{
	"id": "0e5a0004-5056-4d06-93c1-2d74a993070b",
	"created_at": "2026-04-06T00:13:07.070913Z",
	"updated_at": "2026-04-10T03:28:24.226319Z",
	"deleted_at": null,
	"sha1_hash": "792c873b87d42b65631625e67338e7a1f53e94a2",
	"title": "Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3154984,
	"plain_text": "Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now\r\nMore Difficult to Detect\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 22:46:18 UTC\r\nChina-based cryptomining threat actor Rocke has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution.\r\nhttps://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect#When:14:00:00Z\r\nPage 1 of 10\n\nSummary\r\nRocke, a China-based cryptomining threat actor, moved its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019. The setup scripts were served from the subdomains “lsd.systemten[.]org” and “update.systemten[.]org” in place of the earlier pastes. In September 2019, the actor stopped hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) TXT records. The malware reads these records via normal DNS queries, falling back to DNS-over-HTTPS (DoH) if the DNS query fails. In addition to the C2 change, functionality was added to the LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.\r\nThe change in technique observed by Rocke is a step forward in the threat actor’s overall sophistication. By moving from Pastebin to self-hosted infrastructure and DNS records, the actor is better protected against takedowns, and its malicious operations may become harder to detect. As of this writing, Rocke is primarily known for cryptomining; however, the actor could swap the payload for something more damaging if it chose to monetize its access differently. It is therefore paramount to take steps to mitigate the possibility of Rocke-styled campaigns.\r\nIntroduction\r\nRocke focuses primarily on illicit cryptomining on compromised machines. The group was first reported by Cisco Talos[1] in August 2018, and Palo Alto Networks’ Unit 42 has produced numerous reports[2-4] on the group since then. Anomali’s Threat Research Team has been tracking the actor’s activity since March 2019. Our report in March described how the actor started to use a new malware family written in Go (Golang) to set up and monitor mining on the infected machine.[5] We have observed the threat actor continuing to use the same malware throughout the year. In April 2019, Confluence users posted on the Atlassian Community forum reporting cryptominer infections.[6] Rocke used CVE-2019-3396, disclosed the month before, to install its malware on vulnerable Confluence servers. The group’s activity continued for a few months with only minor changes to its Tactics, Techniques, and Procedures (TTPs).\r\nSummer 2019 activity\r\nIn June, Rocke shifted from using Pastebin to self-hosting the initial setup script. This was done using subdomains of “systemten[.]org”, the domain that points to the mining pool/proxy used by the threat actor. Two of these subdomains are “lsd.systemten[.]org” and “update.systemten[.]org”. On July 29, 2019, both subdomains saw a huge spike in requests, according to data from Cisco Umbrella. The “update” subdomain was still being requested until September 17, 2019, when it stopped abruptly. Figures 1 and 2 below show both events. The “lsd” subdomain is still being requested as of writing.\r\nFigure 1 - Data from Cisco Umbrella showing queries for “lsd.systemten[.]org” for a few days in July. A spike of over 20,000 queries per hour was recorded on July 29, 2019.\r\nFigure 2 - Data from Cisco Umbrella showing how queries for “update.systemten[.]org” stopped on September 17, 2019.\r\nThe two subdomains shown above replaced the actor’s use of Pastebin. The “update” subdomain returns the current version string; from it, the malware determines whether it needs to download a newer version. The “lsd” subdomain serves the setup bash script, which establishes persistence via cron jobs and downloads the latest version of the malware.\r\nChanges to the LSD malware\r\nThe “LSD” malware has had some updates since it was first reported on by the Anomali Threat Research team in March 2019. A reconstruction of the source code layout is shown below:\r\nPackage github.com/hippies/LSD/LSDB: /root/go/src/github.com/hippies/LSD/LSDB File: init Lines\r\nOne new piece of functionality is the “StartHttpServer” function. The malware starts a web server listening on localhost, TCP port 65533. This serves as a mutex to ensure only one instance of the malware runs, because only one process can bind a given port. Figure 3 below shows the malware trying to connect to this port. If the connection succeeds, it knows another instance is running and it exits. Otherwise, it continues with setting up the machine for mining. On a suspect host, a process listening on 127.0.0.1:65533 is therefore a quick indicator worth checking.\r\nFigure 3 - Assembly snippet showing the malware connecting to localhost on port 65533 over TCP.\r\nNew Exploit Added\r\nThe first iteration of the malware tried to gain access to other machines via SSH and Redis by brute forcing weak credentials. Later in the spring, functionality for exploiting Jenkins servers was added. In this phase, the important addition is support for exploiting CVE-2016-3088, a vulnerability in the fileserver web application of Apache ActiveMQ 5.x before 5.14.0 that lets a remote attacker upload an arbitrary file with an HTTP PUT and then relocate it with an HTTP MOVE. Figure 4 shows the malware trying to place a cron job at the following locations: “/etc/cron.d/root”, “/var/spool/cron/root”, and “/var/spool/cron/crontabs/root”.\r\nFigure 4 - The LSD malware tries to add crontab files to “/etc/cron.d/root”, “/var/spool/cron/root”, and “/var/spool/cron/crontabs/root”.\r\nThe exploit uses two HTTP requests. First, the file is uploaded via a “PUT” request, as shown in Figure 5. The file is then moved to a crontab location via a “MOVE” request, shown in Figure 6.\r\nFigure 5 - LSD malware constructing a “PUT” request to upload the crontab file to “/fileserver/go.txt” on the ActiveMQ host.\r\nFigure 6 - The malware constructs a “MOVE” request to move the crontab file from “/fileserver/go.txt” to one of the three crontab locations.\r\nKing of the Hill\r\nThe malware tries to ensure only the threat actor’s miner is running on the infected machine. It does so by killing any other process with high CPU usage. The LSD malware identifies its own miner via the MD5 hash of the file so that it does not kill it. Figure 7 shows the malware comparing the MD5 hash against two hardcoded values, which match the hashes of the 32-bit and 64-bit versions of the miner dropped by the malware.\r\nFigure 7 - Screenshot showing the LSD malware comparing MD5 hashes against two hardcoded values. The hardcoded values match the hashes of the 32-bit and 64-bit miner.\r\nOnce the malware knows which process to ignore, it iterates through all running processes and captures the CPU usage of each. 
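The upload-then-move sequence described under “New Exploit Added” above is easy to spot in HTTP traffic to an ActiveMQ host: the fileserver webapp is rarely written to legitimately, and a MOVE whose Destination resolves to a crontab path has no benign use. The following Go program is an added detection example written for this page, not code from the report or from the malware. It runs over a constructed list of requests (method, path and the WebDAV Destination header, as a reverse proxy log or packet capture would provide them; a plain NCSA-style access log does not record that header), flags any PUT into /fileserver/ and any MOVE whose Destination resolves to one of the three crontab paths, and links a MOVE back to the PUT that uploaded the same path. Accepting a file: URL, an HTTP URL that escapes the webapp with ../ segments, or a relative path resolved against the webapp root is this example’s assumption about how the Destination may be encoded; the report shows only the target paths.

```go
package main

import (
	`fmt`
	`net/url`
	`path`
	`strings`
)

// request is a minimal view of one HTTP request seen on the ActiveMQ web
// port, as a reverse proxy log or packet capture would provide it.
type request struct {
	Method string
	Path   string
	Dest   string // WebDAV Destination header; only meaningful for MOVE
}

// cronTargets are the three crontab locations the report observed the
// malware moving its uploaded file to.
var cronTargets = map[string]bool{
	`/etc/cron.d/root`:              true,
	`/var/spool/cron/root`:          true,
	`/var/spool/cron/crontabs/root`: true,
}

// destPath reduces a MOVE Destination to the cleaned absolute path the server
// would end up writing. Assumption (not from the report): the header may be a
// file: URL, an HTTP URL whose path walks out of the webapp with ../, or a
// relative path, which is resolved against the webapp root.
func destPath(dest string) string {
	p := dest
	if u, err := url.Parse(dest); err == nil {
		p = u.Path
	}
	if !path.IsAbs(p) {
		p = `/fileserver/` + p
	}
	return path.Clean(p)
}

// finding is one flagged request; Index is its position in the input.
type finding struct {
	Index  int
	Reason string
}

// detect flags writes into the fileserver webapp and MOVEs that land on a
// crontab path. When the MOVE source was uploaded earlier in the same
// sequence, the finding reports the complete upload-then-move chain.
func detect(reqs []request) []finding {
	var out []finding
	uploaded := map[string]int{} // fileserver path -> index of the PUT
	for i, r := range reqs {
		switch strings.ToUpper(r.Method) {
		case `PUT`:
			if strings.HasPrefix(r.Path, `/fileserver/`) {
				uploaded[r.Path] = i
				out = append(out, finding{i, `file written to ActiveMQ fileserver: ` + r.Path})
			}
		case `MOVE`:
			target := destPath(r.Dest)
			if !cronTargets[target] {
				continue
			}
			reason := `MOVE to crontab path ` + target
			if j, ok := uploaded[r.Path]; ok {
				reason = fmt.Sprintf(`upload (request %d) then MOVE of %s to crontab path %s`, j, r.Path, target)
			}
			out = append(out, finding{i, reason})
		}
	}
	return out
}

// sample is a constructed request sequence, not traffic from the report: a
// benign console request, the PUT/MOVE pair from Figures 5 and 6, a harmless
// MOVE inside the webapp, and a MOVE that escapes the webapp with ../.
var sample = []request{
	{`GET`, `/admin/`, ``},
	{`PUT`, `/fileserver/go.txt`, ``},
	{`MOVE`, `/fileserver/go.txt`, `file:///etc/cron.d/root`},
	{`MOVE`, `/fileserver/other.txt`, `http://10.0.0.5:8161/fileserver/archive/other.txt`},
	{`MOVE`, `/fileserver/x.txt`, `http://10.0.0.5:8161/fileserver/../../var/spool/cron/root`},
}

func main() {
	for _, f := range detect(sample) {
		fmt.Printf(`request %d: %s`, f.Index, f.Reason)
		fmt.Println()
	}
}
```

The same rule generalizes beyond cron: any MOVE whose cleaned destination leaves /fileserver/ is worth alerting on, since the webapp has no legitimate reason to write elsewhere. The durable fix is to upgrade ActiveMQ or remove the fileserver webapp from the broker, not to rely on the detector.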
If it is above the threshold, the process is killed, as shown in Figure 8.\r\nFigure 8 - The LSD malware gets the CPU usage of all running processes and kills all processes with high CPU usage.\r\nSeptember and DoH\r\nIn September 2019, Rocke pushed a new version of the LSD malware. It maintains the functionality of the samples seen during the summer of 2019. A reconstruction of the source code layout is shown below:\r\nPackage github.com/hippies/LSD/LSDB: /root/go/src/github.com/hippies/LSD/LSDB File: init Lines\r\nThe primary change is in the C2 functionality. Instead of the domain “systemten[.]org”, the threat actor has moved to the domain “iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com”. According to Cisco Umbrella data, the “update.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com” subdomain, shown in Figure 9, started to be queried on September 17, the same day “update.systemten[.]org” stopped being queried.\r\nFigure 9 - DNS queries for “update.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com” in September 2019. The requests are around 75 per hour.\r\nInstead of hosting the setup script and update version on a dedicated host, the threat actor now uses TXT records. Figure 10 shows the malware looking up the TXT record for “update.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com”. The response is encrypted with AES-128.\r\nFigure 10 - Malware uses the Go standard library package “net” to perform a lookup of the TXT record “update.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com”.\r\nIf the lookup fails, the malware tries to perform the same lookup via a DoH request, shown in Figure 11. The server queried for the DoH request is “cloudflare-dns.com”. Because the DoH fallback carries the query inside ordinary HTTPS to a public resolver, blocking or sinkholing the domain on the internal resolver alone does not cut the channel; egress to public DoH resolvers needs to be controlled or monitored as well.\r\nFigure 11 - LSD malware creating a DoH request for TXT records.\r\nThe TXT record values are encrypted with 128-bit AES in cipher-block-chaining (CBC) mode and base64 encoded. The key is derived from the TXT record name. Figure 12 summarizes the function used to derive the decryption key: the record name, for example “update.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com”, is hashed with two rounds of MD5, and the 128-bit digest is passed to the Go standard library function for creating a new AES cipher. The key and block are stored in the “LSDC.AesCipher128” struct, shown in Figure 13. Since the key depends only on the record name, anyone holding the name and a captured TXT value can reproduce the key and decrypt the record; the encryption hides the content from casual inspection but provides no secrecy against an analyst.\r\nFigure 12 - Summary of the function used to generate the AES key to decrypt the TXT request answer.\r\nFigure 13 - Data structure used to hold decryption information.\r\nConclusion\r\nRocke keeps evolving its TTPs in an attempt to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted infrastructure and DNS records, the threat actor is more protected against take-downs that could disrupt ongoing malicious activity. 
It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrency in the near future. Enterprises with internet-facing services should ensure all software is kept up to date and that no weak passwords are used. While illicit cryptocurrency mining can be seen as a minor issue, it can lead to increased resource drain and earlier hardware failure. In addition, Rocke or other cryptomining threat actors could change the payload from a cryptominer to something more dangerous, such as ransomware or a Remote Access Trojan (RAT). It is therefore paramount to take steps to mitigate the possibility of Rocke-styled campaigns.\r\nEnterprise ThreatStream users can access more information here, which includes password lists used by the actor for brute force attacks.\r\nIOCs\r\nsystemten[.]org\r\nlsd.systemten[.]org\r\nupdate.systemten[.]org\r\n1x32.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\n2x32.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\n3x32.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\n1x64.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\n2x64.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\n3x64.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\nshell.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\nupdate.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\ncron.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com\r\nMITRE ATT\u0026CK™ Techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1190 | Exploit Public-Facing Application | Rocke exploits known vulnerabilities in public-facing services.\r\nInitial Access | T1078 | Valid Accounts | The LSD malware uses stored SSH keys on the infected host to gain access to other machines.\r\nExecution | T1168 | Local Job Scheduling | The exploits are used to install cron jobs that download the LSD malware.\r\nExecution | T1064 | Scripting | The cron job downloads a shell script that in turn downloads the LSD malware.\r\nPersistence | T1156 | .bash_profile and .bashrc | Entries are added to “.bashrc” for persistence.\r\nPersistence | T1168 | Local Job Scheduling | Cron job entries are created to ensure a new version of the LSD malware is installed in case it is removed.\r\nPersistence | T1501 | Systemd Service | The LSD malware creates a systemd service to ensure it is restarted when the machine reboots.\r\nDefense Evasion | T1036 | Masquerading | The LSD malware uses filenames similar to common Linux services, for example sshd and kerberods.\r\nDefense Evasion | T1099 | Timestomp | Files created have their timestamps altered to appear older.\r\nCredential Access | T1110 | Brute Force | The LSD malware tries to compromise Redis and SSH servers via credential brute forcing.\r\nDiscovery | T1046 | Network Service Scanning | The LSD malware scans for other machines running vulnerable ActiveMQ, Jenkins, SSH, and Redis services.\r\nDiscovery | T1057 | Process Discovery | The LSD malware enumerates all running processes to find any other miners installed on the machine. If others are found, they are killed.\r\nDiscovery | T1018 | Remote System Discovery | The setup script uses the known_hosts file to find other machines it can access over SSH.\r\nLateral Movement | T1021 | Remote Services | The setup script uses known SSH hosts and stored SSH keys to infect other machines.\r\nCommand and Control | T1043 | Commonly Used Port | LSD uses HTTP/HTTPS and DNS TXT records for C2.\r\nCommand and Control | T1132 | Data Encoding | The data retrieved from the DNS TXT records is encrypted and base64 encoded.\r\nCommand and Control | T1079 | Multilayer Encryption | The LSD malware uses DoH to retrieve encrypted instructions.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | LSD uses HTTP/HTTPS and DNS TXT records for C2.\r\nImpact | T1496 | Resource Hijacking | The LSD malware installs a Monero miner.\r\nEndnotes\r\n1. David Liebenberg, “Rocke: The Champion of Monero Miners”, Talos Blog, published August 30, 2018, accessed March 14, 2019.\r\n2. Nathaniel Quist, “Rocke’in the NetFlow”, Palo Alto Networks Unit 42 Blog, published August 1, 2019, accessed October 8, 2019.\r\n3. Claud Xiao, Cong Zheng and Xingyu Jin, “Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows”, Palo Alto Networks Unit 42 Blog, published September 17, 2018, accessed October 8, 2019.\r\n4. Xingyu Jin and Claud Xiao, “Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products”, Palo Alto Networks Unit 42 Blog, published January 17, 2019, accessed October 8, 2019.\r\n5. Anomali Labs, “Rocke Evolves Its Arsenal With a New Malware Family Written in Golang”, Anomali Blog, published March 15, 2019, accessed October 8, 2019.\r\n6. “How come my Confluence installation was hacked by Kerberods malware?”, Atlassian Community, published April 10, 2019, accessed October 8, 2019.\r\nSource: https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect#When:14:00:00Z",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect#When:14:00:00Z"
	],
	"report_names": [
		"illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect#When:14:00:00Z"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775791704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/792c873b87d42b65631625e67338e7a1f53e94a2.pdf",
		"text": "https://archive.orkl.eu/792c873b87d42b65631625e67338e7a1f53e94a2.txt",
		"img": "https://archive.orkl.eu/792c873b87d42b65631625e67338e7a1f53e94a2.jpg"
	}
}