SOCRadar Uncovers Large-Scale “RockyBelling” MaaS and PhaaS Operation

The SOCRadar Threat Research team has uncovered an active Malware-as-a-Service (MaaS) and Phishing-as-a-Service (PhaaS) operation, running since at least 2025, built by the developer “RockyBelling,” who supplies phishing kits, cloaking services, remote management tooling, and supporting infrastructure to nearly 200 operators conducting independent campaigns.
The report “The Quarry: Tracing a Cybercriminal Operation” analyzes the complete attack chain: bulk email distribution, tax-themed phishing campaigns impersonating government agencies and major software providers, traffic cloaking through Adspect, deployment of remote monitoring and management (RMM) tools, Telegram-based victim monitoring, and post-compromise activity. It also examines infrastructure patterns, attribution findings, victimology, and the operational techniques used to evade detection while scaling attacks across multiple regions and sectors.
Key Highlights:
- Detailed analysis of a large-scale MaaS and PhaaS ecosystem operating since at least 2025
- Attribution of the operation’s developer, infrastructure, and affiliate network
- Breakdown of the complete attack lifecycle from phishing to post-exploitation
- Examination of cloaking, traffic filtering, and anti-analysis techniques
- Analysis of phishing lures impersonating government agencies and major brands
- Insights into Telegram-based operations, infrastructure management, and affiliate activity
- Victimology, geographic targeting, sector distribution, and observed TTPs
- Indicators of Compromise (IoCs) and defensive recommendations for security teams
Have a look at the report “The Quarry: Tracing a Cybercriminal Operation.”
This entry was posted on June 15, 2026 at 3:44 pm and is filed under Commentary with tags SOCRadar.