Rocke (G0106): Evolution of a Persistent Cryptojacking Adversary
- Suspected Origin
- China
- Motivation
- Financial Gain
- Aliases
- None documented
- Target Sectors
- N/A
- Associated Malware
- LSD, Pro-Ocean, Xbash, Godlua, Kerberods, XMRig, libprocesshider, TermsHost.exe, kworkerds
Overview
Rocke (MITRE ATT&CK ID G0106) is a financially motivated cybercrime group widely associated with cryptojacking operations, primarily targeting Linux-based systems and cloud environments to illicitly mine Monero cryptocurrency. First observed in April 2018 by Cisco Talos researchers, the group is considered an alleged Chinese-speaking adversary. While strong overlaps have been noted with the “Iron Cybercrime Group” (also known as Aged Libra, SystemTen, Kerberods/Khugepageds, and ex-Rocke), official attribution has not been definitively confirmed by all researchers. The group’s name originates from the email address “[email protected],” which was used to register the cryptocurrency wallet holding their ill-gotten gains.
Rocke’s operational tempo has remained consistently high since its emergence, demonstrating a remarkable capacity for evolving its tactics, techniques, and procedures (TTPs) to evade detection and maintain persistence. Their core objective is resource hijacking, turning compromised systems into cryptocurrency mining farms. Although the group has also been linked to ransomware operations involving the Xbash malware, their primary and consistent focus appears to be cryptojacking, often deploying destructive ransomware payloads that delete data without recovery, suggesting that the initial ransomware component might sometimes be a diversion or a means to remove competition, rather than a primary revenue stream. Their activities degrade system performance, increase energy consumption, and introduce significant security blind spots within affected environments.
Tactics & Techniques
Rocke employs a diverse and evolving set of TTPs to achieve and maintain control over target systems, primarily focusing on public-facing applications and Linux infrastructure.
Initial Access: The group primarily gains initial access by exploiting known vulnerabilities in popular public-facing applications. Historically, these have included Apache Struts, Oracle WebLogic (notably CVE-2017-10271), Adobe ColdFusion (CVE-2017-3066), and later expanded to include Confluence (CVE-2019-3396), Apache ActiveMQ (CVE-2016-3088), Jenkins, and unsecure Redis instances. Spear phishing has also been identified as a potential initial access vector.
Execution: Upon gaining access, Rocke actors typically download and execute shell scripts, Python-based malware, or Golang scripts. They frequently use standard Linux utilities like curl and wget to fetch additional payloads from their command and control (C2) servers.
Persistence: To ensure their cryptominers run continuously, Rocke establishes persistence through various methods. This includes creating cron jobs, installing init.d startup scripts, deploying systemd service scripts, and modifying .bashrc files. They also create services configured to execute on system startup.
Defense Evasion: Rocke is particularly adept at evading detection. Their malware has been observed killing other cryptocurrency mining processes and adding iptables rules to block competing miners, effectively monopolizing system resources. They also actively detect and uninstall agent-based cloud security products, specifically targeting monitors from Alibaba Cloud and Tencent Cloud, demonstrating a focus on cloud workload protection evasion. Further evasion tactics include using the libprocesshider tool with the LD_PRELOAD trick to hide malicious processes from the ps command, clearing log files from /var/log/, modifying file timestamps, and even injecting their miner, “TermsHost.exe,” into legitimate Windows processes like Notepad.exe. The group also modifies UPX headers of packed files to hinder reverse engineering efforts.
Lateral Movement: Rocke aims to spread its cryptomining operations across networks. They achieve this by looking for and leveraging SSH private keys found in known_hosts files to propagate their coinminer. Additionally, they conduct brute-force attacks against SSH, Redis, and Jenkins services using weak credentials. Network scanning for exposed services like TCP port 7001 (Oracle WebLogic), SSH, and Redis is also a common practice.
Command and Control (C2): Initially, Rocke relied on publicly available platforms such as Pastebin, Gitee, and GitLab to host their initial payloads and C2 infrastructure. However, demonstrating increased sophistication, they transitioned to self-hosted solutions, leveraging domains like lsd.systemten[.]org and update.systemten[.]org. More recently, they’ve adopted DNS text records (accessed via normal DNS queries or DNS-over-HTTPs) for C2 communication, making their infrastructure more resilient to takedowns and harder to detect.
Resource Hijacking: The ultimate goal is Monero cryptojacking. Rocke’s miners create configuration files (e.g., config.json) and execute binaries such as kworkerds or TermsHost.exe. They use the nohup command to run these miners in the background, consuming significant CPU resources. The malware will actively kill any process that uses the CPU heavily to ensure it can utilize 100% of the CPU for efficient Monero mining.
Notable Campaigns
Rocke’s activity first gained significant attention in April 2018 when Cisco Talos reported on campaigns leveraging Git repositories and Apache Struts vulnerabilities for cryptomining. Throughout 2018 and 2019, Rocke engaged in multiple large-scale malicious crypto-mining operations, consistently updating their malware and C2 infrastructure.
Palo Alto Networks’ Unit 42 has extensively tracked Rocke, detailing their cloud-targeted cryptojacking campaigns and their evolution, including the group’s efforts to evade cloud security products. In 2019, Rocke was observed competing with another cryptojacking group, Pacha Group, for control over Linux-based servers in cloud environments, highlighting the competitive nature of illicit resource hijacking. This period also saw Rocke changing its C2 infrastructure from public hosting sites to self-hosted and DNS-based solutions, marking a significant advancement in their operational security.
Associated Malware & Tools
Rocke utilizes a varied and continuously updated toolkit for its operations. Key malware and tools associated with the group include:
- LSD: An evolving malware loader and miner that has incorporated new exploitation capabilities, such as targeting ActiveMQ vulnerabilities.
- Pro-Ocean: A revised and improved version of their cloud-targeted cryptojacking malware, identified in 2021. Pro-Ocean features enhanced rootkit and worm capabilities, making it more evasive and capable of lateral movement through SSH keys and weak passwords.
- Xbash: A Linux-focused ransomware and data destruction tool, sometimes linked to Rocke, although primarily associated with the Iron Cybercrime Group. Xbash demonstrated destructive capabilities akin to NotPetya but often lacked actual data recovery functionality.
- Godlua: A backdoor written in Golang, identified in later stages of Rocke’s evolution.
- Kerberods/Khugepageds: Names given to some of their miner payloads.
- XMRig: A common open-source Monero miner that Rocke deploys on compromised systems.
- libprocesshider: An open-source tool used to hide malicious processes on Linux systems.
- TermsHost.exe & kworkerds: Specific miner binaries identified in different campaigns, often UPX-packed.
- Shell scripts, Python scripts, Golang executables, JavaScript backdoors, ELF and PE miners: A variety of scripts and binaries developed by the group for different stages of their attack chain.
Current Status
Rocke has demonstrated consistent activity and continuous evolution since its initial detection in 2018. Reports from 2019 and 2021 indicate ongoing development of their malware, such as the introduction of the more sophisticated Pro-Ocean with improved rootkit and worm capabilities, and changes to their C2 infrastructure to enhance resilience and stealth. The MITRE ATT&CK entry for Rocke (G0106) was last modified in April 2025, suggesting that the group’s TTPs remain relevant for tracking and defense.
Given their sustained activity, continuous adaptation of tools and techniques to bypass security measures, and persistent focus on financially motivated cryptojacking, Rocke remains an active and evolving threat, particularly for organizations with vulnerable public-facing applications and cloud-based Linux infrastructure.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call