223.123.38.37 has a threat confidence score of 100%. This IP address from Pakistan (AS138423, CMPak Limited) has been observed in 2,263 honeypot sessions and reported 1 time, targeting the TELNET, SMB and HTTP protocols. Detected attack patterns include a telnet BusyBox hex stager with unknown applet execution, svcctl remote service execution, interactive system takeover preparation and 4 more. First observed on January 21, 2026, most recently active May 2, 2026.
Automated Telnet-based compromise sequence involving CLI escalation, transition into shell access, multi-directory writable path probing (/var, /tmp, /dev, /mnt, /dev/shm, /usr), reconstruction of a binary payload using BusyBox hex-encoded echo commands (with and without newline suppression), retrieval of remote content via wget, execution attempt through a randomly named BusyBox applet, and forced recursive cleanup (rm -rf). The inclusion of an unknown BusyBox applet invocation strongly indicates execution of a staged or randomly named payload rather than standard utility usage. The overall sequence is characteristic of scripted IoT/Linux bot propagation frameworks performing automated deployment.
SMB session creating and binding to the svcctl pipe, opening the Service Control Manager via OpenSCManagerW, creating a service with an mshta.exe VBScript payload, starting it via StartServiceW, then deleting it via DeleteService.
Multi-step post_auth behavior that incrementally establishes execution capability, probes shell and toolchain availability, tests privilege boundaries, enumerates writable filesystem locations, stages remote payloads, and prepares the environment for follow-on execution or takeover. This behavior reflects deliberate operator-driven or advanced automated workflows focused on assessing control depth and preparing a reliable execution path rather than immediate exploitation.
Structured BusyBox-driven payload deployment over Telnet. The operator reconstructs a binary or script via hex-encoded echo writes (including no-newline variants), stores it in hidden paths across common writable directories (/tmp, /dev/shm, /var, /mnt, etc.), optionally retrieves additional components via wget, executes the payload through shell/system/start invocation, and performs cleanup via recursive deletion. Includes device shell escape attempts and potential privilege escalation via su. This represents automated botnet loader activity rather than interactive administration.
Composite behavior indicating remote lateral movement over SMB followed by service-based execution of a staged payload delivered through mshta invoking msiexec from remote infrastructure. The sequence combines IPC$ share access, SAMR and SVCCTL RPC binding, service control pipe interaction, and remote command execution consistent with administrative service creation or modification to execute a downloaded installer. This pattern is strongly associated with hands-on-keyboard intrusion activity and automated lateral propagation frameworks leveraging Windows service execution for payload deployment.
Observed exploitation chain targeting the /GponForm/diag_Form diagnostic endpoint, abusing diag_action=ping for command injection to download Mozi.m malware via wget, accompanied by an images/ query artifact. Indicative of automated GPON router exploitation for Mozi botnet deployment.
HTTP GET request to /boaform/admin/formLogin with username and psd parameters, indicating an authentication attempt against a Boa-based router or embedded device administrative login endpoint.
| Reporter | Date | Category | Protocol | Comment |
|---|---|---|---|---|
| User | Mar 2, 2026, 19:10 | Brute Force | TELNET | SikkerGuard: 2 blocked packets |