The Quarry: Inside the PhaaS Operation Behind Hundreds of IRS and SSA Phishing Campaigns
ID: 96b08715-af1c-5138-93c0-7d8d83d0b2e7
STIX ID: report--96b08715-af1c-5138-93c0-7d8d83d0b2e7
Feed Name: SOCRadar Blog
Threat Score
SOCRadar documents "The Quarry," a commercialized phishing ecosystem operated by "RockyBelling" that provides nearly 200 affiliates with customizable phishing kits, Adspect-based cloaking, Telegram-based victim logging, self-hosted ScreenConnect RMM installers (used as final payload), and a VBS dropper with UAC bypass; the operation has been active since April 2025, targets mostly U.S. taxpayers and enterprise sectors, and includes IoCs and detection/mitigation guidance.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
