The Quarry PaaS ecosystem and RockyBelling's promotion of MaDoO Blaster
Threat Actor Meta
Summary
Hide ▲
Show ▼
The Quarry was tied to MaDoO Blaster, showing a phishing-as-a-service ecosystem that packages AiTM tooling for sale. The operation was run by RockyBelling, who promoted the tool to his customers. The setup reflects a low-barrier criminal market where components are sold on Telegram and functional phishing infrastructure can be assembled quickly.
Related Happenings
ClickFix multi-loader delivery campaign targeting Windows and macOS users
Campaign
H score34
First: 16.06.2026 20:41
Last: 16.06.2026 20:41
Sources 1
About this happening:
The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...
ClickFix multi-loader delivery campaign targeting Windows and macOS users
CampaignAbout this happening: The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...
Multi-stage phishing campaign targeting users in Russia with Amnesia RAT and ransomware
Campaign
H score34
First: 24.01.2026 13:09
Last: 24.01.2026 13:09
Sources 1
About this happening:
A **multi-stage phishing campaign** is targeting **users in Russia**, delivering **Amnesia RAT** and **ransomware** that enable **credential theft**, **remote control**, and destr...
Multi-stage phishing campaign targeting users in Russia with Amnesia RAT and ransomware
CampaignAbout this happening: A **multi-stage phishing campaign** is targeting **users in Russia**, delivering **Amnesia RAT** and **ransomware** that enable **credential theft**, **remote control**, and destr...
Microsoft 365 OAuth device code phishing campaign
Campaign
H score32
First: 19.12.2025 19:19
Last: 19.12.2025 19:19
Sources 1
How related:
Of the three, saroula01's operation was the largest. Lexfo reconstructed a deleted configuration file from git history, and internal bot timestamps dated the campaign to June 2025, meaning it had run for more than a year without apparent interruption.
About this happening:
**Microsoft 365 device-code phishing** activity in **June 2025 into July 2026** used the legitimate **Microsoft device login** flow and **Evilginx-based** tooling to capture token...
Microsoft 365 OAuth device code phishing campaign
CampaignHow related: Of the three, saroula01's operation was the largest. Lexfo reconstructed a deleted configuration file from git history, and internal bot timestamps dated the campaign to June 2025, meaning it had run for more than a year without apparent interruption.
About this happening: **Microsoft 365 device-code phishing** activity in **June 2025 into July 2026** used the legitimate **Microsoft device login** flow and **Evilginx-based** tooling to capture token...
Latest development: 13.07.2026 18:30
Lexfo reconstructed a deleted configuration file and internal bot timestamps showing saroula01's OAuth Device Code Flow framework had been active since June 2025, with 218 confirmed victims across 12 countries and captured tokens refreshed up to 25 times to preserve access.
Timeline
-
13.07.2026 18:30 2 articles · 8h ago
The Quarry PaaS ecosystem and RockyBelling's promotion of MaDoO Blaster
Initial Disclosure**The Quarry** was linked to **MaDoO Blaster** as a **phishing-as-a-service** offering run by **RockyBelling**. The ecosystem showed how customer-facing promotion and low-cost tooling make **AiTM phishing** easier to commercialize.
Show sources
- Open Directory Exposes Three Evilginx Phishing Operators — www.infosecurity-magazine.com — 13.07.2026 18:30
- Open Directory Exposes Three Evilginx Phishing Operators — www.infosecurity-magazine.com — 13.07.2026 18:30