Telnet Busybox Hex Payload Dropper With Execution And Cleanup

Structured BusyBox-driven payload deployment over Telnet. The operator reconstructs a binary or script via hex-encoded echo writes (including no-newline variants), stores it in hidden paths across common writable directories (/tmp, /dev/shm, /var, /mnt, etc.), optionally retrieves additional components via wget, executes the payload through shell/system/start invocation, and performs cleanup via recursive deletion. Includes device shell escape attempts and potential privilege escalation via su. This represents automated botnet loader activity rather than interactive administration.

Observed IPs

11,510

Avg Confidence

99%

Severity

high

Top IPs by event countTELNET

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
103.93.93.211	100%	142,130	10,966	🇮🇩 ID	AS141140	2026-04-04
103.93.93.182	100%	92,312	6,841	🇮🇩 ID	AS141140	2026-04-04
102.212.40.100	100%	57,520	3,466	🇳🇬 NG	AS329244	2026-03-18
103.13.138.22	100%	31,726	3,100	🇮🇩 ID	AS150215	2026-04-13
223.123.38.36	100%	27,148	1,979	🇵🇰 PK	AS138423	2026-04-20
223.123.38.33	100%	25,362	1,783	🇵🇰 PK	AS138423	2026-04-20
223.123.43.1	100%	24,472	1,609	🇵🇰 PK	AS138423	2026-04-20
223.123.43.69	100%	24,309	1,804	🇵🇰 PK	AS138423	2026-04-21
223.123.43.5	100%	23,915	2,061	🇵🇰 PK	AS138423	2026-04-18
223.123.43.7	100%	23,780	1,683	🇵🇰 PK	AS138423	2026-04-21
223.123.38.34	100%	22,867	1,948	🇵🇰 PK	AS138423	2026-04-20
223.123.38.35	100%	22,352	1,778	🇵🇰 PK	AS138423	2026-04-17
223.123.38.32	100%	22,076	2,054	🇵🇰 PK	AS138423	2026-04-20
223.123.43.0	100%	21,782	1,764	🇵🇰 PK	AS138423	2026-04-21
223.123.43.71	100%	20,271	1,571	🇵🇰 PK	AS138423	2026-04-19
223.123.43.6	100%	19,286	1,673	🇵🇰 PK	AS138423	2026-04-21
223.123.43.3	100%	18,756	1,902	🇵🇰 PK	AS138423	2026-04-20
223.123.43.70	100%	17,306	1,585	🇵🇰 PK	AS138423	2026-04-19
223.123.38.37	100%	16,442	2,141	🇵🇰 PK	AS138423	2026-04-19
223.123.43.68	100%	16,167	1,727	🇵🇰 PK	AS138423	2026-04-20

Loading threats