
The Quarry: Inside the PhaaS Operation Behind Hundreds of IRS and SSA Phishing
Overview
Rockky or Rocky is a financially motivated threat actor and developer of hacktools and phishing kits. Campaigns conducted by operators and affiliates using his services have been identified since 2025, although the evidence suggests that he has been active for several years prior. The adversary advertises his products in both private and public Telegram groups, where he advises clients and provides services tailored to their operational needs, primarily focused on phishing campaigns using a wide range of lures to deploy RMM tools. Operators who purchase these tools and services use rotating infrastructure as well as Telegram bots to monitor the status of their victims. In addition, Rockky deploys RMM infrastructure such as ScreenConnect so that each affiliate can manage and control their own campaigns. Campaigns observed include SSA and IRS-themed lures exploiting the U.S. tax season, alongside fake document-signing workflows, PDF-themed lures, and similar impersonation scenarios.
Key Characteristics
Proprietary tool development: RockyBelling actively develops and maintains his own arsenal, explicitly advertised as handmade within his Telegram channels. Updates are frequent and publicly documented. The release of the VBS variant with UAC bypass capabilities in April 2026 included demonstration videos and migration support for existing affiliates.
Structured MaaS/PhaaS operation: The actor does not directly operate phishing campaigns but instead provides infrastructure and tooling to a network of approximately 200 affiliates. Each affiliate receives a dedicated ScreenConnect panel, a customized phishing kit, and access to the broader tooling catalog. The actor operates as a service provider rather than as the direct executor of attacks.
Evasion by design: The kit integrates multiple layers of evasion within its core architecture, including OS filtering in index.php, commercial cloaking through Adspect, per-victim randomization of URLs and filenames, and automated cleanup of forensic artifacts. Evasion is not an additional feature but a foundational component of the product design.
Abuse of legitimate infrastructure: RockyBelling systematically avoids traditional C2 infrastructure. Exfiltration is conducted through the Telegram API, payload staging in VBS-based campaigns relies on GitHub and GitLab, and remote access is achieved through legitimate commercial RMM tools. Malicious traffic is therefore concealed within communications to trusted platforms.
Tax-themed lures as an operational vector: The U.S. tax season is the dominant pretext used throughout the majority of documented campaigns. The tax-related theme is maintained even when the impersonated brand is unrelated to government services. RMM installers used in Adobe or Dropbox-themed campaigns still retained names such as TaxOrganizer or StatementID. The tax context is therefore not merely a lure, but part of the operational identity of the campaign ecosystem.
Communication channels: RockyBelling operates his sales and support infrastructure through a network of Telegram channels where he publishes demonstration videos, advertises new products, manages affiliates, and documents the functionality of his tooling. Through these channels, he markets products and services ranging from $500 to $3,000, alongside monthly subscription fees of approximately $100.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
How to Defend Against PhaaS and RMM-Based Phishing Attacks
The Quarry succeeds through operational maturity, modular design, evasion depth, and the number of operators running variants of the same toolkit simultaneously. Defending against it requires attention to behaviors and infrastructure patterns rather than waiting for specific file hashes or domains to appear on a blocklist.
Restrict and monitor RMM tools: Maintain an approved list of remote access and monitoring tools permitted in your environment. Unauthorized ScreenConnect, Datto, Tiflux, or FleetDeck installations should generate an alert. Many organizations find that RMM tools are not monitored at the endpoint level.
Alert on Telegram API traffic from endpoints where it is not expected: Because Telegram is used for both victim logging and post-exploitation data exfiltration, unexpected HTTPS POST traffic to api.telegram.org from managed endpoints warrants investigation.
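The two checks above, an RMM allowlist over an installed-software inventory and Telegram Bot API egress from managed endpoints, as a worked Python example. This is added here and is not code from the SOCRadar report; the inventory records, proxy log format and lines, client addresses, and the approved-tool and Telegram-allowed sets are constructed assumptions for the demonstration.

```python
"""Detections for unapproved RMM agents and Telegram Bot API egress.

Example code added to this page; not SOCRadar's or any vendor's tooling.
Inventory records, proxy log lines and allowlists below are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: the single RMM agent this organisation sanctions, as the
# product name appears in the software inventory.
APPROVED_RMM = {"ScreenConnect Client (corp-rmm)"}

# Lower-cased fragments for the RMM families named in the report.
RMM_MARKERS = ("screenconnect", "datto", "tiflux", "fleetdeck")

# Constructed installed-software inventory: (host, product name).
INVENTORY = [
    ("WS-014", "ScreenConnect Client (corp-rmm)"),
    ("WS-014", "Microsoft Edge"),
    ("WS-027", "ScreenConnect Client (a1b2c3d4e5f6)"),   # unknown instance id
    ("WS-031", "FleetDeck Agent"),
]


def unapproved_rmm(inventory):
    """Return (host, product) for RMM software that is not on the approved list.
    A second ScreenConnect instance with an unfamiliar id is exactly the
    per-affiliate panel pattern the report describes."""
    hits = []
    for host, product in inventory:
        is_rmm = any(marker in product.lower() for marker in RMM_MARKERS)
        if is_rmm and product not in APPROVED_RMM:
            hits.append((host, product))
    return hits


# Constructed proxy log: client method url "user-agent" (one request per line).
PROXY_LOG = """\
10.1.2.14 POST https://api.telegram.org/bot0000000000:AAAAAAAA/sendMessage "Mozilla/5.0"
10.1.2.14 GET https://www.irs.gov/ "Mozilla/5.0"
10.1.2.27 GET https://api.telegram.org/bot0000000000:AAAAAAAA/getUpdates "WinHTTP"
10.1.2.31 POST https://api.telegram.org/bot0000000000:AAAAAAAA/sendDocument "curl/8.0"
10.1.2.50 POST https://api.telegram.org/bot0000000000:AAAAAAAA/sendMessage "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Bot API paths embed the bot token as /bot<digits>:<secret>/; redact it
# before the event is written anywhere an analyst or SIEM will keep it.
TOKEN_RE = re.compile(r"/bot\d+:[A-Za-z0-9_-]+")

# Assumption: hosts where Telegram traffic is expected and should not alert.
TELEGRAM_ALLOWED = {"10.1.2.50"}


def telegram_api_calls(log_text, allowed=TELEGRAM_ALLOWED):
    """Return (client, method, redacted path) for every Telegram Bot API call
    from a host not on the allowed set. POSTs to sendMessage/sendDocument
    are the exfiltration and victim-logging shape; GET getUpdates is a bot
    polling for operator commands, so both are surfaced with the method."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # tolerate malformed lines
        client, method, url, _agent = m.groups()
        parsed = urlparse(url)
        if parsed.hostname != "api.telegram.org" or client in allowed:
            continue
        hits.append((client, method, TOKEN_RE.sub("/bot<redacted>", parsed.path)))
    return hits


if __name__ == "__main__":
    for hit in unapproved_rmm(INVENTORY):
        print("UNAPPROVED_RMM", *hit)
    for hit in telegram_api_calls(PROXY_LOG):
        print("TELEGRAM_API", *hit)
```

Matching on the parsed hostname rather than a substring of the URL avoids both false positives (a page that merely mentions the API) and trivial evasion through a look-alike domain containing the string.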
Harden email defenses against government impersonation: Government agencies like the IRS and SSA do not initiate contact by email or send taxpayers executable downloads. Employee awareness training should cover this explicitly. Email security tools should be configured with rules targeting domains that impersonate federal agency patterns.
Enforce application control to restrict unauthorized script execution: VBS execution from user-writable directories, particularly combined with elevated privileges, is not a typical administrative workflow. Policies that restrict VBScript execution by default – or that require signed scripts – would disrupt the VBS delivery chain.
Monitor GitHub and GitLab download traffic: RMM MSI installers pulled from raw GitHub or GitLab content URLs are unusual in legitimate enterprise environments. Endpoint monitoring rules that flag MSI downloads from code hosting platforms, particularly followed by silent install commands, are effective against the VBS delivery method.
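The two preceding recommendations describe one endpoint-side chain: a VBS file run from a user-writable directory, a raw GitHub/GitLab download of an MSI, and a silent msiexec install of that file shortly afterwards. The Python below is an added example, not the report's or any product's detection content; the event format, host names, file names and paths are constructed for the demonstration, and the 30-minute correlation window is an assumed tuning value.

```python
"""Correlate VBS execution and code-hosting MSI downloads into alerts.

Example code added to this page; not SOCRadar's tooling. The telemetry
lines below are constructed: "<ISO time> <host> <kind> key=value ...".
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

EVENTS = r"""
2026-04-14T09:01:10 WS-027 proc integrity=High image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Users\jdoe\Downloads\TaxOrganizer.vbs"
2026-04-14T09:01:12 WS-027 download url=https://raw.githubusercontent.com/example/repo/main/TaxOrganizer.msi dest=C:\Users\jdoe\AppData\Local\Temp\TaxOrganizer.msi
2026-04-14T09:01:15 WS-027 proc integrity=High image=C:\Windows\System32\msiexec.exe cmd="msiexec.exe /i C:\Users\jdoe\AppData\Local\Temp\TaxOrganizer.msi /qn"
2026-04-14T10:30:00 WS-040 proc integrity=Medium image=C:\Windows\System32\cscript.exe cmd="cscript.exe C:\Program Files\IT\inventory.vbs"
2026-04-14T11:00:00 WS-051 download url=https://gitlab.com/example/repo/-/raw/main/StatementID.msi dest=C:\Users\asmith\Downloads\StatementID.msi
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Directories an unprivileged user can write to; scripts here are not an
# administrative workflow. Assumed list, extend for your environment.
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(users|programdata|windows\\temp)\\")
VBS_PATH_RE = re.compile(r'(?i)([a-z]:\\[^"]*?\.vb[se])\b')
CODE_HOSTS = {"raw.githubusercontent.com", "github.com", "gitlab.com"}
SILENT_RE = re.compile(r"(?i)(^|\s)/(qn|quiet|q)\b")   # msiexec silent switches
WINDOW = timedelta(minutes=30)                           # assumed correlation window


def parse(text):
    """Turn the constructed telemetry into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, rest = line.split(" ", 3)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events


def detect(events):
    """Return (host, rule, severity, detail) alerts, in event order.

    Downloads of .msi files from code-hosting platforms are held per
    (host, destination path); a silent msiexec install of that path on the
    same host within WINDOW escalates to a high-severity correlated alert.
    """
    alerts = []
    pending = {}   # (host, lower-cased dest path) -> download event
    for ev in events:
        if ev["kind"] == "download":
            url = ev.get("url", "")
            if urlparse(url).hostname in CODE_HOSTS and url.lower().endswith(".msi"):
                alerts.append((ev["host"], "msi_download_from_code_hosting", "medium", url))
                pending[(ev["host"], ev.get("dest", "").lower())] = ev
        elif ev["kind"] == "proc":
            cmd = ev.get("cmd", "")
            m = VBS_PATH_RE.search(cmd)
            if m and USER_WRITABLE.match(m.group(1)):
                # Elevated (High integrity) script execution is the UAC-bypass shape.
                sev = "high" if ev.get("integrity") == "High" else "medium"
                alerts.append((ev["host"], "vbs_from_user_writable_dir", sev, m.group(1)))
            if "msiexec" in ev.get("image", "").lower() and SILENT_RE.search(cmd):
                for key, dl in list(pending.items()):
                    same_host = key[0] == ev["host"]
                    if same_host and key[1] in cmd.lower() and ev["ts"] - dl["ts"] <= WINDOW:
                        alerts.append((ev["host"], "code_hosting_msi_silent_install", "high", dl["url"]))
                        del pending[key]
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(EVENTS)):
        print(*alert)
```

WS-040 runs a VBS file from under Program Files at Medium integrity and produces nothing, which is the point of keying on location and integrity rather than on the script host alone; WS-051 only downloaded an installer, so it surfaces at medium severity without the correlated install.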
Audit public-facing web properties for exposed credentials: The Layer 2 targeting in this campaign focuses on JavaScript files containing hardcoded cloud credentials. A periodic scan of externally facing web properties for embedded API keys and access tokens is a practical mitigation.
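A minimal scanner for the periodic check above, written in Python and added here as an example (it is not SOCRadar's product or the report's content). The JavaScript body is constructed, the key-like values in it are dummies of the documented public formats, and the provider patterns plus the 3.5 bits/char entropy threshold for generic matches are assumptions you would tune.

```python
"""Scan JavaScript served by your own web properties for embedded credentials.

Example code added to this page; the sample script and the key values in it
are constructed dummies (the AWS pair is the documented example pair).
"""
import math
import re
from collections import Counter

SAMPLE_JS = r"""
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAEXAMPLEEXAMPLE12",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  apiBase: "https://api.example.test/v1"
};
const analyticsToken = "ghp_ExampleTokenValue0123456789abcdefghi";
const sessionToken = "xxxxxxxxxxxxxxxxxxxxxxxx";
var ui = { theme: "dark", lang: "en-US" };
"""

# Provider-specific formats that are reliable on their own (no entropy gate).
SPECIFIC = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
]
# Generic "secret-looking name = quoted value" assignment; noisy, so gated
# by entropy to drop placeholders like "xxxx..." or "changeme".
GENERIC = re.compile(
    r"""(?i)\b(\w*(?:secret|token|api[_-]?key|password)\w*)\s*[:=]\s*["']([^"']{16,})["']"""
)
MIN_ENTROPY = 3.5   # assumed threshold, bits per character


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep just enough of a value to recognise it in a ticket."""
    return value[:4] + "..." + value[-2:]


def scan_js(text):
    """Return (kind, line_number, redacted_value) findings, deduplicated by value."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        for kind, pattern in SPECIFIC:
            for m in pattern.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append((kind, lineno, redact(m.group(0))))
        for m in GENERIC.finditer(line):
            _name, value = m.groups()
            if value in seen or entropy(value) < MIN_ENTROPY:
                continue
            seen.add(value)
            findings.append(("generic_secret", lineno, redact(value)))
    return findings


if __name__ == "__main__":
    for finding in scan_js(SAMPLE_JS):
        print(*finding)
```

Running this across the script URLs of each externally facing property on a schedule, and diffing the findings against the previous run, turns the one-off audit into the periodic scan the recommendation calls for; the redaction keeps the scanner's own output from becoming a second copy of the credential.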
Deploy SOCRadar’s Extended Threat Intelligence: SOCRadar’s XTI platform provides continuous monitoring for brand impersonation, domain spoofing, phishing infrastructure, and Dark Web credential exposure – all categories directly relevant to The Quarry’s operation model.