Hackers Abuse Legitimate RMM Tools in The Quarry IRS and SSA Phishing Campaigns
A wave of phishing campaigns targeting American taxpayers has been traced back to a single, highly organized cybercrime operation known as The Quarry.
What appeared to be dozens of unrelated incidents impersonating the IRS, Social Security Administration, and platforms like DocuSign turned out to be the work of one developer selling a Phishing-as-a-Service (PhaaS) toolkit to nearly 200 paying operators.
The operation has been active since at least April 2025 and continues to run at the time of reporting.
The toolkit gives buyers everything they need to launch a full campaign without building a single tool themselves. Operators receive phishing pages, cloaking infrastructure, remote access panels, bulk email tools, and post-exploitation scripts.
Tax season is the most exploited window, but the operation runs year-round, adapting its lures to whatever pretext is most convincing.
Analysts at SOCRadar were the first to identify and document this ecosystem, naming it The Quarry in a report shared with Cyber Security News (CSN).
The threat actor behind it operates under the alias RockyBelling, also known as Rock, Rockky, and Mike, and runs a Telegram channel called Rocky War Room, which had 194 subscribers at the time of analysis.
The channel functions as a product catalog, support desk, and announcement board for new tool releases.
What makes The Quarry especially dangerous is its use of legitimate remote monitoring and management software as the final payload.
Instead of deploying recognizable malware, operators deliver a silent installation of ConnectWise ScreenConnect, a widely trusted remote access tool.
This lets attackers gain full control over a victim’s device while bypassing detection tools that would normally flag traditional malware.
The operation already shows signs of growing downstream risk, with stolen credentials potentially being sold to ransomware groups through Initial Access Broker activity.

Over 500 distinct victim IP addresses were identified across 14 countries, with more than 90 percent of victims located in the United States.
Hackers Abuse Legitimate RMM Tools
The attack begins with a bulk email designed to look like an IRS refund notice, an SSA tax filing confirmation, or a document shared through a trusted platform.
When a victim clicks the link, the site quietly filters out non-Windows visitors and automated security scanners. A second layer uses Adspect, a traffic cloaking service, to block researchers before the fake page ever loads.
The phishing page replicates the Social Security Administration portal with convincing detail, including the SSA seal and familiar layout sections.

Victims are told to download a “Security Connector” to access their statement, while the real payload, a ScreenConnect MSI installer, downloads silently through a hidden webpage frame.
In April 2026, the developer released a VBS dropper sent by email that installs ScreenConnect silently while opening a decoy PDF to distract the victim.
Post-Exploitation Tools and Victim Impact
Once ScreenConnect is installed, operators can deploy PowerShell scripts to extract valuable data. One script pulls six months of browser history after forcibly closing the browser to unlock its database, sending the data to the operator through Telegram.
A second script scans the victim’s files for W-2 tax documents, targeting Social Security numbers, employer records, and salary information.
The developer’s Telegram channel also promotes VioletRAT, a tool with credential dumping and cookie theft capabilities.
AWS access keys have been found in campaign logs, harvested from public-facing JavaScript files belonging to targeted organizations.
These capabilities confirm the operation actively pursues high-value financial and corporate data beyond simple credential theft.
Organizations can defend against The Quarry by maintaining an approved list of remote access tools and flagging any unexpected ScreenConnect installation immediately.
Telegram API traffic from endpoints that do not normally use the platform should be investigated, as it may signal active exfiltration.
Since government impersonation is central to this campaign, employees should know that the IRS and SSA never send executable downloads by email. Restricting VBScript execution from user-writable directories would further disrupt the VBS delivery chain before it can complete.
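One way to operationalise the three controls above as detection logic over endpoint telemetry: an allowlist check for ScreenConnect on hosts not approved for it, Telegram API egress from hosts with no baseline use of it, and VBScript launched from a user-writable directory. This is an added example, not code from SOCRadar or the article; the Sysmon-style field names, the allowlist and baseline host sets, and the sample events are all assumptions constructed for illustration.

```python
"""Detection pass over constructed Sysmon-style events (added example).
Field names follow Sysmon conventions (EventID 1 = process create,
EventID 3 = network connect); this is an assumption, not a real feed."""
import re

# Assumed allowlist of hosts where ScreenConnect is sanctioned, and an
# assumed baseline of hosts that legitimately talk to the Telegram API.
APPROVED_RMM_HOSTS = {"helpdesk-01"}
TELEGRAM_BASELINE_HOSTS = set()

# User-writable locations from which a script host should not be running .vbs
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def check_event(ev):
    """Return the list of alert names triggered by a single event dict."""
    alerts = []
    host = ev.get("Computer", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == 1:
        # Control 1: any ScreenConnect binary or installer on a non-approved host
        if ("screenconnect" in image or "screenconnect" in cmd) and host not in APPROVED_RMM_HOSTS:
            alerts.append("unexpected_screenconnect")
        # Control 3: wscript/cscript running a .vbs out of a user-writable path
        exe = image.rsplit("\\", 1)[-1]
        if exe in SCRIPT_HOSTS and ".vbs" in cmd and USER_WRITABLE.search(cmd):
            alerts.append("vbs_from_user_writable")
    elif ev.get("EventID") == 3:
        # Control 2: Telegram API traffic from a host with no baseline use of it
        dest = ev.get("DestinationHostname", "").lower()
        if dest.endswith("api.telegram.org") and host not in TELEGRAM_BASELINE_HOSTS:
            alerts.append("telegram_api_egress")
    return alerts


def scan(events):
    """Run every event through check_event and return (host, alert) pairs."""
    return [(ev["Computer"], a) for ev in events for a in check_event(ev)]


# Constructed sample telemetry; paths and file names are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec /i "C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.msi"'},
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\statement.vbs"'},
    {"EventID": 3, "Computer": "WS-042", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 1, "Computer": "HELPDESK-01", "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "CommandLine": "ScreenConnect.ClientService.exe"},
]
```

The fourth sample event shows the allowlist suppressing a true positive on the approved help-desk host; tune the host sets to your environment rather than shipping the sample values.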
Indicators of Compromise (IoCs):
The post Hackers Abuse Legitimate RMM Tools in The Quarry IRS and SSA Phishing Campaigns appeared first on Cyber Security News.
Tushar Subhra Dutta