Telnet Busybox Hex Payload Dropper With Execution And Cleanup

Structured BusyBox-driven payload deployment over Telnet. The operator reconstructs a binary or script via hex-encoded echo writes (including no-newline variants), stores it in hidden paths across common writable directories (/tmp, /dev/shm, /var, /mnt, etc.), optionally retrieves additional components via wget, executes the payload through shell/system/start invocation, and performs cleanup via recursive deletion. Includes device shell escape attempts and potential privilege escalation via su. This represents automated botnet loader activity rather than interactive administration.

Observed IPs

3,823

Avg Confidence

98%

Severity

high

Top IPs by event countTELNET

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
103.93.93.211	100%	136,804	5,648	🇮🇩 ID	AS141140	2026-03-02
103.93.93.182	100%	89,410	3,939	🇮🇩 ID	AS141140	2026-03-03
102.212.40.100	100%	57,512	3,458	🇳🇬 NG	AS329244	2026-03-02
103.13.138.22	100%	29,851	1,225	🇮🇩 ID	AS150215	2026-03-03
223.123.38.36	100%	26,234	1,065	🇵🇰 PK	AS138423	2026-03-02
223.123.43.1	100%	23,822	959	🇵🇰 PK	AS138423	2026-03-02
223.123.38.33	100%	23,777	904	🇵🇰 PK	AS138423	2026-03-02
223.123.43.69	100%	23,516	1,011	🇵🇰 PK	AS138423	2026-03-02
223.123.43.7	100%	22,992	895	🇵🇰 PK	AS138423	2026-03-02
223.123.43.5	100%	22,905	1,051	🇵🇰 PK	AS138423	2026-03-02
223.123.38.34	100%	21,856	937	🇵🇰 PK	AS138423	2026-02-28
223.123.38.35	100%	21,545	971	🇵🇰 PK	AS138423	2026-03-02
223.123.38.32	100%	21,111	1,133	🇵🇰 PK	AS138423	2026-03-02
223.123.43.0	100%	21,000	982	🇵🇰 PK	AS138423	2026-03-02
223.123.43.71	100%	19,630	930	🇵🇰 PK	AS138423	2026-03-02
223.123.43.6	100%	18,385	778	🇵🇰 PK	AS138423	2026-03-02
223.123.43.3	100%	17,857	1,003	🇵🇰 PK	AS138423	2026-03-02
223.123.43.70	100%	16,525	804	🇵🇰 PK	AS138423	2026-03-02
223.123.38.37	100%	15,460	1,159	🇵🇰 PK	AS138423	2026-03-03
223.123.43.68	100%	15,202	762	🇵🇰 PK	AS138423	2026-03-02

Loading threats