{
	"id": "5ad76429-661e-456d-8d69-bda07443e9b1",
	"created_at": "2026-04-06T00:21:50.23929Z",
	"updated_at": "2026-04-10T03:34:57.709217Z",
	"deleted_at": null,
	"sha1_hash": "4d59fa33e1d603576324f2a5f4a6a6e5c663f29c",
	"title": "Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1785660,
	"plain_text": "Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud\r\nBy Ignacio Sanmillan\r\nPublished: 2019-05-09 · Archived: 2026-04-02 10:49:59 UTC\r\nPacha Group is a crypto-mining threat actor we at Intezer discovered and profiled in a blog post published on February 28, 2019. This threat actor targeted Linux servers dating back to September 2018 and implemented advanced evasion and persistence techniques.\r\nWe have continued to monitor this threat actor, and new findings show that Pacha Group is also targeting cloud-based environments and making considerable efforts to disrupt other crypto-mining groups, namely Rocke Group, which is also known to target cloud environments.\r\nWe believe these findings are relevant for raising awareness of cloud-native threats, and our research suggests that cloud environments are increasingly becoming a common target for adversaries.\r\nTechnical Analysis\r\nIn monitoring Pacha Group we have identified new, undetected Linux.GreedyAntd variants that share code with previous variants.\r\nDespite sharing nearly 30% of code with previous variants, detection rates of the new Pacha Group variants are low:\r\nhttps://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/\r\nPage 1 of 11\r\nThe main malware infrastructure appears to be identical to previous Pacha Group campaigns, although there is a distinguishable effort to detect and mitigate Rocke Group’s implants. Rocke Group was first reported by Cisco Talos researchers and has deployed sophisticated crypto-mining campaigns in Linux servers and cloud-based environments, as reported by Palo Alto Unit 42. The following image is the blacklist of miners that Linux.GreedyAntd searches for and eradicates. We have recognized several file names in this blacklist known to be used for Rocke Group’s implants:\r\nFurthermore, there are other strings within this file path blacklist which are used to search for and disable cloud protection solutions, such as Alibaba Server Guard Agent. Strings of malware implants known to have abused the Atlassian vulnerability were also found. Rocke Group is known to hunt for similar security products and to have abused the same vulnerability.\r\nAnother interesting update in Pacha Group’s infrastructure in comparison to previous campaigns is that further implants can only be downloaded from Pacha Group’s servers if the HTTP GET request is made with a specific User-Agent. In the following screenshot we can see that files cannot be downloaded unless the correct User-Agent is used:\r\nIn addition, Pacha Group’s component update seems to include a lightweight user-mode rootkit known as Libprocesshider, which is an open source project hosted on GitHub and has also been used by Rocke Group. The malware updates /etc/ld.so.preload to include the path of the dropped library, which masquerades as libconv.so, a unicode conversion library.\r\nThis shared object exports customized versions of the readdir and readdir64 functions that attempt to hide from the /proc filesystem the process name of one of the main components of the malware’s infrastructure, the component in charge of downloading further implants at intervals and enforcing process, file path and IP blacklisting:\r\nAlong with the process and file path blacklisting measures seen in previous variants, we also observed that newer variants implement IP blacklisting using an interesting technique.\r\nRight after process and file path blacklisting has been accomplished, we find the following code:\r\nEach of the IPs in the blacklist IP table is decoded and then added to the system routing table with host scope via ioctl.\r\nThis is more conveniently shown by observing the following system call trace:\r\nWhen we check the routing table of a compromised system we see the following:\r\nEach of the decoded IPs has been added to the routing table with host scope. This implies that whenever any of these IPs is requested, the request will be routed back to the host to be resolved instead of being redirected to the gateway, causing a failure in the routing process.\r\nIn the following screenshot we can see the effect of this methodology by using the ping utility:\r\nAfter analyzing the IP blacklist we discovered that some of these IPs, even though they may not necessarily be malicious, are known to have been used by Rocke Group in the past. As an example, systemten.org is in this blacklist and it is known that Rocke Group has used this domain for their crypto-mining operations. The following are some domains that correspond to their hardcoded IPs in Linux.GreedyAntd’s blacklist and that have Rocke Group correlations:\r\nConclusion\r\nWe have presented evidence that Pacha Group is targeting cloud-based environments and being especially aggressive towards Rocke Group. We have based this conclusion on the process blacklist used by Pacha Group and the newly added IP blacklist, which contains Rocke Group correlated artifacts.\r\nWe have also provided a YARA rule to detect Pacha Group’s Linux.GreedyAntd implants based on code reused among the implants.\r\nFor additional recommendations on how to mitigate this threat, please refer to our non-technical blog post on this subject: https://intezer.com//blog-competition-for-cryptocurrency-mining-foothold-on-the-cloud.\r\nCloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers. Unfortunately the detection rates of Linux-based malware remain low, and the security community needs more awareness in order to mitigate these threats more effectively.\r\nIOCs\r\n195.154.187[.]169\r\n165.227.140[.]184\r\nf46a9d2c3c9bfcc409534e0856f4614d6b42e792134dcf0f40df7295a777c879\r\nd2e373c1341a28e18158272208a15decfa397640b6092b56158e0f52e4ff73a4\r\nc098d5aeef316c3564b0b40a8a102147dae9c606fa92a2e2f0ad5c94cfe30222\r\n42612f41befc57619646da5e91e7758dcc83cbaafbe5fdfa19d9f43a71f2504f\r\nce10e7a0fb517309b1e1141b44d3f9f7759e0f8889c0392774a5869f41006a3f\r\nd94a6537adcea2f8ef3ed5ed41a548bc2b26b3acdeca9aaf6da4c933e7f47174\r\nf83d75ab09634a7b818ef87c6509cca2c6f26f5f65b8d3448ebc86b52be62253\r\ne5f6fbeb3981c9dfa126dc0a71a0aa41b56a09a89228659a7ea5f32aff4b2058\r\nGreedyAntd Embedded IP Blacklist\r\nThe following are IPs that Pacha Group attempts to block to prevent the operation of other crypto-mining implants (note: do not block these IPs; the IPs to block are listed in the IOCs section above):\r\n139.99.120[.]73\r\n47.95.85[.]22\r\n62.210.75[.]99\r\n113.55.8[.]24\r\n62.210.75[.]99\r\n42.56.76[.]104\r\n198.204.231[.]250\r\n47.90.213[.]21\r\n116.62.232[.]226\r\n134.209.104[.]20\r\n198.12.156[.]218\r\n207.148.76[.]229\r\n188.165.254[.]85\r\n58.56.187[.]66\r\n89.35.39[.]78\r\n37.139.22[.]136\r\n37.44.212[.]223\r\n54.36.137[.]146\r\n139.99.120[.]50\r\n37.120.131[.]220\r\n104.20.209[.]21\r\n198.12.156[.]218\r\n34.196.173[.]143\r\n34.193.88[.]221\r\n35.168.52[.]211\r\n104.248.4[.]162\r\n130.61.54[.]136\r\n139.99.120[.]50\r\n198.12.156[.]218\r\n166.62.38[.]167\r\n185.193.125[.]146\r\n132.148.148[.]79\r\n188.165.254[.]85\r\n104.20.208[.]21\r\n37.187.95[.]110\r\n158.69.25[.]62\r\n104.31.93[.]26\r\n104.25.140[.]10\r\n60.191.25[.]101\r\n104.248.53[.]213\r\n60.191.13[.]119\r\n104.130.210[.]206\r\n193.56.28[.]207\r\n37.187.95[.]110\r\n89.35.39[.]78\r\n81.4.122[.]134\r\n37.44.212[.]223\r\n148.251.133[.]246\r\n52.41.214[.]241\r\n52.25.124[.]181\r\n54.68.226[.]153\r\n136.243.89[.]164\r\n104.20.209[.]21\r\n176.9.2[.]144\r\n37.59.43[.]136\r\n78.46.89[.]102\r\n37.59.45[.]174\r\n91.121.2[.]76\r\n176.9.53[.]68\r\n37.59.55[.]60\r\n178.63.48[.]196\r\n37.187.154[.]79\r\n37.59.44[.]93\r\n78.46.91[.]134\r\n37.59.54[.]205\r\n23.175.0[.]142\r\n104.140.244[.]186\r\n136.243.102[.]157\r\n5.254.96[.]150\r\n51.15.56[.]161\r\nSource: https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/"
	],
	"report_names": [
		"blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18bcbaa6-8e7b-43c4-9db7-8b0b315ee5a3",
			"created_at": "2023-01-06T13:46:39.024086Z",
			"updated_at": "2026-04-10T02:00:03.184974Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "MISPGALAXY:Pacha Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "484c5fed-029e-4504-b75a-bbdbc9460595",
			"created_at": "2022-10-25T16:07:24.529893Z",
			"updated_at": "2026-04-10T02:00:05.02425Z",
			"deleted_at": null,
			"main_name": "Pacha Group",
			"aliases": [],
			"source_name": "ETDA:Pacha Group",
			"tools": [
				"Antd",
				"DDG",
				"GreedyAntd",
				"Korkerds",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d59fa33e1d603576324f2a5f4a6a6e5c663f29c.pdf",
		"text": "https://archive.orkl.eu/4d59fa33e1d603576324f2a5f4a6a6e5c663f29c.txt",
		"img": "https://archive.orkl.eu/4d59fa33e1d603576324f2a5f4a6a6e5c663f29c.jpg"
	}
}