{
	"id": "90d99123-81b8-4f6c-a6ad-1813fa38adef",
	"created_at": "2026-04-06T00:15:39.017497Z",
	"updated_at": "2026-04-10T03:34:57.697452Z",
	"deleted_at": null,
	"sha1_hash": "4928fa0de00872d0114965c35883fc447edbbb74",
	"title": "Rocke, Iron Group - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62395,
	"plain_text": "Rocke, Iron Group - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 18:12:47 UTC\r\n Other threat group: Rocke, Iron Group\r\nNames\r\nRocke (Talos)\r\nIron Group (Intezer)\r\nAged Libra (Palo Alto)\r\nG0106 (MITRE)\r\nCountry China\r\nMotivation Financial gain\r\nFirst seen 2018\r\nDescription\r\n(Talos) This threat actor initially came to our attention in April 2018, leveraging both\r\nWestern and Chinese Git repositories to deliver malware to honeypot systems\r\nvulnerable to an Apache Struts vulnerability.\r\nIn late July, we became aware that the same actor was engaged in another similar\r\ncampaign. Through our investigation into this new campaign, we were able to\r\nuncover more details about the actor.\r\nObserved\r\nTools used Godlua, Kerberods, LSD, Pro-Ocean, Xbash and several 0-day vulnerabilities.\r\nOperations performed\r\nApr 2018\r\nThis threat actor initially came to our attention in April 2018,\r\nleveraging both Western and Chinese Git repositories to deliver\r\nmalware to honeypot systems vulnerable to an Apache Struts\r\nvulnerability.\r\n\u003chttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\u003e\r\nDec 2018 By analyzing NetFlow data from December 2018 to June 16, 2019,\r\nwe found that 28.1% of the cloud environments we surveyed had\r\nat least one fully established network connection with at least one\r\nknown Rocke command-and-control (C2) domain. Several of\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=bacc587d-719b-4555-bc37-db7a9455dc6a\r\nPage 1 of 3\n\nthose organizations maintained near daily connections.\nMeanwhile, 20% of the organizations maintained hourly heartbeats\nconsistent with Rocke tactics, techniques, and procedures (TTPs).\nJan 2019\nPalo Alto Networks Unit 42 recently captured and investigated\nnew samples of the Linux coin mining malware used by the Rocke\ngroup. The family was suspected to be developed by the Iron\ncybercrime group and it’s also associated with the Xbash malware\nwe reported on in September of 2018. The threat actor Rocke was\noriginally revealed by Talos in August of 2018 and many\nremarkable behaviors were disclosed in their blog post. The\nsamples described in this report were collected in October of 2018,\nand since that time the command and control servers they use have\nbeen shut down.\nMay 2019\nPacha Group Competing against Rocke Group for Cryptocurrency\nMining Foothold on the Cloud\nMay 2019\nOver the past month we have seen new features constantly being\nadded to the malware. For instance, in their latest major update,\nthey have added a function that exploits systems running the\nsoftware development automation server Jenkins to increase their\nchance of infecting more systems, thereby generating more profits.\nIn addition, they have also evolved their malware by adding new\nattack stages, as well as new redundancies in its multi-component\nexecution to make it more dynamic and flexible.\nSummer 2019\nRocke, a China-based cryptomining threat actor, has changed its\nCommand and Control (C2) infrastructure away from Pastebin to a\nself-hosted solution during the summer of 2019.\nJan 2021\nPro-Ocean: Rocke Group’s New Cryptojacking Malware\nApr 2021\nRocke Group Actively Targeting the Cloud: Wants Your SSH Keys\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bacc587d-719b-4555-bc37-db7a9455dc6a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bacc587d-719b-4555-bc37-db7a9455dc6a"
	],
	"report_names": [
		"showcard.cgi?u=bacc587d-719b-4555-bc37-db7a9455dc6a"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b9d2809-47b7-46a8-ab2d-9687537f1bc7",
			"created_at": "2023-01-06T13:46:38.804869Z",
			"updated_at": "2026-04-10T02:00:03.107112Z",
			"deleted_at": null,
			"main_name": "Iron Group",
			"aliases": [
				"Iron Cyber Group"
			],
			"source_name": "MISPGALAXY:Iron Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18bcbaa6-8e7b-43c4-9db7-8b0b315ee5a3",
			"created_at": "2023-01-06T13:46:39.024086Z",
			"updated_at": "2026-04-10T02:00:03.184974Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Pacha Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "484c5fed-029e-4504-b75a-bbdbc9460595",
			"created_at": "2022-10-25T16:07:24.529893Z",
			"updated_at": "2026-04-10T02:00:05.02425Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "ETDA:Pacha Group",
			"tools": [
				"Antd",
				"DDG",
				"GreedyAntd",
				"Korkerds",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4928fa0de00872d0114965c35883fc447edbbb74.pdf",
		"text": "https://archive.orkl.eu/4928fa0de00872d0114965c35883fc447edbbb74.txt",
		"img": "https://archive.orkl.eu/4928fa0de00872d0114965c35883fc447edbbb74.jpg"
	}
}