercrime ecosystem has been operating since at least April 2025 and remains active at the time of publication. The operation represents a fundamental shift in the cybercrime landscape: phishing is no longer just about fake login pages but has evolved into an industrialized access-delivery business that combines social engineering, traffic cloaking, affiliate operations, legitimate remote access tools, and post-exploitation automation.
Learning Objectives:
- Understand the architecture and attack chain of the Quarry PhaaS/MaaS operation, including its use of legitimate RMM tools for evasion
- Identify the technical indicators of compromise (IoCs) and infrastructure patterns associated with Quarry campaigns
- Implement defensive measures, including application control policies, network filtering rules, and endpoint monitoring strategies to detect and block Quarry-related activity
1. Understanding The Quarry’s Industrialized Cybercrime Model
The Quarry is not a single threat actor running one campaign—it is a managed service where one developer provides a toolkit and infrastructure that many affiliates can use to run their own independent campaigns. The developer behind the operation operates under the alias RockyBelling (also known as Rock, Rockky, and Mike) and runs a criminal service marketplace from a Telegram channel called “Rocky War Room,” which had 194 subscribers at the time of analysis. His profile bio reads “Anything Cyber!!!! Screenconnect always available,” which summarizes the service offering concisely.
Operators who purchase the service receive a comprehensive attack package that includes phishing kits, cloaking infrastructure, self-hosted remote access panels, bulk email tools, and post-exploitation scripts. Entry-level tools start at approximately $500, while a fully provisioned remote access setup costs around $2,000 with a monthly maintenance fee. The operation adapts its lure themes to current events, with US tax season being the most heavily exploited window, but it runs year-round.
Step-by-Step Guide: Investigating PhaaS Infrastructure
To identify and track PhaaS operations like The Quarry, security teams should implement the following investigative workflow:
- Domain Discovery and Correlation: Use passive DNS and certificate transparency logs to identify clusters of domains sharing similar registration patterns, SSL certificates, or hosting infrastructure. The Quarry was found to operate across 80+ domains.
-
Telegram Channel Monitoring: Monitor public and private Telegram channels for mentions of phishing kits, RMM tools, and credential harvesting services. Use tools like Telegram’s API with Python to automate collection:
Python script to monitor Telegram channels for threat actor activity
from telethon import TelegramClient
import asyncio
api_id = 'YOUR_API_ID'
api_hash = 'YOUR_API_HASH'
channel_username = 'rocky_war_room' Example channel
client = TelegramClient('session', api_id, api_hash)
async def main():
await client.start()
channel = await client.get_entity(channel_username)
async for message in client.iter_messages(channel, limit=100):
if 'ScreenConnect' in message.text or 'phishing' in message.text:
print(f"[{message.date}] {message.text}")
asyncio.run(main())
- Infrastructure Mapping: Leverage threat intelligence platforms (MISP, VirusTotal, ThreatConnect) to correlate IP addresses, domains, and file hashes. The Quarry’s infrastructure included 40+ ScreenConnect panels and 500+ distinct victim IP addresses across 14 countries.
-
The Attack Chain: From Phishing Email to Remote Access
The Quarry executes a multi-phased attack chain that aggressively filters out security scanners and researchers. Understanding each phase is critical for defenders.
Phase 1: Initial Lure and Delivery
The attack begins with a bulk email designed to look like an IRS refund notice, an SSA tax filing confirmation, or a document shared through a trusted platform like DocuSign, Adobe, Microsoft, or Dropbox. Tax-themed lures are the most prevalent, but the operation pivots across pretexts year-round. The emails warn recipients of a tax filing issue, a benefit requiring action, or an urgent document requiring signature—lures designed to prompt immediate clicking without scrutiny.
Phase 2: Traffic Cloaking and Victim Filtering
When a victim clicks the malicious link, the server immediately checks the browser’s user agent. It redirects non-Windows devices to harmless error pages, ensuring only viable desktop targets reach the final payload staging area. A second layer uses Adspect, a traffic cloaking service, to fingerprint the browser and block researchers, automated scanners, sandboxes, virtual graphics cards, and security crawlers. Only real victims ever see the phishing page.
Phase 3: Payload Delivery
The phishing page replicates the Social Security Administration portal (or other trusted platforms) with convincing detail, including official seals and familiar layout sections. Victims are told to download a “Security Connector” to access their statement, while the real payload—a ScreenConnect MSI installer—downloads silently through a hidden webpage frame. In April 2026, the developer released a VBS dropper sent by email that installs ScreenConnect silently while opening a decoy PDF to distract the victim.
Phase 4: Remote Access and Post-Exploitation
Once ScreenConnect is installed, the operator receives victim notifications in real time through dedicated Telegram bots. The attacker gains a persistent remote desktop session to the victim’s machine for credential theft, banking session hijacking, and—in enterprise victim cases—lateral movement into corporate networks.
Step-by-Step Guide: Detecting ScreenConnect Abuse
Security teams should implement the following detection measures:
Windows Detection (PowerShell):
Detect unauthorized ScreenConnect installations
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "ScreenConnect" }
Check for ScreenConnect services
Get-Service | Where-Object { $<em>.DisplayName -like "ScreenConnect" -or $</em>.Name -like "ScreenConnect" }
Audit scheduled tasks for persistence
Get-ScheduledTask | Where-Object { $<em>.TaskName -like "ScreenConnect" -or $</em>.Actions.Execute -like "ScreenConnect" }
Monitor for silent MSI installations from temp directories
Get-WinEvent -LogName "Application" | Where-Object { $<em>.ProviderName -eq "MsiInstaller" -and $</em>.Message -like "temp" -and $_.Message -like "ScreenConnect" }
Linux Detection (Bash):
Check for ScreenConnect processes ps aux | grep -i screenconnect Check for ScreenConnect files in common locations find / -1ame "ScreenConnect" -type f 2>/dev/null Audit network connections to known ScreenConnect panels netstat -tunap | grep -E "8040|8041" Default ScreenConnect ports Check for suspicious VBS or PowerShell execution in user directories find /home -1ame ".vbs" -o -1ame ".ps1" 2>/dev/null
3. The Weaponization of Legitimate RMM Tools
What makes The Quarry especially dangerous is its use of legitimate remote monitoring and management (RMM) software as the final payload. ConnectWise ScreenConnect is a legitimate enterprise remote support tool used by IT departments globally. Antivirus software, endpoint detection and response platforms, and enterprise security tools that maintain allowlists for legitimate remote access tools will not flag ConnectWise ScreenConnect as malware—it is not malware.
When The Quarry’s subscribers install it on a victim’s device through a phishing chain, the victim’s computer becomes a managed endpoint in the attacker’s remote access fleet. Security tools that would detect and block traditional remote access trojans have no mechanism to distinguish a ConnectWise ScreenConnect installation authorized by an IT department from one installed by a threat actor through a phishing chain.
Step-by-Step Guide: Implementing RMM Allowlisting and Monitoring
- Create an Approved RMM Inventory: Maintain a comprehensive list of authorized RMM tools used by your IT department. Document the specific versions, installation paths, and expected behaviors.
2. Implement Application Control Policies:
Windows: Use AppLocker to restrict unauthorized executables Create a rule to block ScreenConnect installations from user-writable directories Example policy using PowerShell: $RulePath = "C:\ProgramData\Microsoft\Windows\AppLocker" $Policy = @" <RuleCollection Type="Exe" EnforcementMode="Enabled"> <FilePathRule Id="BlockScreenConnect" User="Everyone" Action="Deny"> <Conditions> <FilePathCondition Path="%USERPROFILE%\\ScreenConnect.exe"/> <FilePathCondition Path="%TEMP%\\ScreenConnect.msi"/> </Conditions> </FilePathRule> </RuleCollection> "@ $Policy | Out-File "$RulePath\AppLockerPolicy.xml"
3. Monitor for Unauthorized RMM Installations:
Linux: Audit for unauthorized remote access tools
Create a monitoring script
!/bin/bash
KNOWN_RMM=("screenconnect" "anydesk" "teamviewer" "logmein" "splashtop")
for rmm in "${KNOWN_RMM[@]}"; do
if pgrep -f "$rmm" > /dev/null; then
echo "ALERT: $rmm process detected at $(date)" >> /var/log/rmm_monitor.log
Send alert to SIEM
logger "Unauthorized RMM detected: $rmm"
fi
done
- Implement Endpoint Detection Rules: Configure EDR tools to alert on:
– ScreenConnect MSI installations executing from temporary directories with hidden command-line parameters
– Visual Basic Script execution from user-writable directories
– PowerShell scripts that forcibly close browsers to unlock browser history databases
4. Post-Exploitation Tools and Data Exfiltration
Once ScreenConnect is installed, operators can deploy a suite of post-exploitation tools designed to extract valuable data. The developer’s Telegram channel promotes multiple capabilities:
Browser History Extraction: One PowerShell script pulls six months of browser history after forcibly closing the browser to unlock its database, sending the extracted data to the operator through Telegram.
W-2 Document Discovery: A second script scans the victim’s files for W-2 tax documents, targeting Social Security numbers, employer records, and salary information.
Credential and Cookie Theft: The developer’s Telegram channel also promotes VioletRAT, a tool with credential dumping and cookie theft capabilities. AWS access keys have been found in campaign logs, harvested from public-facing JavaScript files belonging to targeted organizations.
Step-by-Step Guide: Monitoring for Post-Exploitation Activity
Windows Event Log Monitoring:
Monitor for PowerShell script execution with suspicious parameters
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object { $<em>.Id -eq 4104 -and $</em>.Message -match "DownloadString|Invoke-Expression|WebClient" } |
Select-Object TimeCreated, Message
Monitor for browser database access attempts
Chrome history database: %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
Firefox: %APPDATA%\Mozilla\Firefox\Profiles.default-release\places.sqlite
Audit for file access to W-2 or tax documents
Get-WinEvent -LogName "Security" |
Where-Object { $<em>.Id -eq 4663 -and $</em>.Message -match "W-2|tax|ssn|social" } |
Select-Object TimeCreated, Message
Network Monitoring (Snort/Suricata Rules):
Detect Telegram API exfiltration (common C2 channel for The Quarry) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Possible Telegram C2 Exfiltration"; content:"api.telegram.org"; http_host; content:"sendMessage"; http_uri; content:"chat_id"; http_client_body; classtype:trojan-activity; sid:1000001;) Detect ScreenConnect panel communication alert tcp $HOME_NET any -> $EXTERNAL_NET 8040 (msg:"ScreenConnect Panel Connection"; content:"ScreenConnect"; depth:100; classtype:bad-unknown; sid:1000002;)
Linux File Integrity Monitoring (AIDE):
Initialize AIDE database for baseline aide --init Check for unauthorized modifications to browser databases aide --check | grep -E "History|places.sqlite|cookies.sqlite" Monitor for suspicious file creation in user directories inotifywait -m -r -e create -e modify /home// --format '%w%f' | while read FILE; do if [[ $FILE =~ .(vbs|ps1|js)$ ]]; then echo "ALERT: Suspicious script created: $FILE" | logger -t file_monitor fi done
5. Defensive Strategies and Mitigation
Defending against The Quarry requires organizations to look beyond traditional file hashes and focus on behavioral anomalies. The toolkit’s modular design and use of legitimate RMM software make standard signature-based detection highly ineffective.
Comprehensive Defense-in-Depth Strategy:
1. Network-Level Controls:
- Block web traffic to newly registered domains that combine fiscal terms like “tax” or “ssa” with action words like “portal” or “sync”
- Implement DNS filtering to block known malicious domains
- Monitor for connections to ScreenConnect panels on ports 8040 and 8041
2. Endpoint-Level Controls:
- Enforce strict application control policies to restrict unauthorized Visual Basic Script execution from user-writable directories
- Maintain an approved list of RMM tools and trigger immediate alerts for unauthorized ScreenConnect or Datto installations
- Monitor endpoint logs for silent MSI installations that execute from temporary directories using hidden command-line parameters
3. Cloud and Web Application Security:
- Audit external-facing web properties to ensure threat actors cannot scrape exposed cloud credentials or API keys that fuel these targeted campaigns
- Implement Web Application Firewall (WAF) rules to block known phishing patterns
4. User Awareness and Training:
- Educate users about tax-themed phishing lures and the “Security Connector” download tactic
- Implement simulated phishing exercises that mimic The Quarry’s tactics to test user readiness
Step-by-Step Guide: Implementing The Quarry-Specific Defenses
Windows Group Policy for Application Control:
Block ScreenConnect installation from user directories Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules Create Deny rule for: - %USERPROFILE%\ScreenConnect.exe - %TEMP%\ScreenConnect.msi - %APPDATA%\ScreenConnect.exe Block VBS execution from user-writable directories Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Script Rules Create Deny rule for: - %USERPROFILE%.vbs - %TEMP%.vbs
SIEM Detection Queries (Splunk/ELK):
Detect ScreenConnect installations from temp directories index=windows source="WinEventLog:Application" EventCode=1033 | search Message="ScreenConnect" AND Message="temp" | stats count by host, user, Message Detect PowerShell browser history extraction index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 | search ScriptBlockText="History" OR ScriptBlockText="WebClient" OR ScriptBlockText="DownloadString" | table _time, host, user, ScriptBlockText Detect Telegram C2 communications index=network firewall | search dest_ip=149.154.167. OR dest_domain=.telegram.org | stats count by src_ip, dest_ip, dest_domain
Linux iptables Rules for Network Filtering:
Block outbound connections to known ScreenConnect panel ports iptables -A OUTPUT -p tcp --dport 8040 -j LOG --log-prefix "BLOCKED_SCREENCONNECT: " iptables -A OUTPUT -p tcp --dport 8041 -j LOG --log-prefix "BLOCKED_SCREENCONNECT: " iptables -A OUTPUT -p tcp --dport 8040 -j DROP iptables -A OUTPUT -p tcp --dport 8041 -j DROP Block Telegram API exfiltration (if not business-required) iptables -A OUTPUT -d 149.154.167.0/24 -j LOG --log-prefix "BLOCKED_TELEGRAM: " iptables -A OUTPUT -d 149.154.167.0/24 -j DROP
What Undercode Say:
- The Quarry represents a fundamental shift in cybercrime economics: By industrializing phishing as a managed service, a single developer has enabled nearly 200 affiliates to launch sophisticated, evasive campaigns with minimal technical skill. This dramatically lowers the barrier to entry and scales the threat landscape exponentially.
-
The weaponization of legitimate tools is the most dangerous trend: ConnectWise ScreenConnect is trusted by security tools, making it invisible to traditional defenses. This trend of “living off the land” and abusing legitimate software will only accelerate, requiring organizations to shift from signature-based detection to behavioral and contextual analysis.
-
The supply chain of cybercrime is becoming increasingly professionalized: With tiered subscription models, dedicated support channels, onboarding assistance, and regular product updates, The Quarry operates with the sophistication of a legitimate SaaS company. This professionalization means threat actors can focus on execution while the developer handles innovation and infrastructure maintenance.
The Quarry’s use of Telegram for C2 communications, real-time victim notifications, and customer support demonstrates how legitimate platforms are co-opted for criminal purposes. The operation already shows signs of growing downstream risk, with stolen credentials potentially being sold to ransomware groups through Initial Access Broker activity. Organizations must treat phishing not as a nuisance but as an access-delivery business that can lead to full-scale ransomware incidents and data breaches.
Prediction:
- +1 The industrialization of phishing through PaaS platforms like The Quarry will accelerate, with more developers entering the market and creating specialized toolkits for different sectors, geographies, and attack vectors. This will drive down costs and increase the volume and sophistication of attacks.
-
-1 The weaponization of legitimate RMM tools will become the default tactic for sophisticated threat actors, rendering traditional antivirus and allowlist-based security controls obsolete. Organizations that fail to implement behavioral monitoring and strict application control policies will face increasing compromise rates.
-
-1 The Quarry’s success in evading detection through traffic cloaking and user-agent filtering will inspire copycat operations, making it increasingly difficult for security researchers and automated scanners to identify and disrupt phishing campaigns before they reach victims.
-
+1 Increased awareness of PaaS operations like The Quarry will drive investment in advanced threat intelligence, behavioral analytics, and automated incident response capabilities. Security vendors will develop specialized detection rules for RMM abuse and Telegram-based C2 communications.
-
-1 The potential resale of stolen credentials and access to ransomware groups through Initial Access Brokers will create a more dangerous threat landscape where phishing leads directly to ransomware deployment, data encryption, and extortion.
-
+1 Regulatory bodies and law enforcement agencies will increase focus on disrupting PaaS operations, potentially leading to takedowns of major platforms and arrests of key developers like RockyBelling. However, the decentralized affiliate model makes complete eradication unlikely.
-
-1 The Quarry’s operation remaining active at the time of publication suggests that current defensive measures are insufficient. Organizations must assume compromise and implement zero-trust architectures, privileged access management, and robust incident response plans to minimize impact.
▶️ Related Video (80% Match):
https://www.youtube.com/watch?v=7V-RuoGY_fk
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Flavioqueiroz Thequarry – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
