159.195.70.194 — netcup GmbH, DE — High (73%)

Check an IP Address, Domain Name, Subnet, or ASN

159.195.70.194 was found in our database!

Confidence Level

73%

High?

Geolocation

🇩🇪

GermanyNuremberg

ISPnetcup GmbH

ASNAS197540

Activity Timeline

First seenFeb 14, 2026, 06:10 AM

Last seen16d ago

7Sessions

15Events

Protocol Breakdown

TELNET

7 / 15

159.195.70.194 has a high threat confidence level of 73%, originating from Nuremberg, Germany, on the netcup GmbH network (197540). It has been observed across 7 sessions targeting TELNET, with detected attack patterns including telnet shell escalation with busybox execution attempt, First observed on February 14, 2026, most recently active February 14, 2026.

Behaviors

Classified behavioral patterns observed

Telnet Shell Escalation With Busybox Execution Attempt

high1x

Telnet session exhibiting privilege escalation and shell breakout commands (enable, system, shell, sh) followed by execution of /bin/busybox with a non-standard or arbitrary applet name. The sequence indicates an attempt to escape restricted CLI environments and execute a staged or randomly named payload via BusyBox. The presence of an unknown BusyBox applet strongly suggests automated bot deployment logic rather than legitimate administrative activity.

Primitives

Individual actions observed

Telnet Command Sh1 Telnet Command Shell1 Telnet Command Enable1 Telnet Command System1 Telnet System Command Invocation1 Telnet Busybox Unknown Applet Invocation1

Related Threats

Explore related threat intelligence

🇩🇪More threats fromGermany ASMore threats fromnetcup GmbH TELNETMore threats targetingTELNET { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
152.53.22.30	82%	17,291
152.53.191.128	84%	43,157
37.120.161.127	40%	3
159.195.51.59	23%	1
152.53.184.147	100%	156,833

IP Address	Confidence	Events
45.84.196.162	100%	2,465
85.215.109.54	97%	46
87.106.147.36	100%	29,289
104.248.242.243	99%	245
146.0.42.48	88%	55,943