Skip to main content
Mallory
Back to threat actors
2 malware familiesExploits CVEs in the wild

Rocke

Also known asRocke

Rocke is a financially motivated threat actor, also referenced in the content as the Iron Cybercrime Group. The group has been associated with opportunistic attacks on Linux servers and with use of Linux.NOODLERAT for financial gain. Reported tradecraft in the provided content includes downloading payloads with wget and curl from Pastebin over HTTPS, extracting tar.gz archives from C2 infrastructure, and deploying a file named "libprocesshider" to hide files on infected systems. Rocke has used systemd service persistence on Linux, including adding a service so Golang-based payloads execute on boot. The actor has used uname -m to collect kernel and system information, detected running process PIDs on infected machines, deleted files on compromised hosts, changed timestamps of files, and used scripts to detect and uninstall antivirus software. The content also attributes UPX packing and UPX header modification to Rocke, including creation of UPX-packed files in the Windows Start Menu folder and modification of UPX headers to break unpackers. Known alias in the provided content: rocke; also referenced as Iron Cybercrime Group.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

47 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics71 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595×2
Active Scanning
TA0042
Resource Development
1 technique
T1608
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
3 techniques
T1133×3
External Remote Services
T1190×15
Exploit Public-Facing Application
T1195
Supply Chain Compromise
TA0002
Execution
3 techniques
T1053
Scheduled Task/Job
T1053.003
Cron
T1059
Command and Scripting Interpreter
T1059.004×2
Unix Shell
T1574
Hijack Execution Flow
T1574.006
Dynamic Linker Hijacking
TA0003
Persistence
6 techniques
T1053
Scheduled Task/Job
T1053.003
Cron
T1112
Modify Registry
T1133×3
External Remote Services
T1505
Server Software Component
T1505.003×3
Web Shell
T1505.004
IIS Components
T1543
Create or Modify System Process
T1543.002
Systemd Service
T1547
Boot or Logon Autostart Execution
T1547.001×3
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
5 techniques
T1053
Scheduled Task/Job
T1053.003
Cron
T1055
Process Injection
T1055.002
Portable Executable Injection
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1543
Create or Modify System Process
T1543.002
Systemd Service
T1547
Boot or Logon Autostart Execution
T1547.001×3
Registry Run Keys / Startup Folder
TA0005
Stealth
7 techniques
T1027×2
Obfuscated Files or Information
T1027.002×2
Software Packing
T1036
Masquerading
T1036.005
Match Legitimate Resource Name or Location
T1055
Process Injection
T1055.002
Portable Executable Injection
T1070
Indicator Removal
T1070.004×3
File Deletion
T1070.006×3
Timestomp
T1140×3
Deobfuscate/Decode Files or Information
T1564
Hide Artifacts
T1564.001×3
Hidden Files and Directories
T1574
Hijack Execution Flow
T1574.006
Dynamic Linker Hijacking
TA0112
Defense Impairment
2 techniques
T1112
Modify Registry
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
TA0006
Credential Access
2 techniques
T1552
Unsecured Credentials
T1552.004
Private Keys
T1649
Steal or Forge Authentication Certificates
TA0007
Discovery
5 techniques
T1016
System Network Configuration Discovery
T1018×2
Remote System Discovery
T1046×2
Network Service Discovery
T1057
Process Discovery
T1082×2
System Information Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.004
SSH
TA0009
Collection
2 techniques
T1005
Data from Local System
T1560
Archive Collected Data
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001×4
Web Protocols
T1090
Proxy
T1090.003
Multi-hop Proxy
T1102
Web Service
T1105×6
Ingress Tool Transfer
TA0040
Impact
1 technique
T1496
Resource Hijacking
T1496.001
Compute Hijacking
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
NoodleRATDuring our analysis, we discovered that there are different types of Win.NOODLERAT that implement various command IDs... Linux.NOODLERAT is an ELF version of Noodle RAT, but with a different design.1May 26, 2026
TermsHost.exeRocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.1Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

10 CVEs this actor has used in observed campaigns. 10 of them exploited in the wild.

CVE-2017-10271Oracle WebLogic WLS-WSAT XML Deserialization RCEIn the wildEvidence2

Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.

CVE-2017-3066Adobe ColdFusion Apache BlazeDS Java Deserialization RCEIn the wildEvidence2

Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.

CVE-2021-31207Post-auth Arbitrary File Write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell Autodiscover SSRF in Microsoft Exchange ServerIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

5 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

5 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

5 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Jun 14, 2026
Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

Read more
splunk researchNews
Apr 15, 2026
Detection: MacOS Hidden Files and Directories | Splunk Security Content

Referenced as a threat actor associated with the Hidden Files and Directories defense evasion technique (T1564.001).

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Metasploit Confluence Plugin Execution | Splunk Security Content

Listed as a threat actor associated with the detection for Metasploit-based Atlassian Confluence exploitation activity.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Netspy Network Scanner Execution | Splunk Security Content

Referenced in the detection annotations as a threat actor associated with reconnaissance/exploitation behavior relevant to Netspy-style network scanning.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping47

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs10

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables5

Domains, IPs, and hashes tied to this actor, refreshed continuously.