Find notable cyber news and cases, enriched with sources, timelines, and signals.

The Quarry PaaS ecosystem and RockyBelling's promotion of MaDoO Blaster

Threat Actor Meta
First reported
Last updated
Happening score
H score 14
1 unique sources, 1 articles

Summary

Hide ▲

The Quarry was tied to MaDoO Blaster, showing a phishing-as-a-service ecosystem that packages AiTM tooling for sale. The operation was run by RockyBelling, who promoted the tool to his customers. The setup reflects a low-barrier criminal market where components are sold on Telegram and functional phishing infrastructure can be assembled quickly.

Related Happenings

ClickFix multi-loader delivery campaign targeting Windows and macOS users

Campaign
H score34 First: 16.06.2026 20:41 Last: 16.06.2026 20:41 Sources 1

About this happening: The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...

Multi-stage phishing campaign targeting users in Russia with Amnesia RAT and ransomware

Campaign
H score34 First: 24.01.2026 13:09 Last: 24.01.2026 13:09 Sources 1

About this happening: A **multi-stage phishing campaign** is targeting **users in Russia**, delivering **Amnesia RAT** and **ransomware** that enable **credential theft**, **remote control**, and destr...

Microsoft 365 OAuth device code phishing campaign

Campaign
H score32 First: 19.12.2025 19:19 Last: 19.12.2025 19:19 Sources 1

How related: Of the three, saroula01's operation was the largest. Lexfo reconstructed a deleted configuration file from git history, and internal bot timestamps dated the campaign to June 2025, meaning it had run for more than a year without apparent interruption.

About this happening: **Microsoft 365 device-code phishing** activity in **June 2025 into July 2026** used the legitimate **Microsoft device login** flow and **Evilginx-based** tooling to capture token...

Latest development: 13.07.2026 18:30

Lexfo reconstructed a deleted configuration file and internal bot timestamps showing saroula01's OAuth Device Code Flow framework had been active since June 2025, with 218 confirmed victims across 12 countries and captured tokens refreshed up to 25 times to preserve access.

Timeline

  1. 13.07.2026 18:30 2 articles · 8h ago

    The Quarry PaaS ecosystem and RockyBelling's promotion of MaDoO Blaster

    Initial Disclosure

    **The Quarry** was linked to **MaDoO Blaster** as a **phishing-as-a-service** offering run by **RockyBelling**. The ecosystem showed how customer-facing promotion and low-cost tooling make **AiTM phishing** easier to commercialize.

    Show sources