Cyber Web Spider Blog – News

Cybercriminals Exploit RMM Tools in Phishing Scams

Posted on June 16, 2026 By CWS

A sophisticated phishing campaign targeting U.S. taxpayers has been linked to a single cybercrime group known as The Quarry. This organized operation has been exploiting legitimate Remote Monitoring and Management (RMM) tools to deceive victims and steal sensitive information.

The Quarry’s Phishing-as-a-Service Model

Initially perceived as separate attacks impersonating the IRS, Social Security Administration, and other platforms, these incidents have been traced back to a developer offering a Phishing-as-a-Service (PhaaS) toolkit. This toolkit is sold to approximately 200 operators, enabling them to conduct phishing campaigns without creating their own tools.

Operating since at least April 2025, the toolkit provides a comprehensive suite including phishing pages, cloaking infrastructure, remote access panels, and scripts for post-exploitation activities. While tax season is a prime target, the operation adapts its tactics to remain effective throughout the year.

Cybersecurity Analysis and Threat Identification

Security experts at SOCRadar were instrumental in identifying the workings of The Quarry. They released a detailed report highlighting the activities of the threat actor, who is known by aliases such as RockyBelling and Mike. This individual manages a Telegram channel called Rocky War Room, used as a hub for product updates and support.

The campaign’s danger is amplified by its use of legitimate software like ConnectWise ScreenConnect, which gives attackers control of victims’ devices. Because the software is legitimate, this method avoids detection by traditional security measures that would typically flag known malware.

Impact and Preventative Measures

The Quarry’s operations pose a significant risk, with over 500 victim IP addresses identified across 14 countries, predominantly in the United States. The attack begins with deceptive emails that mimic official communications, such as IRS refund notices or SSA confirmations, leading victims to fake websites.

To mitigate these threats, organizations should maintain a list of approved remote access tools and investigate any unexpected installations of ScreenConnect. Monitoring Telegram API traffic for unusual activity can also help identify potential data exfiltration.
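The two checks above, written as detection logic and correlated per host. This is an added example, not code from the article or from SOCRadar's report. The approved-tool list, host names, inventory rows and proxy-log layout are constructed assumptions; `api.telegram.org` is Telegram's Bot API host.

```python
import csv
import io

APPROVED_RMM = {"teamviewer"}  # assumption: the only tool this org has approved
KNOWN_RMM = {"screenconnect", "teamviewer", "anydesk"}  # product-name fragments to look for
TELEGRAM_API = "api.telegram.org"
SANCTIONED_TELEGRAM_HOSTS = {"ops-bot01"}  # assumption: this host runs an approved bot

# Constructed sample data: inventory CSV, then proxy lines "time host destination bytes_out".
INVENTORY = """host,product,installed
wks-014,ScreenConnect Client (0a1b2c3d4e5f6071),2026-04-02
wks-022,TeamViewer,2025-09-01
wks-031,ScreenConnect Client (0a1b2c3d4e5f6071),2026-04-03
"""
PROXY_LOG = """2026-04-02T14:03:11Z wks-014 api.telegram.org 18234
2026-04-02T14:03:15Z wks-014 api.telegram.org 90211
2026-04-02T14:05:40Z ops-bot01 api.telegram.org 512
2026-04-02T14:06:02Z wks-022 www.irs.gov 1320
"""

def unapproved_rmm(inventory_csv):
    """Return {host: [products]} for remote-access tools not on the approved list."""
    hits = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        tool = next((t for t in KNOWN_RMM if t in row["product"].lower()), None)
        if tool and tool not in APPROVED_RMM:
            hits.setdefault(row["host"], []).append(row["product"])
    return hits

def telegram_talkers(proxy_log):
    """Return {host: (requests, bytes_out)} for unsanctioned Telegram API clients."""
    stats = {}
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        _, host, dest, sent = parts
        if dest.lower() == TELEGRAM_API and host not in SANCTIONED_TELEGRAM_HOSTS:
            n, b = stats.get(host, (0, 0))
            stats[host] = (n + 1, b + int(sent))
    return stats

def triage(inventory_csv, proxy_log):
    """Rank hosts: both signals present is 'high', a single signal is 'review'."""
    rmm, tg = unapproved_rmm(inventory_csv), telegram_talkers(proxy_log)
    return {h: ("high" if h in rmm and h in tg else "review")
            for h in sorted(set(rmm) | set(tg))}

if __name__ == "__main__":
    print(triage(INVENTORY, PROXY_LOG))
```

In practice the inventory would come from an endpoint-management or EDR export and the proxy lines from a web gateway, with the field parsing adjusted to match.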

Conclusion and Future Outlook

The Quarry continues to be a formidable threat due to its adaptability and use of legitimate software to carry out its attacks. Organizations must remain vigilant and educate their employees about the dangers of phishing scams, especially those impersonating government agencies. By implementing strict access controls and monitoring unusual activities, businesses can better protect themselves against such sophisticated cyber threats.
