221.202.157.103 — CHINA UNICOM China169 Backbone, CN — Very High (99%)

Check an IP Address, Domain Name, Subnet, or ASN

221.202.157.103 was found in our database!

Confidence Level

99%

Very High?

Geolocation

🇨🇳

China

ISPCHINA UNICOM China169 Backbone

ASNAS4837

Activity Timeline

First seenFeb 3, 2026, 09:20 PM

Last seen8d ago

117Sessions

5,202Events

Protocol Breakdown

TELNET

117 / 5202

221.202.157.103 has a very high threat confidence level of 99%, originating from China, on the CHINA UNICOM China169 Backbone network (4837). It has been observed across 117 sessions targeting TELNET, with detected attack patterns including telnet busybox hex stager with unknown applet execution, telnet busybox hex payload dropper with execution and cleanup, First observed on February 3, 2026, most recently active February 23, 2026.

Behaviors

Classified behavioral patterns observed

Telnet Busybox Hex Stager With Unknown Applet Execution

very_high4x

Automated Telnet-based compromise sequence involving CLI escalation, transition into shell access, multi-directory writable path probing (/var, /tmp, /dev, /mnt, /dev/shm, /usr), reconstruction of a binary payload using BusyBox hex-encoded echo commands (with and without newline suppression), retrieval of remote content via wget, execution attempt through a randomly named BusyBox applet, and forced recursive cleanup (rm -rf). The inclusion of an unknown BusyBox applet invocation strongly indicates execution of a staged or randomly named payload rather than standard utility usage. The overall sequence is characteristic of scripted IoT/Linux bot propagation frameworks performing automated deployment.

Telnet Busybox Hex Payload Dropper With Execution And Cleanup

high4x

Structured BusyBox-driven payload deployment over Telnet. The operator reconstructs a binary or script via hex-encoded echo writes (including no-newline variants), stores it in hidden paths across common writable directories (/tmp, /dev/shm, /var, /mnt, etc.), optionally retrieves additional components via wget, executes the payload through shell/system/start invocation, and performs cleanup via recursive deletion. Includes device shell escape attempts and potential privilege escalation via su. This represents automated botnet loader activity rather than interactive administration.

Primitives

Individual actions observed

Telnet Command Cd84 Telnet Shell Output Redirect File Create84 Telnet Cd Absolute Path Change28 Telnet Command Sh6 Telnet Command Su6 Telnet Command Shell6 Telnet Command Start6 Telnet Command Enable6 Telnet Command System6 Telnet Command Linuxshell6 Telnet Command Config Terminal6 Telnet Command Rm Recursive Force6 Telnet Command Wget Http Download6 Telnet Busybox Echo Hex No Newline6 Telnet Busybox Echo Hex Payload Write6 Telnet Busybox Unknown Applet Invocation6 Telnet Busybox Wget Execution4 Telnet Hidden Dev File Output Redirection4 Telnet Hidden Mnt File Output Redirection4 Telnet Hidden Tmp File Output Redirection4

Related Threats

Explore related threat intelligence

🇨🇳More threats fromChina ASMore threats fromCHINA UNICOM China169 Backbone TELNETMore threats targetingTELNET { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
113.239.29.118	23%	1
123.138.237.110	70%	41
122.114.12.133	100%	530
113.200.216.246	52%	314
153.101.132.65	100%	447

IP Address	Confidence	Events
14.103.114.227	100%	991
106.12.148.252	65%	629
117.191.83.250	54%	370
14.103.79.220	100%	121
123.138.237.110	70%	43