Telnet Busybox Hex Stager With Unknown Applet Execution

Automated Telnet-based compromise sequence involving CLI escalation, transition into shell access, multi-directory writable path probing (/var, /tmp, /dev, /mnt, /dev/shm, /usr), reconstruction of a binary payload using BusyBox hex-encoded echo commands (with and without newline suppression), retrieval of remote content via wget, execution attempt through a randomly named BusyBox applet, and forced recursive cleanup (rm -rf). The inclusion of an unknown BusyBox applet invocation strongly indicates execution of a staged or randomly named payload rather than standard utility usage. The overall sequence is characteristic of scripted IoT/Linux bot propagation frameworks performing automated deployment.

Observed IPs

9,751

Avg Confidence

99%

Severity

critical

Top IPs by event countTELNET

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
103.93.93.211	100%	142,130	10,966	🇮🇩 ID	AS141140	2026-04-04
103.93.93.182	100%	92,312	6,841	🇮🇩 ID	AS141140	2026-04-04
102.212.40.100	100%	57,520	3,466	🇳🇬 NG	AS329244	2026-03-18
103.13.138.22	100%	31,589	2,963	🇮🇩 ID	AS150215	2026-04-06
223.123.38.36	100%	27,060	1,891	🇵🇰 PK