The company's Unit 42 security team said the malware did not compromise the security products but rather uninstalled them after first gaining full administrative control over the hosts.
Palo Alto said the malware gained access to the Linux servers through vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion.
Unit 42 researchers Xingyu Jin and Claud Xiao said the cloud security products in question were from Tencent Cloud and Alibaba Cloud. They claimed that this was the first time a malware family had displayed the ability to target and remove cloud security products.
"Public cloud infrastructure is one of the main targets for this cyber crime group," Jin and Xiao said.
"Realising the existing cloud monitor and security products may detect the possible malware intrusion, malware authors continue to create new evasion technologies to avoid being detected by cloud security product.
"The variant of the malware used by the Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure."