{ "id": "d05a6081-8cb8-4873-9498-b3faa6fc39ea", "created_at": "2026-04-06T00:06:07.807396Z", "updated_at": "2026-04-10T13:12:18.279595Z", "deleted_at": null, "sha1_hash": "5bfa6c81cade4718f48e54c815b58b969684514e", "title": "Rocke: The Champion of Monero Miners", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 595787, "plain_text": "Rocke: The Champion of Monero Miners\r\nBy William Largent\r\nPublished: 2018-08-30 · Archived: 2026-04-02 10:34:33 UTC\r\nThursday, August 30, 2018 11:26\r\nThis post was authored by David Liebenberg.\r\nSummary\r\nCryptocurrency miners are becoming an increasingly significant part of the threat\r\nlandscape. These malicious miners steal CPU cycles from compromised devices to\r\nmine cryptocurrencies and bring in income for the threat actor.\r\nIn this post, we look at the activity of one particular threat actor: Rocke. We will examine several of Rocke's\r\ncampaigns, malware, and infrastructure while uncovering more information about the actor. After months of\r\nresearch, we believe that Rocke is an actor that must be followed, as they continue to add new features to their\r\nmalware and are actively exploring new attack vectors.\r\nIntroduction\r\nTalos has written widely about the issue of cryptomining malware and how\r\norganizations should protect systems against this threat. We continue to actively\r\nresearch developments in this threat through research that includes monitoring\r\ncriminal forums and deploying honeypot systems to attract these threats. It is\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 1 of 10\n\nthrough these intelligence sources that the Chinese-speaking actor which we refer\r\nto as \"Rocke\" came to our attention.\r\nRocke actively engages in distributing and executing cyrptomining malware using a varied toolkit that includes\r\nGit repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript\r\nbackdoors, as well as ELF and PE miners.\r\nEarly campaigns\r\nThis threat actor initially came to our attention in April 2018, leveraging both\r\nWestern and Chinese Git repositories to deliver malware to honeypot systems\r\nvulnerable to an Apache Struts vulnerability.\r\nSeveral files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user\r\nnamed \"c-999.\" Subsequently, the Gitee user page transitioned to \"c-888.\" Around the same time, we observed\r\nsimilar activity pulling down files from a gitlab.com repository page for a user named \"c-18.\"\r\nThe repositories on both Gitee and GitLab were identical. All the repositories had a folder called \"ss\" that\r\ncontained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety\r\nof actions, including achieving persistence and the execution of an illicit cryptocurrency miner.\r\nOnce the threat actor had compromised a system, they achieved persistence on the device by installing a cron job\r\nthat downloads and executes a file \"logo.jpg\" from \"3389[.]space.\" This file is a shell script which, in turn,\r\ndownloads mining executables from the threat actor's Git repositories and saves them under the filename \"java.\"\r\nThe exact file downloaded depends on the victim's system architecture. Similarly, the system architecture\r\ndetermines if \"h32\" or \"h64\" is used to invoke \"java.\"\r\nAlthough we first observed this actor exploiting vulnerabilities in Apache Struts, we've also observed what we\r\nbelieve to the same individual exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also\r\nexploiting CVE-2017-3066, a critical Java deserialization vulnerability in the Adobe ColdFusion platform.\r\nRecent campaign\r\nIn late July, we became aware that the same actor was engaged in another similar\r\ncampaign. Through our investigation into this new campaign, we were able to\r\nuncover more details about the actor.\r\nWe observed a wget request from our Struts2 honeypot for a file named \"0720.bin\" located on\r\n118[.]24[.]150[.]172:10555. We visited this IP and found it was an open HFS hosting \"0720.bin\" along with 10\r\nadditional files: \"3307.bin,\" \"a7,\" \"bashf,\" \"bashg,\" \"config.json,\" \"lowerv2.sh,\" \"pools.txt,\" \"r88.sh,\" \"rootv2.sh\"\r\nand \"TermsHost.exe.\" We set about examining these files.\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 2 of 10\n\nScreenshot of HFS system\r\nWe had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially\r\na scan for Oracle WebLogic servers, which listens on TCP port 7001 by default.\r\nBoth \"0720.bin\" and \"3307.bin\" are similar ELF files of similar size (84.19KB) that reach out to\r\n118[.]24[.]150[.]172, and were marked clean in VirusTotal at the time of discovery. Morpheus Labs described a\r\nsimilar file that connects to the same IP address, which could open a shell on the victim's machine if a password-verified instruction was issued from the C2. In both our samples, as well as the ones that Morpheus Labs\r\ndescribed, the hard-coded password was not only identical, but also located at the same offset.\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 3 of 10\n\nHard-coded password\r\n\"A7\" is a shell script that kills a variety of processes related to other cryptomining malware (including those with\r\nnames matching popular mining malware such as \"cranberry,\" \"yam,\" or \"kworker\"), as well as mining in general\r\n(such as \"minerd\" and \"cryptonight\"). It detects and uninstalls various Chinese AV, and also downloads and\r\nextracts a tar.gz file from blog[.]sydwzl[.]cn, which also resolves to 118[.]24[.]150[.]172. The script downloads a\r\nfile from GitHub called \"libprocesshider,\" which hides a file called \"x7\" using the ID preloader. The script looks\r\nfor IP addresses in known_hosts and attempts to SSH into them, before downloading \"a7\" again from the actor's\r\nHFS at 118[.]24[.]150[.]172, and execute it.\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 4 of 10\n\nExtract of Source Code of \"a7\"\r\n\"Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as\r\nxmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This is why we have named the\r\nactor \"Rocke\" (note that for MinerGate, an email can be used in place of a Monero wallet number — it's simply\r\nthe login email for the MinerGate platform). \"Pools.txt\" appears to be a config file for XMR-stak, an open-source\r\nuniversal Stratum pool miner that mines Monero, Aeon and more. This configuration file contains the same actor\r\npool and wallet information as the first.\r\n\"Bashf\" is a variant of XMR-stak while \"bashg\" is a variant of XMRig.\r\n\"Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware\r\ncomponents \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner\r\nfrom 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk.\r\n\"R88.sh\" is a shell script that installs a cron job and attempts to download \"lowerv2.sh\" or \"rootv2.sh.\"\r\n\"TermsHost.exe\" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent\r\nMiner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner\r\npromotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner\r\ninto \"Windows processes to bypass firewalls.\" The sample grabs the config file \"xmr.txt,\" which contains the same\r\nconfiguration information as the previous files, from Rocke's command and control (C2) server hosted on\r\nsydwzl[.]cn. The sample then injects code into notepad.exe, which then proceeds to communicate with the\r\nMinerGate pool. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 5 of 10\n\nFolder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing\r\nsoftware, which would allow the attacker to have greater control over the infected system.\r\nThe payload appears to be similar to one used by the Iron Cybercrime Group, as reported by cybersecurity firm\r\nIntezer in May. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure. So, while\r\nwe can asses with high confidence that the payloads share some code base, we are still unsure of the exact\r\nrelationship between Rocke and Iron Cybercrime Group.\r\nRocke has been observed seeking access to cloud storage services, as well as obtaining manuals for programming\r\nin the Chinese Easy language.\r\nThe majority of websites registered to Rocke list Jiangxi Province addresses for their registration. Some of these\r\nwebsites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food. We had had additional\r\nindications that Rocke is from Jiangxi based on their GitHub (see below). It is possible that the \"jx\" in\r\njxci@vip.qq.com stands for Jiangxi. Therefore, we assess with high confidence that Rocke operates from Jiangxi\r\nProvince.\r\nThe GitHub\r\nWe identified a GitHub page apparently associated with Rocke. The GitHub page lists Rocke as\r\nbeing affiliated with Jiangxi Normal University. In one repository folder, we found several of the\r\nsame files which were found on the HFS system, including several of the shell scripts with their\r\nwallet information included, as well as variants of the miner.\r\nWe found additional repositories for the same account. Within these repositories, we found scripts similar to those\r\nfound in previous campaigns, with the exception that they reached out to sydwzl[.]cn in addition to the previously\r\nobserved domain 3389[.]space. These findings support the link between Rocke and the activity we previously\r\nobserved in April and May.\r\nWe also found an additional repository through Rocke's page that's hosting nearly identical content, but with a\r\ndifferent C2. However, we are unable to determine how that page is being used or who is using it.\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 6 of 10\n\nThe files within their various repositories show that Rocke has become interested in browser-based JavaScript\r\nmining through the tool CryptoNote, as well as browser-based exploitation through the Browser Exploitation\r\nFramework. It appears that they are relying on fake Google Chrome alerts, fake apps, and fake Adobe Flash\r\nupdates to social engineer users into downloading malicious payloads.\r\nOne of the JavaScript files in the repository, named \"command.js,\" uses hidden IFrames to deliver payloads hosted\r\non CloudFront domains. The payload that we were able to obtain was UPX packed and behaved very similarly to\r\nthe file \"dDNLQrsBUE.url\" dropped by \"TermsHost.exe.\"\r\nRocke has also shown interest in other security-related repositories. They have forked repositories with exploit\r\ninformation, including those related to Apache Struts 2, JBoss and Shadow Brokers, as well as more general-use\r\ntools such as masscan, proxy tools and brute forcers.\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 7 of 10\n\nDespite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity\r\namong cybercriminals shows no signs of abating. Rocke's various campaigns show the variety of infection\r\nvectors, malware, and infrastructure that these criminals will employ to achieve their goals.\r\nIOCs:\r\nEarlier campaign:\r\nAttacking IPs targeting Struts:\r\n52[.]167[.]219[.]168: Attacking IP using repo at gitlab\r\n120[.]55[.]226[.]24: Attacking IP using repo at gitee\r\nAttacking IP targeting WebLogic:\r\n27[.]193[.]180[.]224\r\nAttacking IPs targeting ColdFusion:\r\n112[.]226[.]250[.]77\r\n27[.]210[.]170[.]197\r\n112[.]226[.]74[.]162\r\nDomains\r\n3389[.]space\r\nURLs\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/a\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/config[.]json\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/dir[.]dir\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/h32\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/upd\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/x86_64\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/h64\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/x\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/run\r\nhxxps://gitee[.]com/c-999/ss/raw/master/ss/logo[.]jpg\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/a\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/cron[.]d\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/dir[.]dir\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/x\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/x86_64\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/run\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/upd\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 8 of 10\n\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/upd\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/x\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/cron[.]d\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/h64\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/a\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/config[.]json\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/config[.]json\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/run\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/h32\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/dir[.]dir\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/x86_64\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/h32\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/h64\r\nhxxp://93[.]174[.]93[.]149/[.]xxxzlol[.]tar[.]gz\r\nhxxps://gitee[.]com/c-888/ss/raw/master/ss/logo[.]jpg\r\nhxxps://gitlab[.]com/c-18/ss/raw/master/ss/logo[.]jpg\r\nHashes:\r\nLogo.jpg: ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a\r\na: 6ec8201ef8652f7a9833e216b5ece7ebbf70380ebd367e3385b1c0d4a43972fb\r\ncron.d: f6a150acfa6ec9d73fdecae27069026ecf2d833eac89976289d6fa15713a84fe\r\ndir.dir: a20d61c3d4e45413b001340afb4f98533d73e80f3b47daec42435789d12e4027\r\nh32: 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161\r\nh64: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf\r\nlogo.jpg (from gitee[.]com): f1f041c61e3086da8157745ee01c280a8238a379ca5b4cdbb25c5b746e490a9b\r\nlogo.jpg (from gitlab[.]com): ad68ab153623472bbd8220fb19c488ae2884d9b52bc65add5d54b1821b4b743a\r\nrun: 0c358d826c4a32a8c48ce88eb073f505b555fc62bca6015f5270425c58a0d1c5\r\nupd: 187d06f1e6020b6787264e2e700c46c463a7818f07db0b051687f3cba65dbe0b\r\nx (32-bit miner): 6e80a9d843faf27e239b1a767d29c7443972be1ddf5ff5f5f9fc9a2b55a161f5\r\nx86_64 (64-bit miner): 2ad07f8d1985f00cd05dafacbe5b6a5b1e87a78f8ae8ecdf91c776651c88a612\r\nMore recent campaign:\r\nIPs\r\n123[.]249[.]9[.]149: Issues get request for 0720.bin\r\n118[.]24[.]150[.]172: Rocke's HFS, also resolves to C2 sydwzl[.]cn\r\nDomains:\r\nsydwzl[.]cn\r\nblockbitcoin[.]com: Reached out to by Install.exe\r\ndazqc4f140wtl[.]cloudfront[.]net: file server\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 9 of 10\n\n3g2upl4pq6kufc4m[.]tk: file server\r\nd3goboxon32grk2l[.]tk: file server\r\nenjoytopic[.]tk: file server\r\nrealtimenews[.]tk: file server\r\n8282[.]space: older C2\r\nDomains registered to Rocke (not all are necessarily malicious):\r\n5-xun[.]com\r\n88180585[.]com\r\nfirstomato[.]com\r\njxtiewei[.]com\r\nncyypx[.]net\r\nURLs\r\nhxxp://d20blzxlz9ydha[.]cloudfront[.]net/Install.exe\r\nhxxp://www[.]amazon[.]com:80/N4215/adj/amzn.us.sr.aps?sz=160x600\u0026oe=oe=ISO-8859-\r\n1;\u0026sn=12275\u0026s=3717\u0026dc_ref=http%3A%2F%2Fwww.amazon.com\r\nhxxp://www[.]amazon[.]com:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\r\nHashes\r\n55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b 0720.bin\r\n38066751cb6c39691904ffbef86fe3bdfa737e4ba64add4dd90358245fa2b775 3307.bin\r\n89b3463664ff13ea77256094844c9cf69d3e408d3daf9ffad3aa18af39bab410 TermsHost.exe\r\nd341e3a9133e534ca35d5ccc54b8a79f93ff0c917790e7d5f73fedaa480a6b93 a7\r\n442e4a8d35f9de21d5cbd9a695a24b9ac8120e548119c7f9f881ee16ad3761e6 bashf\r\n7674e0b69d848e0b9ff8b82df8671f9889f33ab1a664f299bcce13744e08954c bashg\r\n7051c9af966d1c55a4096e2af2e6670d4fc75e00b2b396921a79549fb16d03d4 lowerv2.sh\r\n2f5bf7f1ea7a84828aa70f1140774f3d4ce9985d05a676c8535420232e2af87e pools.txt\r\nba29d8a259d33d483833387fad9c7231fbb3beb9f4e0603b204523607c622a03 config.json\r\n7c2dbc0d74e01a5e7c13b4a41d3a1f7564c165bd532e4473acea6f46405d0889 r88.sh\r\nd44e767132d68fdb07c23c848ff8c28efe19d1b7c070161b7bd6c0ccfc858750 rootv2.sh\r\n35cb971daafd368b71ad843a4e0b81c80225ec20d7679cfbf78e628ebcada542 Install.exe\r\n654ec27ea99c44edc03f1f3971d2a898b9f1441de156832d1507590a47b41190 ZZYO\r\nF808A42B10CF55603389945A549CE45EDC6A04562196D14F7489AF04688F12BC XbashY\r\n725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054 reg9.sct\r\nd7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6 m.png\r\nece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50 hidden executable in m.png\r\nSource: https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nhttps://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html\r\nPage 10 of 10\n\nuncover more We observed details about a wget request from the actor. our Struts2 honeypot for a file named \"0720.bin\" located on \n118[.]24[.]150[.]172:10555. We visited this IP and found it was an open HFS hosting \"0720.bin\" along with 10\nadditional files: \"3307.bin,\" \"a7,\" \"bashf,\" \"bashg,\" \"config.json,\" \"lowerv2.sh,\" \"pools.txt,\" \"r88.sh,\" \"rootv2.sh\"\nand \"TermsHost.exe.\" We set about examining these files. \n Page 2 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA", "MITRE" ], "origins": [ "web" ], "references": [ "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" ], "report_names": [ "rocke-champion-of-monero-miners.html" ], "threat_actors": [ { "id": "7c053836-8f50-4d40-bc5c-7088967e1b57", "created_at": "2022-10-25T16:07:24.549525Z", "updated_at": "2026-04-10T02:00:05.03048Z", "deleted_at": null, "main_name": "Rocke", "aliases": [ "Aged Libra", "G0106", "Iron Group", "Rocke" ], "source_name": "ETDA:Rocke", "tools": [ "Godlua", "Kerberods", "LSD", "Pro-Ocean", "Xbash" ], "source_id": "ETDA", "reports": null }, { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2", "created_at": "2022-10-25T16:07:24.471018Z", "updated_at": "2026-04-10T02:00:05.002374Z", "deleted_at": null, "main_name": "Cron", "aliases": [], "source_name": "ETDA:Cron", "tools": [ "Catelites", "Catelites Bot", "CronBot", "TinyZBot" ], "source_id": "ETDA", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "905eabd9-2b7f-483d-86bd-0c72f96b4162", "created_at": "2023-01-06T13:46:39.02749Z", "updated_at": "2026-04-10T02:00:03.185957Z", "deleted_at": null, "main_name": "Rocke", "aliases": [ "Aged Libra" ], "source_name": "MISPGALAXY:Rocke", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f", "created_at": "2022-10-25T15:50:23.360509Z", "updated_at": "2026-04-10T02:00:05.337702Z", "deleted_at": null, "main_name": "Rocke", "aliases": [ "Rocke" ], "source_name": "MITRE:Rocke", "tools": null, "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775433967, "ts_updated_at": 1775826738, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5bfa6c81cade4718f48e54c815b58b969684514e.pdf", "text": "https://archive.orkl.eu/5bfa6c81cade4718f48e54c815b58b969684514e.txt", "img": "https://archive.orkl.eu/5bfa6c81cade4718f48e54c815b58b969684514e.jpg" } }