The Quarry: Tracing a Cybercriminal Operation
Cybercrime-as-a-Service has evolved into a mature ecosystem where developers, affiliates, phishing infrastructure, and remote access tools operate as interconnected services.
The Quarry: Tracing a Cybercriminal Operation provides an in-depth investigation into an active Malware-as-a-Service (MaaS) and Phishing-as-a-Service (PhaaS) operation identified by SOCRadar Threat Research. The report traces the operation from large-scale phishing distribution and infrastructure management to victim targeting, payload delivery, and threat actor attribution. Researchers uncovered a structured criminal ecosystem centered around a developer known as “RockyBelling,” who supplies phishing kits, cloaking services, remote management tooling, and supporting infrastructure to nearly 200 operators conducting independent campaigns.
The report analyzes the complete attack chain, including bulk email distribution, tax-themed phishing campaigns impersonating government agencies and major software providers, traffic cloaking through Adspect, deployment of remote monitoring and management (RMM) tools, Telegram-based victim monitoring, and post-compromise activities. It also examines infrastructure patterns, attribution findings, victimology, and operational techniques used to evade detection while scaling attacks across multiple regions and sectors.
Key Highlights:
- Detailed analysis of a large-scale MaaS and PhaaS ecosystem operating since at least 2025
- Attribution of the operation’s developer, infrastructure, and affiliate network
- Breakdown of the complete attack lifecycle from phishing to post-exploitation
- Examination of cloaking, traffic filtering, and anti-analysis techniques
- Analysis of phishing lures impersonating government agencies and major brands
- Insights into Telegram-based operations, infrastructure management, and affiliate activity
- Victimology, geographic targeting, sector distribution, and observed TTPs
- Indicators of Compromise (IoCs) and defensive recommendations for security teams
This report is designed for threat intelligence analysts, SOC teams, incident responders, cyber threat hunters, and security leaders seeking a deeper understanding of modern cybercrime service ecosystems and the infrastructure that enables large-scale phishing operations.
➡️ Download the full report to explore the tactics, infrastructure, attribution findings, and operational mechanics behind one of the most structured cybercriminal service operations observed by SOCRadar Threat Research.