Cybercriminals Exploit RMM Tools in Sophisticated Phishing Campaigns

Cybercriminals are increasingly exploiting legitimate Remote Monitoring and Management (RMM) tools to gain unauthorized access to systems through sophisticated phishing campaigns. These attacks often impersonate trusted entities such as the Internal Revenue Service (IRS) and the Social Security Administration (SSA) to deceive victims into installing RMM software, granting attackers full control over their devices.

One notable operation, known as The Quarry, has been active since at least April 2025. This Phishing-as-a-Service (PhaaS) toolkit provides cybercriminals with all the necessary components to launch comprehensive phishing campaigns without developing their own tools. The Quarry offers phishing pages, cloaking infrastructure, remote access panels, bulk email tools, and post-exploitation scripts. While tax season is a prime target, the operation adapts its lures year-round to maintain effectiveness.

The Quarry’s developer, operating under aliases such as RockyBelling, Rock, Rockky, and Mike, manages a Telegram channel called Rocky War Room, which serves as a product catalog, support desk, and announcement board for new tool releases. This channel had 194 subscribers at the time of analysis, indicating a significant user base for the PhaaS toolkit.

A particularly concerning aspect of these campaigns is the use of legitimate RMM software like ConnectWise ScreenConnect as the final payload. Instead of deploying traditional malware, attackers deliver a silent installation of this trusted remote access tool, allowing them to gain full control over a victim’s device while evading detection by standard security measures.

The attack process typically begins with bulk emails designed to resemble official communications from entities like the IRS or SSA. These emails contain links that, when clicked, lead to phishing sites that filter out non-Windows visitors and automated security scanners. The phishing pages convincingly replicate official portals, complete with seals and familiar layouts, to deceive victims into downloading a “Security Connector.” Unbeknownst to the user, this action triggers a silent download and installation of the ScreenConnect MSI installer, granting attackers remote access to the system.
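The detection side of the chain just described is what a defender can act on: the lure ends in a silent `msiexec` run of a ScreenConnect installer that arrived through the browser. The following added example (not code from the article, The Quarry, or ConnectWise) scores constructed process-creation events for that pattern: a quiet-install flag, an MSI under a user-writable download location, a browser as the parent process, and an installer name matching ScreenConnect or the "Security Connector" lure. The log layout, field names, path list and browser list are assumptions for illustration, not any vendor's schema.

```python
"""Score msiexec process-creation events for silent RMM installs dropped via a browser.

Added example for this article. The pipe-separated event format, the browser list,
the user-writable path list and the scoring thresholds are assumptions, not a real
EDR schema or any vendor's detection content.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample events (invented format): timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2025-04-14T10:01:12Z|WS-0412|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Users\jdoe\Downloads\Security_Connector.msi" /quiet /norestart
2025-04-14T10:05:33Z|WS-0412|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.msi" /qn
2025-04-14T11:20:07Z|WS-0099|C:\Windows\System32\svchost.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\ProgramData\Deploy\7zip.msi" /qn
2025-04-14T12:44:51Z|WS-0321|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i "C:\Users\asmith\Downloads\invoice.msi"
""".strip()

# Assumed lists; tune to the environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")

# msiexec quiet/passive switches: /q, /qn, /qb-, /quiet, /passive (either / or - prefix)
QUIET_FLAG = re.compile(r"(?<!\S)[/-](?:q[nbrf]?[-!+]*|quiet|passive)(?!\S)", re.I)
# Quoted or bare .msi path on the command line
MSI_PATH = re.compile(r'"([^"]+?\.msi)"|(\S+\.msi)', re.I)
# Installer names tied to the campaign described in the article (plus the vendor name)
RMM_NAME = re.compile(r"screenconnect|connectwise|security[_ -]?connector", re.I)


@dataclass
class Finding:
    timestamp: str
    host: str
    severity: str
    score: int
    msi_path: str
    reasons: list[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(parent: str, cmd: str) -> tuple[int, str, list[str]]:
    """Return (score, msi_path, reasons) for one msiexec command line."""
    score, reasons = 0, []
    m = MSI_PATH.search(cmd)
    msi_path = (m.group(1) or m.group(2)) if m else ""
    if QUIET_FLAG.search(cmd):
        score += 2
        reasons.append("quiet install flag")
    if basename(parent) in BROWSERS:
        score += 2
        reasons.append(f"spawned by browser {basename(parent)}")
    if any(d in msi_path.lower() for d in USER_WRITABLE_DIRS):
        score += 1
        reasons.append("installer in user-writable download location")
    if RMM_NAME.search(basename(msi_path)):
        score += 3
        reasons.append("installer name matches RMM/lure pattern")
    return score, msi_path, reasons


def analyze(log_text: str) -> list[Finding]:
    """Parse events and return findings that reach the medium (3) or high (5) threshold."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split("|", 4)
        if basename(image) != "msiexec.exe":
            continue
        score, msi_path, reasons = score_event(parent, cmd)
        severity = "high" if score >= 5 else "medium" if score >= 3 else None
        if severity:
            findings.append(Finding(ts, host, severity, score, msi_path, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.severity.upper()} ({f.score}) {f.msi_path}: {'; '.join(f.reasons)}")
```

The managed 7-Zip rollout from `svchost.exe` scores only on the quiet flag and stays below the threshold, while both ScreenConnect-named installers from a user's Downloads folder score high regardless of whether the browser or Explorer launched them; the unquiet `invoice.msi` run from Firefox lands at medium, which is the tier worth triaging rather than paging on. Weights are a starting point: in environments where an approved RMM is deployed through a software-distribution service, add the distribution path to an allowlist rather than lowering the RMM-name weight.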

Analysts have identified over 500 distinct victim IP addresses across 14 countries, with more than 90% located in the United States. This widespread impact underscores the effectiveness and reach of these phishing campaigns.

In addition to The Quarry, other threat actors have been observed leveraging RMM tools in similar campaigns. For instance, the Iranian state-sponsored group MuddyWater has abused the Atera Agent RMM tool to deliver malware, demonstrating a broader trend of misusing legitimate software for malicious purposes.

These developments highlight the evolving tactics of cybercriminals who exploit trusted tools to bypass traditional security measures. Organizations must remain vigilant, implementing controls that prevent unauthorized software installation and educating users about the risks of phishing campaigns and of installing software outside approved channels.

As cyber threats continue to evolve, the abuse of legitimate RMM tools in phishing campaigns represents a significant challenge for cybersecurity professionals. The ability of attackers to blend malicious activities with legitimate network traffic makes detection and prevention increasingly difficult. Organizations must adopt a multi-layered security approach, combining advanced threat detection systems with comprehensive user education to mitigate the risks posed by these sophisticated attacks.