SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Rock
Jun 12, 2026
Moon

Dark Web Profile: Rock

Most Phishing-as-a-Service operations are run by a faceless brand. Rock is the opposite: a single developer who builds, maintains, and sells an entire phishing and remote access toolkit, then sits in the middle of an ecosystem of up to roughly 200 operators running their own campaigns on top of it.

SOCRadar Threat Research tracks this operation under the name The Quarry, a Malware-as-a-Service (MaaS) and Phishing-as-a-Service (PhaaS) offering that has been active since at least April 2025, with evidence the developer was distributing tooling well before that. This profile previews SOCRadar’s full whitepaper on the operation, scheduled for publication on Monday, June 15, 2026.

The service centers on tax-themed lures impersonating U.S. government agencies, legitimate Remote Monitoring and Management (RMM) software used as the final payload, and Telegram as the command-and-control and victim-logging layer. More than 90% of recorded victims sit in the U.S., and the same kit has been observed driving SSA, IRS, Adobe, Dropbox, DocuSign, and Messenger campaigns across dozens of domains.

Who Is Rock?

Rock is the operational identity of the developer behind The Quarry ecosystem. The actor goes by several aliases, most commonly RockyBelling, Rockky, and Rock, alongside related personas including Mike and Mike Bestmand. He is primarily active on Telegram, where he runs the “Rocky War Room” channel and advertises a constantly available ScreenConnect service.

Threat actor card of Rock (RockyBelling)

Rock is a financially motivated malicious developer rather than a campaign operator. He builds the tools and infrastructure, sells access to affiliates at different price points, and lets each buyer run their own operations. This separation is important for attribution: the campaigns surface under many different operators and themes, but they all trace back to a single ecosystem maintained by Rock.

Across the analyzed campaigns, the same operational identity surfaces consistently. The aliases used in the actor’s Telegram channels line up with the handles seen on the code-hosting platforms used to stage payloads, and both line up with the naming of the tools in the catalog, including Rocky Gmail Sender and Rock VPS Mailer. Taken together, these overlaps leave little ambiguity that a single developer builds and sells the kit, and that this developer is the persona known as Rock.

Telegram profile for the “Rockybelling” account and its “Rocky War Room” channel

Rock states that he personally coded most of the tools in his channel and mentions that an older channel was blocked roughly a year earlier, indirectly confirming that the operation has existed over an extended period. Country of origin remains unknown, although Arabic-language developer comments appear repeatedly across the kit’s CSS and PHP files. At least one prominent affiliate appears to be of Arab origin, a profile distinct from the developer himself.

How Does Rock’s MaaS/PhaaS Model Work?

Rock productized the full attack lifecycle and removed the technical barrier to running phishing and remote access campaigns at scale. Affiliates buy a complete toolkit plus supporting infrastructure, then adapt it to their own targets, events, and operational needs. The developer explicitly offers onboarding support, infrastructure migration help, and ongoing tool updates, and announces new releases with demonstration videos in his channel.

Pricing observed through direct conversations and channel advertisements gives a clear picture of the service tiers:

  • Scraper tooling: around $200
  • Rocky Gmail Sender mass-mailing tool: around $500
  • Self-hosted ScreenConnect panel setup, including a usage guide: around $2,000, with monthly payments of around $100
  • Complete setups tailored to a specific client and target set: around $3,000

Rock positions himself against competitors by emphasizing support and close collaboration. In his own words, sending tools and samples is something anyone can do; the value is in drawing up a plan, advising affiliates on their targets, and staying focused with them until results come in. He even posts free tools in the channel, arguing they are useless to operators who lack the guidance to use them.

The model creates significant attribution complexity. Each affiliate can run their own Telegram bot and ScreenConnect panel while impersonating different brands, so two domains that share JARM fingerprints, ASN values, and file structures may belong to the same affiliate or to two different affiliates who received the same kit. Without backend access, Telegram tokens, or Adspect Stream IDs acting as direct links, attribution to a specific operator cannot be made with high confidence.

What Tools Does Rock Sell?

Rock’s catalog spans the entire attack chain, combining custom development advertised as handmade with integration of legitimate third-party software.

Remote access (RMM). The core of the service is remote access through legitimate RMM tools reconfigured for malicious use. ScreenConnect is the primary choice because its self-hosted deployment lets Rock provision a dedicated panel per affiliate without relying on managed service provider accounts. More than 40 pivotable ScreenConnect instances have been identified. Tiflux and Datto appear in secondary campaigns, and evidence of FleetDeck was also found. All analyzed RMM payloads were legitimate signed software, used as tools rather than modified malware.

VBS droppers. Announced publicly in April 2026, the Visual Basic Script dropper adds a UAC bypass and a more direct delivery path that does not depend on the PHP infrastructure. Three variants were identified, increasing in sophistication: a Base64 variant, a hex-encoded variant pulling from GitLab, and a PowerShell loader variant implementing AES decryption to resist static analysis.

Phishing kit. A modular PHP kit with customizable lure pages impersonating government agencies and SaaS brands, with Adspect cloaking integrated to filter out researchers, scanners, and sandboxes.

Mass mailing and scraping. Rocky Gmail Sender and Rock VPS Mailer handle bulk delivery with subject randomization, attachment support, and anti-detection features. A Rocky Email Sorter and additional scraping utilities support the pre-phishing stages.

Post-exploitation. PowerShell scripts including a browser history stealer (Chrome and Edge) and a W-2 document finder, both exfiltrating directly to Telegram. A credential harvesting panel likely derived from Evilginx and repeated references to VioletRAT round out the offering.

What Does a Rock Campaign Look Like?

SOCRadar broke the operation into a pre-launch phase and six execution phases. The most documented chain runs as follows:

  1. Scraping and bulk distribution. Operators harvest email addresses and send tax-themed lures impersonating the IRS, SSA, and brands such as Adobe, Microsoft, DocuSign, and Dropbox.
  2. Initial filtering. An index.php file checks the visitor User-Agent and serves a harmless page to anything that is not Windows, since the final RMM payload only installs on Windows.
  3. Cloaking. Adspect fingerprints the browser and decides in real time whether the visitor is a real victim or a researcher. Bots and analysts are redirected to legitimate destinations such as a Windstream webmail portal, while victims see the lure.
  4. The lure. A spoofed portal, most often the SSA, walks the victim through a dashboard, a download button, an operating-system selection gate, a fake loading spinner, and a popup instructing them to run the downloaded “Security Connector.”
  5. Payload delivery. A de.php file randomly selects an RMM variant from a /sources/ pool, generates a unique per-victim download URL under /downloads/, notifies the affiliate’s Telegram bot, and delivers the file through a hidden iframe. The VBS path instead self-elevates, downloads the RMM installer and a decoy PDF in parallel, installs silently with /quiet ALLUSERS=2, opens the decoy, and deletes the installer.
  6. Exfiltration. The same PHP file sends victim IP, User-Agent, filename, and timestamp to the operator’s Telegram bot in real time.
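
The chain above leaves a small number of endpoint behaviours that a defender can key on without relying on domain blocklists: a script host driving a silent machine-wide MSI install, an RMM client installer run from a user download location or spawned by a browser, and a scripting host posting to the public Telegram Bot API. The following detection heuristics are an added example and are not SOCRadar's code or the actor's tooling; the telemetry records, their field names and the rule names are constructed for the example and do not follow any vendor schema.

```python
"""Detection heuristics for the delivery chain described above.

Added example (not SOCRadar's code and not the actor's tooling). It scores
simplified, constructed endpoint telemetry (Sysmon-like process-creation and
network-connection records) against behaviours the profile reports: a script
host driving msiexec with '/quiet ALLUSERS=2', an RMM client installer run from
a user download location or spawned by a browser, and a scripting host posting
to the public Telegram Bot API. Field names and rule names are assumptions
made for this example, not a vendor schema.
"""
import re
from dataclasses import dataclass
from typing import List

# Legitimate RMM products the profile reports being used as payloads.
RMM_TAGS = {"screenconnect", "connectwise", "datto", "tiflux", "fleetdeck"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Silent, machine-wide MSI install, as the VBS dropper is described to perform it.
SILENT_MSI = re.compile(r"/quiet\b.*\bALLUSERS=2\b|\bALLUSERS=2\b.*/quiet\b", re.I)
# Locations a phished user can write to without elevation.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\", re.I)


@dataclass
class Event:
    kind: str               # "process" or "network"
    image: str = ""         # full path of the acting process
    cmdline: str = ""       # process events only
    parent_image: str = ""  # process events only
    dest_host: str = ""     # network events only
    dest_port: int = 0


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(ev: Event) -> List[str]:
    """Return the names of every rule the event matches (empty when benign)."""
    hits: List[str] = []
    image = ev.image.lower()
    base = _basename(image)
    parent = _basename(ev.parent_image)
    looks_like_rmm = any(tag in base for tag in RMM_TAGS)

    if ev.kind == "process":
        # Rule 1: a script host launching a silent machine-wide MSI install
        # is the VBS dropper path; managed deployments rarely go through wscript.
        if base == "msiexec.exe" and parent in SCRIPT_HOSTS and SILENT_MSI.search(ev.cmdline):
            hits.append("vbs_dropper_silent_msi")
        # Rule 2: an RMM installer executed out of Downloads/AppData/Desktop,
        # where a "Security Connector" download would land.
        if looks_like_rmm and USER_WRITABLE.search(image):
            hits.append("rmm_installer_user_path")
        # Rule 3: an RMM binary started by a browser or script host rather
        # than by an installer, deployment agent or an administrator's shell.
        if looks_like_rmm and (parent in BROWSERS or parent in SCRIPT_HOSTS):
            hits.append("rmm_spawned_by_browser_or_script")
    elif ev.kind == "network":
        # Rule 4: the kit's victim logging and exfiltration go to the Telegram
        # Bot API; a scripting host talking there is rarely legitimate.
        if base in SCRIPT_HOSTS and ev.dest_host.lower() == "api.telegram.org":
            hits.append("script_host_telegram_api")
    return hits


def triage(events: List[Event]) -> List[tuple]:
    """Index every event that fires at least one rule, with its rule names."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := evaluate(ev))]


# Constructed sample telemetry: three events shaped after the described chain
# and two benign look-alikes (a managed MSI deployment, a browser on Telegram).
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\msiexec.exe",
          cmdline=r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\sc.msi" /quiet ALLUSERS=2',
          parent_image=r"C:\Windows\System32\wscript.exe"),
    Event("process", image=r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
          cmdline="ScreenConnect.ClientSetup.exe",
          parent_image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event("network", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          dest_host="api.telegram.org", dest_port=443),
    Event("process", image=r"C:\Windows\System32\msiexec.exe",
          cmdline=r'msiexec.exe /i "C:\Windows\ccmcache\a1\agent.msi" /qn ALLUSERS=2',
          parent_image=r"C:\Windows\CCM\CcmExec.exe"),
    Event("network", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_host="api.telegram.org", dest_port=443),
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

Rules 2 and 3 match on product names in the file name and are defeated by renamed installers such as the StatementID-5ecc7a9.exe sample the TTP table lists; rules 1 and 4 therefore key on behaviour (parent process and destination) rather than names. In production the script-host and browser sets should be tuned to the environment and sanctioned RMM deployments excluded by signer and deployment path.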

Below is a high-level workflow of the operation that illustrates Rock’s modus operandi across two campaigns:

High-level workflow of the operation, from the developer and affiliates through bulk distribution, web and PDF lures, RMM tooling, and Telegram-based reporting

Post-exploitation is optional and varies by affiliate, ranging from browser history and W-2 theft to selling corporate access onward. The most likely objectives are direct tax fraud, the sale of corporate access, and Initial Access Broker activity feeding ransomware deployment, the last of which has already been observed in linked incidents.

Victimology

Because Rock sells the kit rather than running campaigns, the victims below are not chosen by him directly. They reflect the targeting decisions of the operators who buy the service, while the consistent tax themes and tooling trace back to Rock’s ecosystem.

The geographic profile is heavily concentrated. More than 90% of recorded download events correspond to victims in the U.S., consistent with the tax-themed lures impersonating the IRS and SSA. The remaining share, around 5%, spans countries including Egypt, Brazil, Germany, Japan, and Canada, likely U.S. organization employees working abroad, individuals with U.S. tax obligations, or VPN users. Downloads were recorded across 14 countries in total.

Victim geographic distribution

The campaign operates across two victim layers. The first is direct RMM victims who executed the payload, many of them employees of organizations in the targeted sectors, turning their access into a potential path for lateral movement. The second layer is organizations actively scanned and scraped for exposed secrets, including AWS access keys recovered from publicly accessible resources. The presence of this second layer shows Rock’s ecosystem conducts active reconnaissance rather than waiting passively for victims to engage.

Victim distribution by sector

By sector, the most represented are SaaS and Development (17.4%), Healthcare and Medtech (15.8%), Media and Entertainment (14.7%), Fintech and Finance (11.1%), and E-commerce and Retail (8.6%), followed by Education, Real Estate, Travel, and others. The actor does not discriminate by organization size, sweeping broad ranges of domains for any exposed credential that proves useful.

How Do SOCRadar Modules Support Ongoing Monitoring and Assessment?

Because The Quarry cybercrime ecosystem rotates infrastructure constantly and distributes the same kit across a large pool of operators, point-in-time blocking is not enough. SOCRadar supports detection and response across the operation’s full footprint:

  • Threat Actor Intelligence tracks Rock and the broader ecosystem, surfacing new tooling, pricing changes, VBS releases, and infrastructure shifts as they emerge.
  • Advanced Dark Web Monitoring monitors the Telegram channels, bots, and underground activity used to advertise the kit and log victims.
  • Attack Surface Management identifies exposed credentials and secrets in public resources, the same Layer 2 exposure the actor scrapes for, helping organizations close those gaps before they are abused.
  • Brand Protection detects newly registered lookalike domains combining tax and government terms with action words such as portal, hub, and sync, enabling early takedown of phishing infrastructure.
  • Credentials and Data Leak Detection alerts on leaked employee credentials and cloud access keys that could feed the operation’s monetization paths.
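
The naming pattern behind the Brand Protection point above (a tax or government term joined to an action word such as portal, hub, or sync) can be turned into a first-pass triage filter for newly observed domains. The script below is an added example, not SOCRadar's Brand Protection module: the three action words come from the profile, while the remaining term lists, the greedy segmentation approach and the allowlist of official domains are assumptions made for the example, and the domain feed is constructed.

```python
"""Lookalike-domain triage for the naming pattern the profile describes.

Added example (not SOCRadar's Brand Protection module). It flags candidate
domains that combine a tax or government term with an action word such as
portal, hub or sync, the combination the profile reports in the kit's
infrastructure. The term lists beyond those three words, the segmentation
approach and the allowlist are assumptions made for this example.
"""
import re
from typing import Dict, List

TAX_GOV_TERMS = {"irs", "ssa", "tax", "taxes", "refund", "w2", "gov", "treasury",
                 "ssn", "socialsecurity", "stimulus", "benefits"}
ACTION_TERMS = {"portal", "hub", "sync", "secure", "verify", "access", "login", "connect"}
VOCAB = TAX_GOV_TERMS | ACTION_TERMS
# Registrable domains that legitimately carry these terms (constructed allowlist).
OFFICIAL_DOMAINS = {"irs.gov", "ssa.gov", "treasury.gov"}


def segment(label: str) -> List[str]:
    """Greedy longest-match tokenisation of one DNS label against VOCAB.

    Hyphens and digits act as separators, so both 'irs-tax-portal' and the
    concatenated 'ssaportalhub' yield their component words.
    """
    tokens: List[str] = []
    for chunk in re.split(r"[-0-9]+", label.lower()):
        i = 0
        while i < len(chunk):
            for j in range(len(chunk), i, -1):
                if chunk[i:j] in VOCAB:
                    tokens.append(chunk[i:j])
                    i = j
                    break
            else:
                i += 1  # no vocabulary word starts here; skip one character
    return tokens


def score(domain: str) -> Dict[str, object]:
    """Classify one domain. Flagged only when BOTH term classes are present."""
    d = domain.lower().rstrip(".")
    labels = d.split(".")
    registrable = ".".join(labels[-2:])   # naive: last two labels
    if registrable in OFFICIAL_DOMAINS:
        return {"domain": d, "tax_gov": [], "action": [], "flagged": False}
    tokens: List[str] = []
    for label in labels[:-1]:             # skip the public suffix itself
        tokens.extend(segment(label))
    tax_gov = sorted({t for t in tokens if t in TAX_GOV_TERMS})
    action = sorted({t for t in tokens if t in ACTION_TERMS})
    return {"domain": d, "tax_gov": tax_gov, "action": action,
            "flagged": bool(tax_gov) and bool(action)}


def flag_candidates(domains: List[str]) -> List[str]:
    """Return the domains worth an analyst's attention, in input order."""
    return [d for d in domains if score(d)["flagged"]]


# Constructed feed of newly observed domains: four in the pattern, the rest
# either official or carrying only one half of the combination.
SAMPLE_DOMAINS = [
    "irs-tax-refund-portal.com",
    "ssaportalhub.net",
    "taxsync-2026.org",
    "gov.secure-access-irs.info",
    "login.irs.gov",
    "example-hub.com",
    "hubspot.com",
    "taxadvisors.com",
]

if __name__ == "__main__":
    for name in SAMPLE_DOMAINS:
        print(score(name))
```

Greedy matching will occasionally find a short term such as "ssa" inside an unrelated word, which is why a domain is flagged only when both a tax/government term and an action word are present. The last-two-labels approximation of the registrable domain breaks on multi-part public suffixes such as co.uk; a production filter should use the Public Suffix List and feed its hits into a registration-date and certificate-transparency check rather than blocking on the name alone.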

Conclusion

Rock illustrates how a single capable developer can multiply impact by turning tradecraft into a product. By packaging a modular phishing kit, self-hosted RMM panels, VBS droppers, mass mailers, and post-exploitation scripts into a supported service, he enables dozens of parallel campaigns that would otherwise be beyond the reach of less technical operators. The deliberate use of legitimate RMM software, public code repositories for hosting, Adspect cloaking, and Telegram for C2 keeps the operation resilient and difficult to block at the network level.

The operation remains active at the time of this assessment, with newly created domains identified through April and May 2026 and continued activity in the actor’s Telegram groups. The number of victims tied to this ecosystem is likely to keep growing. Organizations, particularly in the U.S. and across SaaS, healthcare, media, and finance, should treat tax-themed RMM installation lures as a current and evolving threat, monitor for the indicators below, and watch for unexpected ScreenConnect, Datto, or Tiflux agents appearing on endpoints.

MITRE ATT&CK TTPs

| Tactic | Technique | Procedure |
| --- | --- | --- |
| TA0043: Reconnaissance | T1596.005: Scan Databases | Automated scrapers collect corporate domains by sector and locate hardcoded credentials in accessible resources such as JavaScript files |
| TA0042: Resource Development | T1583.001: Domains | Registers custom domains using tax-related naming conventions as the primary phishing infrastructure |
| TA0042: Resource Development | T1583.006: Web Services | Leverages public GitHub and GitLab repositories to host MSI payloads and decoy PDFs, abusing platform reputation |
| TA0042: Resource Development | T1587.001: Malware | Develops a modular PHP phishing kit with cloaking, VBS droppers with UAC bypass, PS1 post-exploitation scripts, and bulk email tooling |
| TA0042: Resource Development | T1583.004: Server | Deploys self-hosted ScreenConnect instances provisioned per affiliate as remote access infrastructure |
| TA0001: Initial Access | T1566.001: Spearphishing Attachment | Distributes the VBS dropper directly as an email attachment using tax-themed lures |
| TA0001: Initial Access | T1566.002: Spearphishing Link | Distributes links to malicious domains via bulk email, redirecting victims to fake SSA, IRS, Adobe, Dropbox, or DocuSign portals |
| TA0002: Execution | T1204: User Execution | Victims execute the RMM installer, prompted by the tax-themed context and the “Security Connector” popup |
| TA0002: Execution | T1059.005: Visual Basic | Uses VBS scripts as an alternative delivery vector with three obfuscation variants |
| TA0002: Execution | T1059.001: PowerShell | The most advanced VBS variant runs a PowerShell script implementing AES decryption before launching the payload |
| TA0004: Privilege Escalation | T1548.002: Bypass User Account Control | The VBS dropper triggers UAC; the April 2026 variant implemented a bypass with no visible dialog |
| TA0005: Defense Evasion | T1036.005: Match Legitimate Name or Location | RMM installers use filenames simulating tax documents (ScreenConnect.ClientSetup.exe, StatementID-5ecc7a9.exe) |
| TA0005: Defense Evasion | T1027: Obfuscated Files or Information | VBS variants use Base64 concatenation, hexadecimal encoding, and AES decryption in a secondary PowerShell stage |
| TA0005: Defense Evasion | T1070.004: File Deletion | The VBS dropper deletes the MSI installer after installation, removing the primary forensic artifact |
| TA0005: Defense Evasion | T1656: Impersonation | Impersonates SSA, IRS, Adobe, Dropbox, DocuSign, and ConnectWise with customized CSS, official logos, and security messaging |
| TA0006: Credential Access | T1539: Steal Web Session Cookie | A credential harvesting panel likely derived from Evilginx targets credentials and session cookies |
| TA0006: Credential Access | T1552.001: Credentials in Files | Scrapers identify hardcoded credentials in public resources, including JavaScript files with cloud access keys |
| TA0007: Discovery | T1083: File and Directory Discovery | The W-2 Document Finder recursively searches the user profile for files containing “w2” |
| TA0009: Collection | T1185: Browser Session Hijacking | The Browser History Stealer force-closes the browser to read locked SQLite databases and export six months of history |
| TA0011: Command and Control | T1071.001: Web Protocols | All exfiltration runs through HTTPS POST requests to the public Telegram API |
| TA0011: Command and Control | T1568.002: Domain Generation Algorithms | The kit generates random 300-character URL fragments during PHP redirects to complicate tracking |
| TA0011: Command and Control | T1219: Remote Access Software | The installed RMM connects to the affiliate’s self-hosted ScreenConnect panel over RSA-4096, disguised as legitimate remote support |
| TA0040: Impact | T1657: Financial Theft | Targeting the U.S. tax season alongside W-2 and credential theft points to tax fraud and access to victim financial infrastructure |

Indicators can be found on the SOCRadar platform.