The Quarry PhaaS: IRS Lures, ConnectWise RAT, 500+ Victims

CybersecurityNews and SOCRadar exposed The Quarry, a PhaaS platform active since April 2026 that runs IRS and SSA impersonation campaigns delivering ConnectWise ScreenConnect, a legitimate remote access client that endpoint security tools do not flag, giving operators persistent remote sessions used for credential theft and banking session hijacking.

    CybersecurityNews and SOCRadar published the first public documentation of “The Quarry” on June 16, 2026 — a Phishing-as-a-Service platform active since at least April 2026 that has been used in campaigns against more than 500 confirmed victims. The platform provides subscribers with IRS, Social Security Administration, and DocuSign impersonation infrastructure that delivers ConnectWise ScreenConnect as its payload, giving operators a persistent remote desktop session to victims’ machines for credential theft, banking session hijacking, and lateral movement into corporate networks.

    How The Quarry Installs ConnectWise ScreenConnect After an IRS Phishing Lure

    The attack chain begins with a phishing email impersonating the IRS, SSA, or DocuSign. The email warns the recipient of a tax filing issue, a benefit requiring action, or an urgent document requiring signature — lures designed to prompt immediate clicking. The victim is directed to a phishing page managed through The Quarry’s infrastructure, where they are prompted to download what appears to be a required form or document signature client. The downloaded payload is a customized ConnectWise ScreenConnect remote access client.

    Once the victim runs the installer, the threat actor gains a persistent remote desktop session to the victim’s machine. Post-compromise activity observed by researchers includes credential theft, banking session hijacking, and — in enterprise victim cases — lateral movement into corporate networks.

    ConnectWise ScreenConnect: A Legitimate Remote Access Tool That Bypasses Security Controls

    ConnectWise ScreenConnect is a legitimate enterprise remote support tool used by IT departments globally. Antivirus software, endpoint detection and response platforms, and enterprise security tools that maintain allowlists for legitimate remote access tools will not flag ConnectWise ScreenConnect as malware — it is not malware. When The Quarry’s subscribers install it on a victim’s device through a phishing chain, the victim’s computer becomes a managed endpoint in the attacker’s remote access fleet.

    Security tools that would detect and block traditional remote access trojans have no mechanism to distinguish a ConnectWise ScreenConnect installation authorized by an IT department from one installed by a threat actor through a phishing chain.

    Subscription Model With Tiered Access and a Real-Time Victim Dashboard

    The Quarry operates with a subscription model offering tiered access. Basic subscribers receive pre-built lure templates and hosted phishing pages. Premium subscribers receive dedicated subdomains with valid TLS certificates, custom lure branding, and a real-time victim dashboard showing which targets have clicked and installed the ScreenConnect payload.

    Researchers found The Quarry’s administration panel exposed due to a misconfiguration, which is how the 500+ victim count and subscriber activity logs were discovered and confirmed. The platform has been operational since at least April 2026 — fewer than three months of operation before CybersecurityNews and SOCRadar’s first public disclosure.

    Why IRS and SSA Lures Are Particularly Effective in June

    The Quarry’s IRS and SSA impersonation lures are designed to reach US individuals interacting with federal tax and benefits systems. The June filing-deadline period creates elevated baseline anxiety around tax compliance, making lures that warn of filing issues or required document actions more likely to prompt immediate clicks without scrutiny.

    The platform’s use of ConnectWise ScreenConnect as the payload — rather than a traditional RAT or credential stealer — means the post-compromise tooling is a legitimate application that victims may have seen used by genuine IT support in the past, further reducing suspicion after installation.

    Over 500 Confirmed Victims Since April 2026

    Researchers confirmed more than 500 victims in the course of reviewing The Quarry’s exposed administration panel. The victim pool reflects the IRS and SSA lure targeting, which is specifically designed to reach US taxpayers and benefits recipients.

    US residents who received IRS or SSA impersonation emails since April 2026 and clicked on document links should check their devices for ConnectWise ScreenConnect installations and verify with the IRS whether any unauthorized tax returns have been filed in their name.
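    The article notes that security tools cannot tell an IT-authorized ScreenConnect install from one delivered by a phishing chain, and advises victims to check their devices for ScreenConnect installations. The binary alone does not distinguish the two, but the relay host the client was built to connect to does, and it is visible in the client service's command line. The following script is an added example written for this page; it is not the researchers' code and not ConnectWise tooling. It assumes the client service command line has the commonly documented layout (`ScreenConnect.ClientService.exe` followed by a quoted query string in which `h=` is the relay host, `p=` the port and `s=` the session GUID); verify that against a known-good install before relying on it. The service entries, hostnames and GUIDs below are constructed sample data, and `APPROVED_RELAY_HOSTS` stands in for an organization's own list of sanctioned ScreenConnect instances.

```python
"""Audit installed ConnectWise ScreenConnect client services against an
allowlist of approved relay hosts.

Added example (not from the article or from ConnectWise). Assumed command-line
layout: "<path>\\ScreenConnect.ClientService.exe" "?e=...&h=<relay>&p=<port>&s=<guid>&k=..."
On a live Windows host the (Name, PathName) pairs can be gathered with:
  Get-CimInstance Win32_Service | Where-Object Name -like 'ScreenConnect Client*' |
      Select-Object Name, PathName
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed allowlist: relay hosts belonging to the organization's own
# ScreenConnect instance(s). Anything else is an unsanctioned install.
APPROVED_RELAY_HOSTS = {"helpdesk-relay.corp.example"}

# Constructed sample service table (name, command line), including one
# sanctioned install, one install pointing at an unknown relay, and an
# unrelated Windows service as noise.
SAMPLE_SERVICES = [
    ("ScreenConnect Client (a1b2c3d4e5f6a7b8)",
     r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6a7b8)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=helpdesk-relay.corp.example&p=8041'
     r'&s=11111111-2222-3333-4444-555555555555&k=BgIAAAAk"'),
    ("ScreenConnect Client (0f0e0d0c0b0a0908)",
     r'"C:\Program Files (x86)\ScreenConnect Client (0f0e0d0c0b0a0908)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=instance-zz9zz9-relay.screenconnect.example&p=443'
     r'&s=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&k=BgIAAAAk"'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

_CLIENT_EXE = re.compile(r"ScreenConnect\.ClientService\.exe", re.IGNORECASE)
# The query string is the quoted argument that begins with "?" (the path
# argument begins with a drive letter, so it does not match).
_QUERY = re.compile(r'"\?([^"]*)"')


@dataclass
class ScreenConnectService:
    service_name: str
    relay_host: str
    port: str
    session_id: str
    authorized: bool


def parse_service(name, path_name, approved=APPROVED_RELAY_HOSTS):
    """Return a ScreenConnectService if this service is a ScreenConnect client, else None."""
    if not _CLIENT_EXE.search(path_name):
        return None
    m = _QUERY.search(path_name)
    params = parse_qs(m.group(1)) if m else {}
    host = params.get("h", [""])[0].lower()
    return ScreenConnectService(
        service_name=name,
        relay_host=host,
        port=params.get("p", [""])[0],
        session_id=params.get("s", [""])[0],
        # A missing or unknown relay host is treated as unauthorized.
        authorized=bool(host) and host in approved,
    )


def audit(services, approved=APPROVED_RELAY_HOSTS):
    """Return every ScreenConnect client service found, in input order."""
    found = []
    for name, path_name in services:
        svc = parse_service(name, path_name, approved)
        if svc is not None:
            found.append(svc)
    return found


def unauthorized_installs(services, approved=APPROVED_RELAY_HOSTS):
    """Return only the installs whose relay host is not on the allowlist."""
    return [svc for svc in audit(services, approved) if not svc.authorized]


if __name__ == "__main__":
    for svc in audit(SAMPLE_SERVICES):
        status = "OK " if svc.authorized else "ALERT"
        print(f"{status} {svc.service_name}: relay={svc.relay_host} port={svc.port} session={svc.session_id}")
```

Feeding the script real service data turns the article's "check your device" advice into a repeatable control: an allowlist keyed on the relay host rather than on the binary catches a phishing-delivered client even though the executable is the same product an IT department would install. The same relay host is also a useful pivot for network detection, since every compromised endpoint in a given Quarry subscriber's fleet will call back to the same instance.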
