Rocke is an alleged Chinese-speaking threat group who has primarily used cryptojacking to steal victim system resources to mine cryptocurrency. The group’s name comes from the email address ‘’, which Rocke used to create the wallet that held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.