Confidence Level

96%

Very High?

Geolocation

🇦🇺

AustraliaCanberra

ISPMicrosoft Corporation

ASNAS8075

Activity Timeline

First seenFeb 20, 2026, 04:52 AM

Last seen1h ago

30Sessions

30Events

Protocol Breakdown

TELNET

30 / 30

20.70.11.78 has a very high threat confidence level of 96%, originating from Canberra, Australia, on the Microsoft Corporation network (8075). It has been observed across 30 sessions targeting TELNET, with detected attack patterns including telnet shell escalation with busybox execution attempt, First observed on February 20, 2026, most recently active March 10, 2026.

Behaviors

Classified behavioral patterns observed

Telnet Shell Escalation With Busybox Execution Attempt

high29x

Telnet session exhibiting privilege escalation and shell breakout commands (enable, system, shell, sh) followed by execution of /bin/busybox with a non-standard or arbitrary applet name. The sequence indicates an attempt to escape restricted CLI environments and execute a staged or randomly named payload via BusyBox. The presence of an unknown BusyBox applet strongly suggests automated bot deployment logic rather than legitimate administrative activity.

Primitives

Individual actions observed

Telnet Command Sh30 Telnet Command Shell30 Telnet Command System30 Telnet Busybox Unknown Applet Invocation30 Telnet Command Enable29

Related Threats

Explore related threat intelligence

🇦🇺More threats fromAustralia ASMore threats fromMicrosoft Corporation TELNETMore threats targetingTELNET { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
52.180.146.167	70%	114
20.55.35.217	70%	161
40.80.203.87	62%	146
20.65.194.6	73%	114
40.124.175.75	88%	177

IP Address	Confidence	Events
170.64.208.133	99%	67
170.64.177.126	88%	138
16.176.125.156	59%	796
170.64.152.122	98%	31
134.199.163.110	97%	26