Loading threats
Sets a Redis-backed cron entry named backup3 with a 4-minute execution interval that fetches a remote payload from http://*.*.*.*/plugins-dist/safehtml/lang/font/kworker using curl -fsSL and immediately pipes it to sh for execution, indicating automated remote code execution and persistence via cron.
| IP Address | Risk | Events | Sessions | Country | ASN | Last Seen |
|---|---|---|---|---|---|---|
| 74.50.81.220 | 99% | 1,231 | 160 | 🇺🇸 US | AS19318 | 2026-03-05 |
| 97.74.92.144 | 87% | 1,196 | 293 | 🇺🇸 US | AS26496 | 2026-03-05 |
| 157.230.101.158 | 95% | 1,091 | 333 | 🇩🇪 DE | AS14061 | 2026-03-05 |
| 64.20.44.213 | 93% | 1,086 | 74 | 🇺🇸 US | AS19318 | 2026-02-07 |
| 138.68.169.168 | 100% | 1,026 | 193 | 🇬🇧 GB | AS14061 | 2026-03-05 |
| 84.247.137.164 | 100% | 881 | 107 | 🇫🇷 FR | AS51167 | 2026-02-23 |
| 143.198.113.180 | 83% | 879 | 79 | 🇺🇸 US | AS14061 | 2026-02-21 |
| 155.212.222.212 | 90% | 824 | 61 | 🇷🇺 RU | AS198610 | 2026-02-04 |
| 20.197.32.228 | 99% | 713 | 171 | 🇮🇳 IN | AS8075 | 2026-03-04 |
| 31.210.36.192 | 92% | 645 | 53 | 🇹🇷 TR | AS212219 | 2026-02-24 |
| 20.52.250.139 | 98% | 575 | 50 | 🇩🇪 DE | AS8075 | 2026-02-25 |
| 79.72.83.185 | 94% | 564 | 38 | 🇬🇧 GB | AS31898 | 2026-02-09 |
| 4.255.23.245 | 99% | 539 | 58 | 🇺🇸 US | AS8075 | 2026-02-09 |
| 206.189.115.177 | 97% | 384 | 47 | 🇬🇧 GB | AS14061 | 2026-02-16 |
| 130.107.177.232 | 91% | 273 | 20 | 🇨🇦 CA | AS8075 | 2026-02-05 |
| 109.199.108.132 | 95% | 267 | 18 | 🇫🇷 FR | AS51167 | 2026-02-08 |
| 85.239.245.254 | 67% | 241 | 41 | 🇺🇸 US | AS40021 | 2026-03-03 |
| 20.235.199.173 | 90% | 238 | 35 | 🇮🇳 IN | AS8075 | 2026-03-01 |
| 38.47.67.31 | 87% | 238 | 32 | 🇮🇩 ID | AS59134 | 2026-02-08 |
| 85.202.192.89 | 89% | 187 | 25 | 🇰🇿 KZ | AS39318 | 2026-02-10 |