Hackers Use Legitimate RMM Tools in IRS and SSA Phishing Campaigns


A phishing-as-a-service operation called The Quarry is helping cybercriminals impersonate the IRS, the Social Security Administration, DocuSign, Adobe, Microsoft, and other trusted brands to trick victims into installing legitimate remote access software.

According to SOCRadar, the operation has been active since at least April 2025 and remains active in 2026. Researchers attribute the ecosystem to a single developer operating under the handles RockyBelling, Rockky, Rock, and Mike, who built and maintains a modular phishing and malware-as-a-service platform used by nearly 200 affiliates.

The campaign stands out because it does not rely on traditional malware as its main payload. Instead, operators abuse ConnectWise ScreenConnect, a legitimate remote monitoring and management tool, to gain remote access to Windows systems after victims are tricked into running a fake “Security Connector.”

The Quarry Turns Phishing Into a Managed Criminal Service

The Quarry gives operators the infrastructure needed to run full phishing campaigns without building their own tools. Buyers can use phishing pages, traffic cloaking, self-hosted ScreenConnect panels, bulk email tools, payload staging systems, Telegram bots, and post-exploitation scripts.

The lures often focus on tax season. Emails impersonate IRS refund notices, SSA tax filing confirmations, W-2 workflows, and document-sharing services. However, the same backend can also support other themes, including Adobe, Dropbox, DocuSign, Microsoft, Messenger, and event invitation scams.

The SOCRadar report found more than 80 domains, more than 40 ScreenConnect panels, and more than 500 distinct victim IP addresses across 14 countries between April 2025 and April 2026. More than 90% of observed victims were in the United States.

Campaign element          | How The Quarry uses it
Government impersonation  | Fake IRS and SSA pages are used to make victims trust the download prompt
Brand impersonation       | DocuSign, Adobe, Dropbox, Microsoft, and other trusted platforms appear in lure themes
RMM payload               | ScreenConnect is installed to give attackers remote control of the victim system
Traffic cloaking          | Adspect filters out researchers, bots, scanners, and non-Windows visitors
Telegram bots             | Operators receive victim notifications and exfiltrated data through Telegram

ScreenConnect Abuse Makes the Attack Harder to Detect

ScreenConnect is a real remote support platform used by businesses for IT troubleshooting and device management. That makes it useful for attackers: it is a commercially signed, widely deployed product that endpoint controls and allow-lists often trust, so its installation and outbound traffic draw less scrutiny than unknown malware would.

Red Canary warned that remote monitoring and management tools are legitimate administrative utilities, but attackers abuse them because they are reliable, easy to use, and capable of giving full control over a compromised endpoint.

Malwarebytes previously reported a similar SSA-themed phishing campaign that tricked users into installing ScreenConnect by pretending to offer a Social Security statement. The Quarry builds on the same idea but packages it into a broader service that affiliates can reuse across many campaigns.

How the IRS and SSA Phishing Attack Works

The attack usually starts with a phishing email. The message may claim that the recipient has a tax refund, a Social Security statement, a filing confirmation, a shared document, or another time-sensitive notice.

When the victim clicks the link, the phishing kit filters the visitor before showing the fake page. It checks whether the visitor uses Windows, then applies Adspect cloaking to separate real victims from automated scanners, sandboxes, and researchers.

If the visitor passes the checks, the fake page loads. In the SSA-themed version, the page copies government-style branding and prompts the victim to download a “Security Connector” to access a statement. The download is actually a ScreenConnect installer.

  1. The victim receives a phishing email impersonating the IRS, SSA, or a trusted document platform.
  2. The phishing site checks the user’s device and filters out unwanted visitors.
  3. Adspect cloaking redirects researchers and scanners away from the real lure page.
  4. The victim sees a fake government or document portal.
  5. The page prompts the victim to download and run a “Security Connector.”
  6. ScreenConnect installs and gives the operator remote access.
  7. Post-exploitation scripts can search for browser history, W-2 files, credentials, and other sensitive data.

Post-Exploitation Tools Target Tax and Browser Data

The Quarry does not stop after remote access. Researchers found post-exploitation PowerShell scripts designed to collect sensitive information after ScreenConnect is installed.

The Quarry PhaaS operation attack chain (Source – SOCRadar)

One script closes Chrome or Edge, because a running Chromium-based browser keeps its SQLite History database locked, then extracts six months of browsing history and sends it through Telegram. Another script searches the user profile for filenames containing “w2,” a sign that attackers want tax documents that carry Social Security numbers, employer details, and income information.

SOCRadar also reported evidence that stolen credentials and access may feed initial access broker activity. That means a successful phishing incident could later create risk from fraud groups, data thieves, or ransomware operators.

Data or access targeted        | Why attackers want it
Browser history                | Shows financial services, business portals, cloud apps, and other high-value targets
W-2 files                      | Can expose Social Security numbers, employer details, and income data
Remote system access           | Allows hands-on intrusion, credential theft, and follow-on attacks
AWS keys and corporate secrets | Can lead to cloud compromise, data theft, or resale to other criminals
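The post-exploitation sequence described above (browser closed, History database read by something other than the browser, data sent to Telegram) is more useful as a detection when the three steps are correlated on one host within a short window than when each is alerted on alone. The following is an added example written for this article, not SOCRadar, Red Canary or VPNCentral code. The event schema ("proc_end", "file_read", "net"), the host names and the sample events are constructed; mapping them onto your EDR or Sysmon telemetry is an assumption to verify locally (Sysmon does not record file reads by default).

```python
"""Sequence detection for the post-exploitation pattern described above: a
browser exits, a non-browser process reads its History database, and the same
host then talks to api.telegram.org, all within a short window.

Added example for this article; not SOCRadar, Red Canary or VPNCentral code.
The event schema and the sample events are constructed. Map "proc_end",
"file_read" and "net" onto your own EDR or Sysmon telemetry (an assumption to
verify locally; Sysmon does not record file reads by default).
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe"}
WINDOW = timedelta(minutes=15)  # assumption: tune to your environment


def parse_ts(ts: str) -> datetime:
    """ISO-8601 with a trailing Z, as most log pipelines emit it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_history_db(path: str) -> bool:
    """True for a Chromium 'History' SQLite file under any profile directory
    (Chrome and Edge both keep it below '...\\User Data\\<profile>\\History')."""
    p = path.lower().replace("/", "\\")
    return "\\user data\\" in p and p.rsplit("\\", 1)[-1] == "history"


def detect(events: list) -> list:
    """Return (host, sequence_start, sequence_end) for every host where the
    three stages occur in order within WINDOW. A browser closing on its own and
    re-reading History itself does not advance the chain, which keeps ordinary
    browser restarts out of the results."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        stage, start = 0, None
        for ev in evs:
            t = parse_ts(ev["ts"])
            if start is not None and t - start > WINDOW:
                stage, start = 0, None  # window expired: start over
            image = ev.get("image", "").lower()
            if stage == 0 and ev["kind"] == "proc_end" and image in BROWSERS:
                stage, start = 1, t
            elif stage == 1 and ev["kind"] == "file_read" \
                    and image not in BROWSERS and is_history_db(ev["path"]):
                stage = 2
            elif stage == 2 and ev["kind"] == "net" \
                    and image not in BROWSERS and ev["dst"] == "api.telegram.org":
                hits.append((host, start.isoformat(), t.isoformat()))
                stage, start = 0, None
    return hits


# Constructed sample telemetry: ws-041 shows the full chain, ws-007 is a user
# restarting Edge, ws-099 shows the chain with the Telegram step too late.
CHROME_HISTORY = r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\History"
EDGE_HISTORY = r"C:\Users\asmith\AppData\Local\Microsoft\Edge\User Data\Default\History"
SAMPLE_EVENTS = [
    {"ts": "2026-03-14T10:05:00Z", "host": "ws-041", "kind": "proc_end", "image": "chrome.exe"},
    {"ts": "2026-03-14T10:05:12Z", "host": "ws-041", "kind": "file_read", "image": "powershell.exe", "path": CHROME_HISTORY},
    {"ts": "2026-03-14T10:06:40Z", "host": "ws-041", "kind": "net", "image": "powershell.exe", "dst": "api.telegram.org"},
    {"ts": "2026-03-14T10:30:00Z", "host": "ws-007", "kind": "proc_end", "image": "msedge.exe"},
    {"ts": "2026-03-14T10:30:05Z", "host": "ws-007", "kind": "file_read", "image": "msedge.exe", "path": EDGE_HISTORY},
    {"ts": "2026-03-14T09:00:00Z", "host": "ws-099", "kind": "proc_end", "image": "chrome.exe"},
    {"ts": "2026-03-14T09:00:30Z", "host": "ws-099", "kind": "file_read", "image": "powershell.exe", "path": CHROME_HISTORY},
    {"ts": "2026-03-14T09:40:00Z", "host": "ws-099", "kind": "net", "image": "powershell.exe", "dst": "api.telegram.org"},
]

if __name__ == "__main__":
    for host, first, last in detect(SAMPLE_EVENTS):
        print(f"{host}: browser closed {first}, Telegram contact {last}")
```

The ordering requirement is what makes this usable: the History read by a non-browser process is the rare event, and requiring the browser exit before it and the Telegram contact after it filters out both normal browser restarts and the occasional backup agent that touches a profile directory.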

Government Impersonation Remains a Key Warning Sign

The real IRS tells users not to reply to suspicious tax-related messages, click links, or open attachments. The agency’s phishing guidance also says suspicious IRS or Treasury emails should be forwarded to phishing@irs.gov.

The Social Security Administration also warns users to watch for fake calls, texts, emails, websites, social media messages, and letters claiming to come from SSA or its Office of the Inspector General.

Any email that claims to be from the IRS or SSA and asks the user to install software should be treated as suspicious. The IRS says it does not initiate contact with taxpayers by email to request personal or financial information, and the SSA scam page warns that criminals impersonate government agencies to steal personal information or money.

Security Teams Should Watch for Unauthorized RMM Tools

Organizations should maintain an approved list of remote access tools and alert on any ScreenConnect installation that does not point at the organization’s own instance. The Quarry affiliates run self-hosted ScreenConnect panels, so the presence of a ScreenConnect client is not the signal by itself; the relay server it reports to is. That matters because RMM abuse looks like normal IT activity unless endpoint and network monitoring know which remote support products, and which instances of them, are allowed.

The Red Canary threat report recommends monitoring RMM activity because attackers can use these tools to access the desktop interface, command line, and files on a compromised system.

Adspect cloaking decision flow showing real victims versus bots (Source – SOCRadar)

Security teams should also watch for Telegram API traffic from endpoints that do not normally use Telegram. In The Quarry campaigns, Telegram carries victim notifications and data exfiltration, so unusual HTTPS POST traffic to api.telegram.org can help identify active compromise. Because that traffic is TLS, proxies and firewalls see the destination hostname (from the SNI or the proxy CONNECT request) rather than the bot token or API method unless they inspect content, so alert on the destination and the volume sent rather than on the URL path.

  • Block or alert on unauthorized ScreenConnect, Datto, Tiflux, FleetDeck, and other remote access tools.
  • Investigate ScreenConnect installations that follow email clicks, browser downloads, or script execution.
  • Monitor Telegram API traffic from managed endpoints.
  • Restrict VBScript execution from user-writable directories.
  • Train employees to distrust IRS or SSA emails that request downloads or attachments.
  • Review DNS and proxy logs for fiscal, tax, SSA, portal, archive, guidance, and document-viewer domain patterns.
  • Search endpoints for recent ScreenConnect MSI installs tied to unknown servers.
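Three of the checks above (ScreenConnect clients pointed at relays you do not operate, Telegram API traffic from managed endpoints, and lure-style hostnames in DNS logs) can be run as allow-list and pattern rules over ordinary log exports. The following is an added example written for this article, not SOCRadar, Red Canary or VPNCentral code. The tab-separated log format, host names, relay names and allow-lists are constructed; reading the relay from the h= parameter of the ScreenConnect client’s launch string is an assumption about the client’s command line that should be confirmed against an install you control. The lure vocabulary is the one listed in this article and in the indicators section below.

```python
"""Allow-list and pattern checks for the hunting items listed above: ScreenConnect
clients pointed at relays you do not operate, Telegram API traffic from managed
endpoints, and lure-style hostnames in DNS logs.

Added example for this article; not SOCRadar, Red Canary or VPNCentral code.
The tab-separated log format, host names, relay names and allow-lists are
constructed. The relay is read from the h= parameter of the ScreenConnect
client's launch string, which is an assumption about the client's command
line to confirm against an install you control.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

APPROVED_RELAYS = {"support.example-corp.com"}   # assumption: your own IT instance
TELEGRAM_ALLOWED_HOSTS = set()                   # assumption: nobody needs Telegram

# Lure vocabulary from the article. Strong terms are specific enough to flag
# on their own (matched as whole labels or hyphen-separated tokens, so
# "irs" does not fire on "firstbank"); weak terms are substrings and need two
# or more hits, so portal.example.com or taxact.com stay quiet.
STRONG_TERMS = ("ssa", "socialsecurity", "irs", "docviewer", "docu-sign", "w2")
WEAK_TERMS = ("tax", "fiscal", "estate", "inherit", "trust", "portal", "archive",
              "guidance", "sync", "verify", "federal")
LURE_THRESHOLD = 2


def lure_score(hostname: str):
    """Score a hostname against the lure vocabulary; returns (score, matched terms)."""
    labels = hostname.lower().rstrip(".").split(".")[:-1]   # drop the TLD (crude; no PSL)
    tokens = set(labels) | {t for lab in labels for t in lab.split("-")}
    matched = [t for t in STRONG_TERMS if t in tokens]
    score = 2 * len(matched)
    for term in WEAK_TERMS:
        if any(term in lab for lab in labels):
            matched.append(term)
            score += 1
    return score, matched


def screenconnect_relay(cmdline: str) -> Optional[str]:
    """Extract the relay host (h=) from a ScreenConnect client launch string."""
    m = re.search(r'"\?([^"]+)"', cmdline)
    if not m:
        return None
    return parse_qs(m.group(1)).get("h", [None])[0]


def analyze(lines):
    """Walk 'ts<TAB>host<TAB>kind<TAB>detail' records and return (host, finding, detail)."""
    findings = []
    for line in lines:
        _ts, host, kind, detail = line.rstrip("\n").split("\t", 3)
        if kind == "dns":
            score, terms = lure_score(detail)
            if score >= LURE_THRESHOLD:
                findings.append((host, "lure_domain", f"{detail} [{', '.join(terms)}]"))
        elif kind == "http":
            method, url = detail.split(" ", 1)
            u = urlsplit(url)
            if u.hostname == "api.telegram.org" and host not in TELEGRAM_ALLOWED_HOSTS:
                path = re.sub(r"/bot[^/]+", "/bot<redacted>", u.path)  # keep the bot token out of tickets
                findings.append((host, "telegram_api", f"{method} {u.hostname}{path}"))
        elif kind == "proc" and "screenconnect.client" in detail.lower():
            relay = screenconnect_relay(detail)
            if relay not in APPROVED_RELAYS:
                findings.append((host, "unapproved_screenconnect", relay or "relay not parsed"))
    return findings


# Constructed sample records: ws-041 is a victim, ws-007 uses the approved instance.
SC_CLIENT = r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe"'
ROGUE_LAUNCH = SC_CLIENT + ' "?e=Access&y=Guest&h=sc.example-lure.net&p=8041&s=0000-0000&k=BgIAAACk"'
APPROVED_LAUNCH = SC_CLIENT + ' "?e=Access&y=Guest&h=support.example-corp.com&p=443&s=1111-1111&k=BgIAAACk"'
SAMPLE_LOG = [
    "\t".join(["2026-03-14T10:02:11Z", "ws-041", "dns", "hub.ssa-guidance.com"]),
    "\t".join(["2026-03-14T10:02:13Z", "ws-041", "dns", "portal.example.com"]),
    "\t".join(["2026-03-14T10:04:50Z", "ws-041", "proc", ROGUE_LAUNCH]),
    "\t".join(["2026-03-14T10:09:30Z", "ws-041", "http",
               "POST https://api.telegram.org/bot123456:AAExampleToken/sendDocument"]),
    "\t".join(["2026-03-14T11:00:00Z", "ws-007", "proc", APPROVED_LAUNCH]),
    "\t".join(["2026-03-14T11:05:00Z", "ws-007", "dns", "taxact.com"]),
]

if __name__ == "__main__":
    for host, finding, detail in analyze(SAMPLE_LOG):
        print(f"{host}\t{finding}\t{detail}")
```

Treat the lure scoring as a hunting aid rather than a blocking rule: the vocabulary is deliberately broad and will surface legitimate tax and document services alongside lure domains, which is acceptable for review queues but not for automatic blocking. The ScreenConnect check is the one that should page someone, because a client reporting to a relay outside your allow-list has no benign explanation on a managed endpoint.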

Indicators Linked to The Quarry Campaigns

The Quarry infrastructure uses domains that combine tax, SSA, estate, trust, inherit, portal, archive, guidance, sync, and document-verification themes. These domains should be handled carefully in defensive tools and threat intelligence systems.

Type   | Indicator                           | Description
Domain | estatetaxarchives[.]com             | Tax-themed phishing infrastructure
Domain | hub.ssa-guidance[.]com              | SSA-themed phishing infrastructure
Domain | inherittaxpapers[.]site             | Tax document lure domain
Domain | verify.federal-docviewer[.]com      | Fake federal document service domain
Domain | apps.docu-sign[.]net                | DocuSign impersonation domain
Domain | secure.login-socialsecurity[.]com   | SSA login impersonation domain
MD5    | 8974830446d35e234881696092aded87    | Malicious payload sample
MD5    | ef970697c5094c443f0456774cfee9bc    | Malicious payload sample

Defenders should avoid relying only on static indicators. Domains and hashes can change quickly, while the broader behavior remains consistent: government-themed phishing, cloaked traffic, a fake download prompt, unauthorized RMM installation, and Telegram-based reporting.

Malwarebytes Labs warned that ScreenConnect can become dangerous when criminals persuade users to install it. The Quarry shows how that tactic can scale when a developer packages phishing, delivery, access, and post-exploitation into one service.

The campaign gives organizations a clear lesson: do not treat trusted remote access tools as automatically safe. A legitimate tool installed by the wrong person can become the attacker’s remote control channel.

FAQ

What is The Quarry phishing operation?

The Quarry is a phishing-as-a-service and malware-as-a-service ecosystem that helps operators impersonate the IRS, SSA, DocuSign, Adobe, Microsoft, and other trusted brands. It uses phishing pages, cloaking, remote access tooling, Telegram bots, and post-exploitation scripts.

Why does The Quarry use ScreenConnect?

The Quarry uses ScreenConnect because it is a legitimate remote monitoring and management tool. Once installed, it can give attackers remote control while blending in more easily than traditional malware in some environments.

Who does The Quarry campaign mainly target?

The campaign mainly targets users in the United States through IRS, SSA, tax, W-2, refund, and document-sharing lures. SOCRadar said more than 90% of observed victims were in the United States.

How can organizations detect The Quarry activity?

Organizations should watch for unauthorized ScreenConnect installations, suspicious Telegram API traffic, tax-themed phishing domains, unexpected VBS execution, and endpoints that download RMM tools after users click email links.

Do the IRS or SSA send software downloads by email?

Users should treat any IRS or SSA-themed email requesting a software download as suspicious. The IRS tells users not to click links or open attachments in suspicious tax-related emails, and the SSA warns that criminals impersonate government agencies through fake emails, websites, texts, calls, and messages.
