Telnet Busybox Echo Hex Payload Write

Invocation of /bin/busybox echo -e with hexadecimal escape sequences (e.g., \x46\x46\x56...) to reconstruct raw bytes directly in the shell. This pattern is commonly used to rebuild binary payload fragments inline without transferring files in plain form. It differs from base64-encoded blobs and standard BusyBox command usage, indicating deliberate byte-level payload staging.

Observed IPs

6,149

Avg Confidence

94%

Protocol

TELNET

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
103.93.93.211	100%	136,804	5,648	🇮🇩 ID	AS141140	2026-03-02
103.93.93.182	100%	89,410	3,939	🇮🇩 ID	AS141140	2026-03-03
102.212.40.100	100%	57,512	3,458	🇳🇬 NG	AS329244	2026-03-02
103.13.138.22	100%	29,851	1,225	🇮🇩 ID	AS150215	2026-03-03
223.123.38.36	100%	26,234	1,065	🇵🇰 PK	AS138423	2026-03-02
223.123.43.1	100%	23,822	959	🇵🇰 PK	AS138423	2026-03-02
223.123.38.33	100%	23,777	904	🇵🇰 PK	AS138423	2026-03-02
223.123.43.69	100%	23,516	1,011	🇵🇰 PK	AS138423	2026-03-02
223.123.43.7	100%	22,992	895	🇵🇰 PK	AS138423	2026-03-02
223.123.43.5	100%	22,905	1,051	🇵🇰 PK	AS138423	2026-03-02
223.123.38.34	100%	21,856	937	🇵🇰 PK	AS138423	2026-02-28
223.123.38.35	100%	21,545	971	🇵🇰 PK	AS138423	2026-03-02
223.123.38.32	100%	21,111	1,133	🇵🇰 PK	AS138423	2026-03-02
223.123.43.0	100%	21,000	982	🇵🇰 PK	AS138423	2026-03-02
223.123.43.71	100%	19,630	930	🇵🇰 PK	AS138423	2026-03-02
223.123.43.6	100%	18,385	778	🇵🇰 PK	AS138423	2026-03-02
223.123.43.3	100%	17,857	1,003	🇵🇰 PK	AS138423	2026-03-02
223.123.43.70	100%	16,525	804	🇵🇰 PK	AS138423	2026-03-02
223.123.38.37	100%	15,460	1,159	🇵🇰 PK	AS138423	2026-03-03
223.123.43.68	100%	15,202	762	🇵🇰 PK	AS138423	2026-03-02

Loading threats