{
	"id": "df3d484e-3634-4093-a29e-d2c5f1b6585f",
	"created_at": "2026-04-06T00:21:19.245178Z",
	"updated_at": "2026-04-10T03:32:45.863662Z",
	"deleted_at": null,
	"sha1_hash": "cc1c3194c1b637a69534b842e8f995bd65219efd",
	"title": "Ocean - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51438,
	"plain_text": "Ocean - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:12:49 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Pro-Ocean\n Tool: Pro-Ocean\nNames Pro-Ocean\nCategory Malware\nType Miner\nDescription\n(Palo Alto) Pro-Ocean uses known vulnerabilities to target cloud applications. In our analysis,\nwe found Pro-Ocean targeting Apache ActiveMQ (CVE-2016-3088), Oracle WebLogic (CVE-2017-10271) and Redis (unsecure instances). In the case that the malware runs in Tencent\nCloud or Alibaba Cloud, it will use the exact code of the previous malware to uninstall\nmonitoring agents to avoid detection. Additionally, it attempts to remove other malware and\nminers including Luoxk, BillGates, XMRig and Hashfish before installation. Once installed,\nthe malware kills any process that uses the CPU heavily, so that it’s able to use 100% of the\nCPU and mine Monero efficiently.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool Pro-Ocean\nChanged Name Country Observed\nOther groups\n Rocke, Iron Group 2018-Apr 2021\n1 group listed (0 APT, 1 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=794ffbdf-64e6-4f00-911d-a359a08c02a5\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=794ffbdf-64e6-4f00-911d-a359a08c02a5\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=794ffbdf-64e6-4f00-911d-a359a08c02a5\r\nPage 2 of 2\n\nOther groups Rocke, Iron Group 2018-Apr 2021 \n1 group listed (0 APT, 1 other, 0 unknown) \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=794ffbdf-64e6-4f00-911d-a359a08c02a5"
	],
	"report_names": [
		"listgroups.cgi?u=794ffbdf-64e6-4f00-911d-a359a08c02a5"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e4389aca-6209-443d-9fdc-7ad01c36e3b4",
			"created_at": "2023-01-06T13:46:39.07782Z",
			"updated_at": "2026-04-10T02:00:03.205516Z",
			"deleted_at": null,
			"main_name": "luoxk",
			"aliases": [],
			"source_name": "MISPGALAXY:luoxk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b9d2809-47b7-46a8-ab2d-9687537f1bc7",
			"created_at": "2023-01-06T13:46:38.804869Z",
			"updated_at": "2026-04-10T02:00:03.107112Z",
			"deleted_at": null,
			"main_name": "Iron Group",
			"aliases": [
				"Iron Cyber Group"
			],
			"source_name": "MISPGALAXY:Iron Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc1c3194c1b637a69534b842e8f995bd65219efd.pdf",
		"text": "https://archive.orkl.eu/cc1c3194c1b637a69534b842e8f995bd65219efd.txt",
		"img": "https://archive.orkl.eu/cc1c3194c1b637a69534b842e8f995bd65219efd.jpg"
	}
}