CyberSecurity SEE

Hackers Exploit the Quarry PhaaS Ecosystem to Target U.S. Victims with IRS Phishing Scams

In a significant revelation regarding cybercrime operations, a lone developer known by the pseudonym RockyBelling has reportedly created a sophisticated PhaaS (Phishing-as-a-Service) and MaaS (Malware-as-a-Service) ecosystem, which is now being employed by affiliates globally to launch targeted phishing campaigns aimed primarily at U.S. victims, focusing on IRS and Social Security Administration themes.

Recent investigative analysis conducted by SOCRadar, spanning the period from April 2025 to April 2026, has established connections among nearly 200 affiliates utilizing a commercially available toolkit. This toolkit features advanced cloaking capabilities, versatile payload options, real-time victim telemetry through Telegram communication, and self-hosted remote monitoring and management (RMM) panels, all designed to transform credential theft into sustained access for cybercriminals.

At the heart of this enterprise lies a meticulously sold and supported suite of products. This includes phishing kits endowed with an Adspect cloaking feature, a mass-mailing tool dubbed Rocky Gmail Sender, and specialized credential harvesting panels. The offering further extends to post-exploitation PowerShell scripts and self-hosted ScreenConnect RMM panels that are provisioned uniquely for each affiliate.

RockyBelling manages a Telegram channel named Rocky War Room, which not only operates as a storefront for his criminal services but also serves as a support desk and an announcement platform. This multifaceted channel is crucial for facilitating communication between RockyBelling and his network of affiliates.

Analysis indicates that the available code and related artifacts tied to RockyBelling’s GitLab account, along with unique embedded Telegram bot tokens and infrastructure fingerprints, provide a pathway for attributing the operation to this singular developer. Continuous updates and enhancements are a hallmark of RockyBelling’s operation, exemplified by the April 2026 introduction of a Visual Basic Script (VBS) dropper featuring a User Account Control (UAC) bypass.

The operational framework of this phishing ecosystem is intricately layered, employing advanced filtering techniques and precise targeting strategies. The initial checks block non-Windows User-Agents and redirect likely web crawlers to benign pages. A second cloaking layer, Adspect, fingerprints the visiting browser (WebGL, timezone, touch events, and other telemetry) so that the phishing page is served only to profiles that look like real human visitors on Windows systems.

The malware uses URL-fragment randomization and changes download directories with each visit, thus complicating automated analysis and stymying static blocklisting efforts. Under multiple aliases, including Rock, Rockky, and Mike, RockyBelling’s activities extend to employing the aforementioned Telegram channel, which contained 194 subscribers at the time of initial analysis.

Victims navigating to the deceptive pages, which convincingly mimic IRS or Social Security portals, are subtly guided into downloading a “Security Connector.” This maneuver normalizes the execution of the installer that follows, further embedding the malware capabilities into the victim’s system.

SOCRadar has designated this cybercrime ecosystem as “The Quarry,” which has been operational since at least April 2025. The method of payload delivery typically favors the use of legitimate remote management software, granting affiliates access to ScreenConnect MSI or EXE files designed to install unnoticed and furnish interactive remote access.

Throughout the investigative timeline, analysts identified over 40 distinct ScreenConnect panels along with more than 80 campaign domains utilized for these deceptive operations. Telegram primarily serves as the lightweight command-and-control (C2) and telemetry backbone for the operation, instantly relaying critical data—such as victim download events, IPs, and timestamps—to affiliate bots.

The technical framework of this operation incorporates PHP files with randomly generated names that run sophisticated browser fingerprinting routines through Adspect. Because the resulting telemetry is pushed to affiliates over Telegram, the monitoring model is mobile-centric: operators can quickly assess victims and respond from a phone without relying on persistent desktop infrastructure.

In April 2026, RockyBelling’s enhancement of a VBS dropper further improved the success rate of the operation by bypassing various web delivery phases altogether. This obfuscated script seeks elevated privileges via a UAC prompt, quietly installs the RMM while simultaneously opening a decoy PDF to maintain the illusion of legitimacy, and erases forensic traces once the installation is complete.

Moreover, specialized post-exploitation tools tackle U.S. tax fraud directly. PowerShell scripts are utilized to harvest the last six months of a victim’s browser history while systematically searching for W-2 files, exfiltrating this sensitive data directly to Telegram.

A small percentage of victims are believed to include U.S.-based individuals working remotely from abroad, those with U.S. tax obligations but residing internationally, and users employing VPN services. Notable countries identified among the non-U.S. victims encompass Egypt, Brazil, Germany, Japan, and Canada.

Logs retrieved from the monitored bot network further expose AWS credentials among other corporate secrets being captured. Evidence suggests involvement in Initial Access Broker activities, leading to potential downstream sales of obtained credentials to groups engaged in ransomware attacks.

To effectively combat such sophisticated operations, security professionals must prioritize detecting the unique technical signatures associated with RockyBelling’s tooling. These include patterns such as Adspect stream_id reuse across varying domains, characteristic PHP filenames, and unique payload naming conventions, along with Telegram bot tokens embedded in the web server code.
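The hunting approach described above (correlating reusable kit artifacts across domains) can be automated over captured page sources. The following is an added example written for this article, not code from SOCRadar or from the kit; the variable name `stream_id`, the random-PHP-filename length range, the sample domains, and the token and stream values are all constructed assumptions, and the Telegram token shape (numeric bot id, a colon, a 35-character secret) is the public format of Bot API tokens.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Telegram bot tokens have the shape <numeric bot id>:<35-character secret>.
TELEGRAM_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"
)
# Assumption: the kit keeps its Adspect stream id in a variable literally named
# stream_id holding a UUID-like value. The real variable name is not in the article.
STREAM_ID_RE = re.compile(r"stream_id\s*[=:]\s*['\"]([0-9a-fA-F-]{36})['\"]")
# Assumption: the "characteristic PHP filenames" are random 8-16 character lowercase
# alphanumeric stems; ordinary names such as index.php fall outside this range.
PHP_FILE_RE = re.compile(r"\b([a-z0-9]{8,16})\.php\b")

# Constructed sample artifacts; the token and stream id are deliberately fake.
FAKE_TOKEN = "123456789:AA" + "FAKE" * 8 + "F"
FAKE_STREAM = "00000000-1111-2222-3333-444444444444"

# Constructed page sources as a defender might capture them from three domains.
SAMPLE_PAGES = {
    "irs-refund-verify.example": (
        "<?php\n$bot_token = '" + FAKE_TOKEN + "';\n"
        "$stream_id = '" + FAKE_STREAM + "';\n"
        "include 'k3x9qpz2a7.php';\n"
    ),
    "ssa-benefits-secure.example": (
        "<?php\n$bot_token = '" + FAKE_TOKEN + "';\n"
        "$stream_id = '" + FAKE_STREAM + "';\n"
        "include 'p8m2vh4tq6.php';\n"
    ),
    "unrelated-shop.example": "<?php\ninclude 'index.php';\n$stream_id = 'none';\n",
}


def extract_artifacts(page_source: str) -> dict[str, set[str]]:
    """Pull the reusable identifiers out of one captured kit page."""
    return {
        "telegram_token": set(TELEGRAM_TOKEN_RE.findall(page_source)),
        "stream_id": set(STREAM_ID_RE.findall(page_source)),
        "php_file": set(PHP_FILE_RE.findall(page_source)),
    }


def cluster_by_artifact(pages: dict[str, str]) -> dict[tuple[str, str], set[str]]:
    """Invert the extraction: (artifact kind, value) -> domains where it appears."""
    index: dict[tuple[str, str], set[str]] = defaultdict(set)
    for domain, source in pages.items():
        for kind, values in extract_artifacts(source).items():
            for value in values:
                index[(kind, value)].add(domain)
    return dict(index)


def shared_artifacts(
    pages: dict[str, str], min_domains: int = 2
) -> dict[tuple[str, str], list[str]]:
    """Artifacts reused on at least min_domains domains: the signal that ties
    separate-looking phishing sites to one kit."""
    return {
        key: sorted(domains)
        for key, domains in cluster_by_artifact(pages).items()
        if len(domains) >= min_domains
    }


def redact(value: str) -> str:
    """Keep just enough of a secret to correlate on, so live tokens are not
    copied verbatim into tickets or reports."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else value


if __name__ == "__main__":
    for (kind, value), domains in shared_artifacts(SAMPLE_PAGES).items():
        print(f"{kind:15} {redact(value):20} reused on {len(domains)} domains: {', '.join(domains)}")
```

On the constructed input, the bot token and the stream id are each reported as shared by the two lure domains while the unrelated site produces nothing; in practice the same inversion works on any page-capture corpus, and the redacted value is what goes into the block request.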

Organizations are urged to implement robust practices, including blocking known malicious domain clusters, monitoring outgoing connections to suspicious RMM panels, restricting the use of Telegram API calls from corporate networks, and enforcing strict policies regarding email attachments and script handling.
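The controls listed above can be checked against egress logs. The following is an added example, not code from the article or from SOCRadar: it runs a few detection rules over a constructed proxy log (campaign-domain blocklist, installer downloads from untrusted hosts, connections that look like a self-hosted ScreenConnect panel, and Telegram Bot API calls from hosts with no sanctioned reason to make them). The log format, the domain blocklist, the allowlists, and the assumption that panels are reached on ScreenConnect's default ports 8040/8041 are all assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed proxy log in a simple space-separated layout:
# timestamp source_ip dest_host dest_port method path
SAMPLE_LOG = """\
2026-04-12T09:14:05Z 10.1.2.3 www.irs.gov 443 GET /refunds
2026-04-12T09:14:09Z 10.1.2.3 irs-refund-verify.example 443 GET /k3x9qpz2a7.php
2026-04-12T09:14:31Z 10.1.2.3 irs-refund-verify.example 443 GET /Security-Connector.msi
2026-04-12T09:15:02Z 10.1.2.3 panel-a.example 8041 CONNECT -
2026-04-12T09:15:40Z 10.1.2.3 api.telegram.org 443 POST /bot000000000:PLACEHOLDER/sendDocument
2026-04-12T09:16:00Z 10.9.9.9 api.telegram.org 443 POST /bot000000000:PLACEHOLDER/sendMessage
"""

# Constructed blocklist standing in for the "known malicious domain clusters".
KNOWN_CAMPAIGN_DOMAINS = {"irs-refund-verify.example", "ssa-benefits-secure.example"}
# Constructed allowlists: hosts permitted to fetch installers / reach the Bot API.
TRUSTED_DOWNLOAD_HOSTS = {"software.corp.example"}
TELEGRAM_ALLOWLIST = {"10.9.9.9"}
# Assumption: self-hosted ScreenConnect panels are reached on the product's default
# web/relay ports 8040/8041; adjust to what your own telemetry shows.
RMM_PORTS = {8040, 8041}
RMM_HINT_RE = re.compile(r"screenconnect|connectwisecontrol", re.IGNORECASE)
INSTALLER_RE = re.compile(r"\.(msi|exe)$", re.IGNORECASE)

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    reasons: tuple[str, ...]


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line; return None for lines in another shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, method, path = m.groups()
    return {"ts": ts, "src": src, "host": host.lower(), "port": int(port),
            "method": method, "path": path}


def in_domain_cluster(host: str) -> bool:
    """Exact or subdomain match against the campaign blocklist."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_CAMPAIGN_DOMAINS)


def classify(rec: dict) -> list[str]:
    """Apply the rules in a fixed order and return every reason that fires."""
    reasons: list[str] = []
    if in_domain_cluster(rec["host"]):
        reasons.append("known_campaign_domain")
    # The lure delivers an MSI/EXE "Security Connector"; an installer fetched from
    # anywhere but a trusted software host deserves a look.
    if INSTALLER_RE.search(rec["path"]) and rec["host"] not in TRUSTED_DOWNLOAD_HOSTS:
        reasons.append("installer_download_untrusted")
    if rec["port"] in RMM_PORTS or RMM_HINT_RE.search(rec["host"] + rec["path"]):
        reasons.append("rmm_panel_indicator")
    # Post-exploitation exfiltration goes to the Bot API; corporate endpoints
    # normally have no business talking to it.
    if rec["host"] == "api.telegram.org" and rec["src"] not in TELEGRAM_ALLOWLIST:
        reasons.append("telegram_api_from_unsanctioned_host")
    return reasons


def scan(log_text: str) -> list[Alert]:
    """Run every rule over every parsable line and collect the hits."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append(Alert(rec["ts"], rec["src"], rec["host"], tuple(reasons)))
    return alerts


def hosts_by_alert_count(alerts: list[Alert]) -> dict[str, int]:
    """Group hits per source so one endpoint tripping several stages stands out."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a.ts, a.src, a.host, ", ".join(a.reasons))
    print(hosts_by_alert_count(found))
```

On the sample, the single endpoint 10.1.2.3 trips four rules in sequence (lure page, installer, panel port, Bot API), which is the kind of chained signal the article's closing advice asks defenders to look for, while the allowlisted host's Telegram call is ignored.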

The Quarry serves as a sobering example of how a singular yet well-supported cybercriminal product can amplify affiliate operations while deftly evading conventional detection mechanisms. Public and private sector defenders are advised to recognize these campaigns as interconnected service-driven threats, necessitating proactive measures to hunt for reusable artifacts rather than treating them as isolated phishing incidents.
