A sophisticated phishing campaign targeting U.S. taxpayers has been linked to a single cybercrime group known as The Quarry. This organized operation has been exploiting legitimate Remote Monitoring and Management (RMM) tools to deceive victims and steal sensitive information.
The Quarry’s Phishing-as-a-Service Model
Initially perceived as separate attacks impersonating the IRS, Social Security Administration, and other platforms, these incidents have been traced back to a developer offering a Phishing-as-a-Service (PhaaS) toolkit. This toolkit is sold to approximately 200 operators, enabling them to conduct phishing campaigns without creating their own tools.
Operating since at least April 2025, the toolkit provides a comprehensive suite including phishing pages, cloaking infrastructure, remote access panels, and scripts for post-exploitation activities. While tax season is a prime target, the operation adapts its tactics to remain effective throughout the year.
Cybersecurity Analysis and Threat Identification
Security experts at SOCRadar were instrumental in identifying the workings of The Quarry. They released a detailed report highlighting the activities of the threat actor, who is known by aliases such as RockyBelling and Mike. This individual manages a Telegram channel called Rocky War Room, used as a hub for product updates and support.
The campaign’s danger is amplified by its use of legitimate software such as ConnectWise ScreenConnect, which gives attackers remote control of victims’ devices. Because the tool is a signed, widely used product rather than known malware, it is far less likely to be flagged by traditional security controls that rely on malware signatures.
Impact and Preventative Measures
The Quarry’s operations pose a significant risk, with over 500 victim IP addresses identified across 14 countries, predominantly in the United States. The attack begins with deceptive emails that mimic official communications, such as IRS refund notices or SSA confirmations, leading victims to fake websites.
To mitigate these threats, organizations should maintain an allowlist of approved remote access tools and investigate any ScreenConnect installation that is not on it or that was not performed through the expected deployment process. Monitoring outbound traffic to the Telegram API for unexpected activity can also help identify potential data exfiltration.
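As an added example (not from the article or from SOCRadar’s report), the following Python script implements the two checks above over constructed sample data: an endpoint software inventory is compared against an RMM allowlist, a few proxy log lines are scanned for Telegram Bot API calls, and hosts that show up in both lists are surfaced first. The hostnames, account names, log line format, and the allowlist policy (ScreenConnect is approved only when installed by the svc_deploy account) are all assumptions made for the example.

```python
"""Added example: RMM allowlist check plus Telegram Bot API traffic check.
All sample data below is constructed; the log format is an assumption."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledSoftware:
    host: str
    product: str       # display name from the endpoint software inventory
    publisher: str
    installed_by: str  # account that performed the install


# Hypothetical policy (assumption): ScreenConnect from ConnectWise is approved
# only when deployed by the IT deployment account. Everything else is unexpected.
APPROVED_RMM = [
    (re.compile(r"screenconnect", re.IGNORECASE), "connectwise", {"svc_deploy"}),
]

# Name fragments that identify RMM products; extend with whatever your org uses.
RMM_NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"screenconnect", r"connectwise")]


def is_rmm(product: str) -> bool:
    return any(p.search(product) for p in RMM_NAME_PATTERNS)


def find_unapproved_rmm(inventory):
    """Return one finding per RMM install that is off-policy."""
    findings = []
    for item in inventory:
        if not is_rmm(item.product):
            continue
        allowed_accounts = next(
            (accts for pat, pub, accts in APPROVED_RMM
             if pat.search(item.product) and pub == item.publisher.lower()),
            None,
        )
        if allowed_accounts is None:
            reason = "product/publisher not on RMM allowlist"
        elif item.installed_by not in allowed_accounts:
            reason = f"installed by unexpected account {item.installed_by}"
        else:
            continue
        findings.append({"host": item.host, "product": item.product, "reason": reason})
    return findings


# Assumed proxy log format: "<ts> host=<h> dst=<fqdn>:<port> method=<m> path=<p> bytes_out=<n>"
PROXY_LINE = re.compile(
    r"host=(?P<host>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)\s+method=(?P<method>\S+)"
    r"\s+path=(?P<path>\S+)\s+bytes_out=(?P<bytes_out>\d+)"
)
# Telegram Bot API paths look like /bot<token>/<method>; the token is a secret.
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<api_method>\w+)")


def find_telegram_api_traffic(log_lines):
    """Return one finding per request to the Telegram Bot API, token redacted."""
    findings = []
    for line in log_lines:
        m = PROXY_LINE.search(line)
        if not m or m["dst"].lower() != "api.telegram.org":
            continue
        path_m = BOT_PATH.match(m["path"])
        findings.append({
            "host": m["host"],
            "api_method": path_m["api_method"] if path_m else "?",
            "bytes_out": int(m["bytes_out"]),
            "path": BOT_PATH.sub(r"/bot<redacted>/\g<api_method>", m["path"]),
        })
    return findings


def hosts_with_both(inventory, log_lines):
    """Hosts with an off-policy RMM install AND Telegram API traffic: triage first."""
    rmm_hosts = {f["host"] for f in find_unapproved_rmm(inventory)}
    tg_hosts = {f["host"] for f in find_telegram_api_traffic(log_lines)}
    return sorted(rmm_hosts & tg_hosts)


# Constructed sample data (not real hosts, accounts, or tokens).
SAMPLE_INVENTORY = [
    InstalledSoftware("WS-01", "ScreenConnect Client (a1b2c3)", "ConnectWise", "svc_deploy"),
    InstalledSoftware("WS-07", "ScreenConnect Client (9f8e7d)", "ConnectWise", "jdoe"),
    InstalledSoftware("WS-07", "Microsoft Edge", "Microsoft", "SYSTEM"),
    InstalledSoftware("WS-12", "ScreenConnect Client (0000aa)", "Unknown Publisher", "jsmith"),
]
SAMPLE_PROXY_LOG = [
    "2025-04-12T10:01:02Z host=WS-07 dst=api.telegram.org:443 method=POST "
    "path=/bot123456:AAEXAMPLETOKEN/sendDocument bytes_out=48231",
    "2025-04-12T10:01:05Z host=WS-03 dst=www.example.org:443 method=GET path=/refunds bytes_out=512",
    "2025-04-12T10:02:10Z host=WS-07 dst=api.telegram.org:443 method=POST "
    "path=/bot123456:AAEXAMPLETOKEN/sendMessage bytes_out=210",
]

if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_INVENTORY):
        print("RMM:", f)
    for f in find_telegram_api_traffic(SAMPLE_PROXY_LOG):
        print("TELEGRAM:", f)
    print("Triage first:", hosts_with_both(SAMPLE_INVENTORY, SAMPLE_PROXY_LOG))
```

Run against the constructed data, the script flags WS-07 (ScreenConnect installed by a non-deployment account) and WS-12 (unknown publisher), reports two Bot API calls from WS-07 with the bot token redacted, and lists WS-07 as the host to triage first. The bot token is redacted because a finding that carries it would otherwise spread a credential through ticketing and chat systems; `sendDocument` with a large `bytes_out` is the pattern worth a closer look, since that is the call used to upload files.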
Conclusion and Future Outlook
The Quarry continues to be a formidable threat due to its adaptability and use of legitimate software to carry out its attacks. Organizations must remain vigilant and educate their employees about the dangers of phishing scams, especially those impersonating government agencies. By implementing strict access controls and monitoring unusual activities, businesses can better protect themselves against such sophisticated cyber threats.
