182.127.58.16 — CHINA UNICOM China169 Backbone, CN — Very High (100%)

Check an IP Address, Domain Name, Subnet, or ASN

182.127.58.16 was found in our database!

Confidence Level

100%

Very High?

Geolocation

🇨🇳

China

ISPCHINA UNICOM China169 Backbone

ASNAS4837

Activity Timeline

First seenFeb 28, 2026, 07:38 AM

Last seen2d ago

24Sessions

24Events

Protocol Breakdown

TELNET

23 / 23

HTTP

1 / 1

182.127.58.16 has a very high threat confidence level of 100%, originating from China, on the CHINA UNICOM China169 Backbone network (4837). It has been observed across 24 sessions targeting TELNET, HTTP, with detected attack patterns including telnet busybox hex stager with unknown applet execution, telnet busybox hex payload dropper with execution and cleanup, http gpon mozi botnet rce chain, First observed on February 28, 2026, most recently active February 28, 2026.

Behaviors

Classified behavioral patterns observed

Telnet Busybox Hex Stager With Unknown Applet Execution

very_high23x

Automated Telnet-based compromise sequence involving CLI escalation, transition into shell access, multi-directory writable path probing (/var, /tmp, /dev, /mnt, /dev/shm, /usr), reconstruction of a binary payload using BusyBox hex-encoded echo commands (with and without newline suppression), retrieval of remote content via wget, execution attempt through a randomly named BusyBox applet, and forced recursive cleanup (rm -rf). The inclusion of an unknown BusyBox applet invocation strongly indicates execution of a staged or randomly named payload rather than standard utility usage. The overall sequence is characteristic of scripted IoT/Linux bot propagation frameworks performing automated deployment.

Telnet Busybox Hex Payload Dropper With Execution And Cleanup

high23x

Structured BusyBox-driven payload deployment over Telnet. The operator reconstructs a binary or script via hex-encoded echo writes (including no-newline variants), stores it in hidden paths across common writable directories (/tmp, /dev/shm, /var, /mnt, etc.), optionally retrieves additional components via wget, executes the payload through shell/system/start invocation, and performs cleanup via recursive deletion. Includes device shell escape attempts and potential privilege escalation via su. This represents automated botnet loader activity rather than interactive administration.

Http Gpon Mozi Botnet Rce Chain

high1x

Observed exploitation chain targeting /GponForm/diag_Form diagnostic endpoint, abusing diag_action=ping for command injection to download Mozi.m malware via wget, accompanied by images/ query artifact. Indicative of automated GPON router exploitation for Mozi botnet deployment.

Primitives

Individual actions observed

Telnet Command Cd322 Telnet Shell Output Redirect File Create322 Telnet Command Sh23 Telnet Command Su23 Telnet Command Shell23 Telnet Command Start23 Telnet Command Enable23 Telnet Command System23 Telnet Command Linuxshell23 Telnet Busybox Wget Execution23 Telnet Command Config Terminal23 Telnet Command Rm Recursive Force23 Telnet Command Wget Http Download23 Telnet Busybox Echo Hex No Newline23 Telnet Busybox Echo Hex Payload Write23 Telnet Busybox Unknown Applet Invocation23 Http Query Images Fragment Access1 Http Path Gponform Diag Form Access1 Http Gpon Diag Ping Wget Mozi Dropper Injection1

Related Threats

Explore related threat intelligence

🇨🇳More threats fromChina ASMore threats fromCHINA UNICOM China169 Backbone TELNETMore threats targetingTELNET HTTPMore threats targetingHTTP { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
123.129.245.249	53%	346
123.138.237.99	95%	36
112.246.114.6	100%	47
58.245.210.70	50%	273
116.113.30.114	60%	436

IP Address	Confidence	Events
47.117.173.4	83%	22,138
115.28.130.207	86%	49,022
119.23.210.90	79%	13,122
47.115.223.248	86%	48,804
115.190.22.7	43%	36