The Quarry PhaaS Operation Uses ConnectWise ScreenConnect to Target U.S. Taxpayers
A Phishing-as-a-Service operation called The Quarry, run by an actor known as RockyBelling, has been selling toolkits to nearly 200 operators since April 2025, targeting U.S. taxpayers with IRS and SSA lures and deploying legitimate ConnectWise ScreenConnect RMM software as a silent payload.

A wave of phishing campaigns targeting American taxpayers has been traced back to a single, highly organized cybercrime operation known as The Quarry. What appeared to be dozens of unrelated incidents impersonating the IRS, Social Security Administration, and platforms like DocuSign turned out to be the work of one developer selling a Phishing-as-a-Service (PhaaS) toolkit to nearly 200 paying operators. The operation has been active since at least April 2025 and continues to run at the time of reporting.
The toolkit gives buyers everything they need to launch a full campaign without building a single tool themselves. Operators receive phishing pages, cloaking infrastructure, remote access panels, bulk email tools, and post-exploitation scripts. Tax season is the most exploited window, but the operation runs year-round, adapting its lures to whatever pretext is most convincing. Analysts at SOCRadar were the first to identify and document this ecosystem, naming it The Quarry in a report shared with Cyber Security News.
The threat actor behind it operates under the alias RockyBelling, also known as Rock, Rockky, and Mike, and runs a Telegram channel called Rocky War Room, which had 194 subscribers at the time of analysis. The channel functions as a product catalog, support desk, and announcement board for new tool releases. What makes The Quarry especially dangerous is its use of legitimate remote monitoring and management software as the final payload. Instead of deploying recognizable malware, operators deliver a silent installation of ConnectWise ScreenConnect, a widely trusted remote access tool. This lets attackers gain full control over a victim's device while bypassing detection tools that would normally flag traditional malware.
The attack begins with a bulk email designed to look like an IRS refund notice, an SSA tax filing confirmation, or a document shared through a trusted platform. When a victim clicks the link, the site quietly filters out non-Windows visitors and automated security scanners. A second layer uses Adspect, a traffic cloaking service, to block researchers before the fake page ever loads. The phishing page replicates the Social Security Administration portal with convincing detail, including the SSA seal and familiar layout sections. Victims are told to download a "Security Connector" to access their statement, while the real payload, a ScreenConnect MSI installer, downloads silently through a hidden webpage frame. In April 2026, the developer released a VBS dropper sent by email that installs ScreenConnect silently while opening a decoy PDF to distract the victim.
Once ScreenConnect is installed, operators can deploy PowerShell scripts to extract valuable data. One script pulls six months of browser history after forcibly closing the browser to unlock its database, sending the data to the operator through Telegram. A second script scans the victim's files for W-2 tax documents, targeting Social Security numbers, employer records, and salary information. The developer's Telegram channel also promotes VioletRAT, a tool with credential dumping and cookie theft capabilities. AWS access keys have been found in campaign logs, harvested from public-facing JavaScript files belonging to targeted organizations. These capabilities confirm the operation actively pursues high-value financial and corporate data beyond simple credential theft.
Over 500 distinct victim IP addresses were identified across 14 countries, with more than 90 percent of victims located in the United States. The operation already shows signs of growing downstream risk, with stolen credentials potentially being sold to ransomware groups through Initial Access Broker activity. Organizations can defend against The Quarry by maintaining an approved list of remote access tools and flagging any unexpected ScreenConnect installation immediately. Telegram API traffic from endpoints that do not normally use the platform should be investigated, as it may signal active exfiltration. Since government impersonation is central to this campaign, employees should know that the IRS and SSA never send executable downloads by email. Restricting VBScript execution from user-writable directories would further disrupt the VBS delivery chain before it can complete.
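As an added illustration of those defensive controls (example code written for this article, not from SOCRadar's report or any tool it describes), the following Python triage pass runs the four checks named above over a handful of process-creation and network-connection records: an unapproved ScreenConnect binary, a silent MSI install from a user-writable path, a VBScript run from a user directory, and Telegram API traffic from a host that never uses it. The record fields, host names, sample events, and allowlists are constructed assumptions.

```python
import re
# Hypothetical allowlists an organization would maintain (assumptions for this example).
APPROVED_RMM = {"teamviewer"}            # ScreenConnect deliberately absent from the approved set
HOSTS_ALLOWED_TELEGRAM = {"WS-PR-01"}    # endpoints that legitimately reach Telegram
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PKG_PATH = re.compile(r'"?([a-z]:\\[^"]*?\.(?:msi|vbs))"?', re.IGNORECASE)  # first .msi/.vbs path
SILENT_FLAG = re.compile(r"/(qn|quiet)\b", re.IGNORECASE)                  # msiexec silent switches
def user_writable(path):
    return path.lower().startswith(USER_WRITABLE)
def classify(ev):  # returns the names of the detections that fire for one event
    hits = []
    if ev["type"] == "process_create":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        pkg = m.group(1) if (m := PKG_PATH.search(cmd)) else ""
        # 1. ScreenConnect client or installer on a fleet where it is not an approved RMM tool
        if "screenconnect" in image + cmd.lower() and "screenconnect" not in APPROVED_RMM:
            hits.append("unexpected_screenconnect")
        # 2. Silent MSI install (/qn, /quiet) of a package sitting in a user-writable directory
        if image == "msiexec.exe" and pkg.lower().endswith(".msi") and SILENT_FLAG.search(cmd) and user_writable(pkg):
            hits.append("silent_msi_from_user_dir")
        # 3. VBScript run by a Windows script host from a user-writable directory
        if image in ("wscript.exe", "cscript.exe") and pkg.lower().endswith(".vbs") and user_writable(pkg):
            hits.append("vbs_from_user_dir")
    elif ev["type"] == "network_connect":
        # 4. Telegram API traffic from an endpoint that does not normally use Telegram
        if ev["dest_host"].lower().endswith("api.telegram.org") and ev["host"] not in HOSTS_ALLOWED_TELEGRAM:
            hits.append("telegram_api_unexpected_host")
    return hits

def triage(events):  # maps each host to the sorted list of distinct detections that fired on it
    out = {}
    for ev in events:
        for h in classify(ev):
            out.setdefault(ev["host"], set()).add(h)
    return {host: sorted(hits) for host, hits in out.items()}

# Constructed sample events (not real telemetry), following the delivery chain described above.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-FIN-07", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\SSA_Statement_2025.vbs"'},
    {"type": "process_create", "host": "WS-FIN-07", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\Security_Connector.msi" /qn'},
    {"type": "process_create", "host": "WS-FIN-07", "cmdline": '"ScreenConnect.ClientService.exe"',
     "image": r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"},
    {"type": "network_connect", "host": "WS-FIN-07", "dest_host": "api.telegram.org"},
    {"type": "network_connect", "host": "WS-PR-01", "dest_host": "api.telegram.org"},  # approved host
    {"type": "process_create", "host": "WS-HR-02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Deploy\teamviewer_host.msi" /qn'},  # approved RMM, admin-owned path
]
```

Only the workstation that went through the full chain surfaces, with all four detections; the approved Telegram host and the admin-deployed RMM package stay silent, which is the point of keeping the allowlists explicit rather than alerting on every RMM or MSI event.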