
The Quarry: Inside the PhaaS Operation Behind Hundreds of IRS and SSA Phishing
The Quarry is a Malware-as-a-Service (MaaS) and Phishing-as-a-Service (PhaaS) operation, active since at least April 2025, built and sold by a single developer known as RockyBelling (also Rockky, Rock, and Mike) to nearly 200 affiliates.
Indicators of Compromise
Domains (15)
Hashes (7)
APT Groups
Rockky
Notes
<h2>Conclusion</h2><p>The Quarry is what phishing looks like when it becomes a managed service. The developer built a platform that handles cloaking, delivery, payload staging, Telegram-based reporting, and post-exploitation tooling, then sold access to it at a price point that made it accessible to operators who would not have been capable of building any of it independently.</p><p>The result is a distributed, modular, persistent PhaaS operation that is difficult to attribute in any individual incident and difficult to disrupt by targeting any single component. The developer rotates infrastructure, issues updates, and onboards new affiliates. The attack surface scales with the number of active operators.</p><p>The operation remains active at the time of publication. New domains were registered in April and May 2026. Rocky War Room continues to post updates.</p><p>The full whitepaper, including the complete MITRE ATT&CK TTP table, backend code analysis, infrastructure maps, and extended IoC list, is available for download below. SOCRadar customers can access the full threat actor profile and indicator feed directly on the platform.<br><br><span style="font-weight: 700;">[</span><a href="https://socradar.io/resources/whitepapers/following-the-trail-the-quarry-threat-research-report/"><span style="font-weight: 700;">Download the full whitepaper: The Quarry</span></a><span style="font-weight: 700;">]</span></p>
Mitigation
<span id="docs-internal-guid-07fb4e2d-7fff-1461-13f3-92d6b3650faa"><p><span style="font-weight: 700;">Mitigation (MITRE ATT&CK)</span></p><div align="left"><table>
<colgroup><col><col></colgroup>
<thead><tr><th>Mitigation</th><th>Description</th></tr></thead>
<tbody>
<tr><td><a href="https://attack.mitre.org/mitigations/M1017/">M1017</a></td><td>Train users to recognize tax-themed lures impersonating the IRS and SSA and to never execute a downloaded “Security Connector” or RMM installer from an unsolicited document portal.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1049/">M1049</a></td><td>Deploy EDR/AV capable of flagging unauthorized RMM agent installation and obfuscated VBS execution.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1042/">M1042</a></td><td>Disable Windows Script Host (wscript/cscript) where not operationally required to block VBS dropper execution.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1038/">M1038</a></td><td>Enforce application allowlisting (WDAC/AppLocker) to block unapproved RMM binaries (ScreenConnect, Datto, Tiflux, FleetDeck).</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1052/">M1052</a></td><td>Enforce User Account Control at its highest level and remove standing local-admin rights to defeat the dropper's runas self-elevation.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1021/">M1021</a></td><td>Restrict and inspect web-based content; block downloads of MSI/EXE/VBS from newly registered or untrusted tax-themed domains.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1037/">M1037</a></td><td>Filter outbound network traffic to block Adspect endpoints, unauthorized RMM relays, and known phishing infrastructure.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1031/">M1031</a></td><td>Use network intrusion prevention to detect and block RMM relay traffic and Telegram API exfiltration where policy permits.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1032/">M1032</a></td><td>Enforce phishing-resistant MFA to limit the impact of credentials harvested via the Evilginx-style reverse-proxy panel.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1018/">M1018</a></td><td>Apply least-privilege account management so fewer users can install software or run elevated processes.</td></tr>
</tbody></table></div></span>
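As an added illustration of the detection-side rows of the table (M1049, M1042, M1052, M1038), and not code from the SOCRadar report or its platform: a small Python triage pass over constructed process-creation events in Sysmon Event ID 1 field names. It flags a script host running a .vbs out of a user-writable path, a script host re-launched by a script host at High integrity (what the runas self-elevation produces once it succeeds), and an RMM installer whose parent is not the approved deployment agent; the CorpDeploy parent path and all sample events are hypothetical.

```python
"""Triage constructed process-creation events for the behaviours the
mitigation table targets. Field names follow Sysmon Event ID 1; the
events, paths and approved-parent value below are constructed examples."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# RMM products named in the mitigation table; matched case-insensitively in image path or command line.
RMM_KEYWORDS = ("screenconnect", "datto", "tiflux", "fleetdeck")
# Hypothetical approved software-deployment parent (an assumption for this example, not from the report).
APPROVED_RMM_PARENTS = {r"c:\program files\corpdeploy\agent.exe"}
# Scripts launched from user-writable locations are the dropper pattern; system paths are not flagged.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return the rule names one process-creation event trips (empty list if benign)."""
    hits = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    # M1042/M1049: a script host executing a .vbs from Downloads, Temp or AppData.
    if image in SCRIPT_HOSTS and ".vbs" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("vbs_dropper_from_user_path")
    # M1052: script host spawned by a script host at High integrity, i.e. the runas
    # self-elevation went through (UAC prompt accepted or standing admin rights present).
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS and ev.get("IntegrityLevel") == "High":
        hits.append("script_host_self_elevation")
    # M1038/M1049: an RMM installer not launched by the approved deployment parent.
    haystack = (ev["Image"] + " " + cmd).lower()
    if any(k in haystack for k in RMM_KEYWORDS) and ev["ParentImage"].lower() not in APPROVED_RMM_PARENTS:
        hits.append("unauthorized_rmm_install")
    return hits


def triage(events):
    """Map event id -> tripped rules, keeping only events with at least one hit."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Tax_Organizer_2025.vbs"',
     "IntegrityLevel": "Medium"},
    {"id": 2, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Tax_Organizer_2025.vbs"',
     "IntegrityLevel": "High"},
    {"id": 3, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\SecurityConnector-ScreenConnect.msi" /qn',
     "IntegrityLevel": "High"},
    {"id": 4, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Program Files\CorpDeploy\agent.exe",
     "CommandLine": r'msiexec.exe /i "C:\ProgramData\CorpDeploy\ScreenConnect.ClientSetup.msi" /qn',
     "IntegrityLevel": "System"},
    {"id": 5, "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
     "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Events 4 (approved deployment parent) and 5 (a system script from System32) are the benign controls; only events 1 to 3 should surface.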