Home/ Threat Actors/ Rocke

🌐Rocke

🌐 Rocke is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 36 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0106) ↗

14Use cases

0Articles

36Techniques

0IOCs

About this actor (MITRE)

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)

Known aliases

Rocke

Top techniques

T1014 · Rootkit T1018 · Remote System Discovery T1021.004 · SSH

All other tracked techniques

T1027 · Obfuscated Files or Information T1027.002 · Software Packing T1027.004 · Compile After Delivery T1036.005 · Match Legitimate Resource Name or Location T1037 · Boot or Logon Initialization Scripts T1046 · Network Service Discovery T1053.003 · Cron T1055.002 · Portable Executable Injection T1057 · Process Discovery T1059.004 · Unix Shell T1059.006 · Python T1070.004 · File Deletion T1070.006 · Timestomp T1071 · Application Layer Protocol T1071.001 · Web Protocols T1082 · System Information Discovery T1102 · Web Service T1102.001 · Dead Drop Resolver T1105 · Ingress Tool Transfer T1140 · Deobfuscate/Decode Files or Information T1190 · Exploit Public-Facing Application T1222.002 · Linux and Mac Permissions T1496.001 · Compute Hijacking T1518.001 · Security Software Discovery T1543.002 · Systemd Service T1547.001 · Registry Run Keys / Startup Folder T1552.004 · Private Keys T1564.001 · Hidden Files and Directories T1571 · Non-Standard Port T1574.006 · Dynamic Linker Hijacking T1685 · Disable or Modify Tools T1685.006 · Clear Linux or Mac System Logs T1686 · Disable or Modify System Firewall

Detection use cases (14)

Rocke (Iron) — Linux cloud-agent uninstall preceding XMRig/Kinsing miner launch AI · profile SΣ Rocke — Linux web-app exploit (Struts/WebLogic/ColdFusion) spawning shell that pulls dropper from Pastebin/Gitee with cron persistence AI · profile S Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain MITRE match