Telnet Busybox Ftpget Remote File Download

Identifies Telnet session activity where the attacker uses BusyBox ftpget to download a remote file from an external FTP server to the local filesystem. This pattern is commonly observed in IoT botnet propagation chains where BusyBox is leveraged to retrieve staged payloads (e.g., shell scripts or binary droppers) from attacker-controlled infrastructure.

Observed IPs

7,344

Avg Confidence

67%

Protocol

TELNET

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
223.123.38.36	100%	27,132	1,963	🇵🇰 PK	AS138423	2026-04-15
103.184.56.249	97%	25,666	196	🇮🇩 ID	AS149667	2026-02-25
103.156.221.253	97%	25,219	195	🇮🇩 ID	AS149667	2026-02-26
223.123.43.5	100%	23,886	2,032	🇵🇰 PK	AS138423	2026-04-15
103.184.56.241	92%	22,538	178	🇮🇩 ID	AS149667	2026-04-02
223.123.43.0	100%	21,732	1,714	🇵🇰 PK	AS138423	2026-04-14
158.94.208.69	100%	19,800	19,673	🇩🇪 DE	AS202412	2026-02-22
195.178.110.241	100%	6,183	5,592	🇧🇬 BG	AS48090	2026-02-20
188.126.240.54	74%	4,465	100	🇸🇪 SE	AS3301	2026-03-23
210.222.129.233	100%	4,309	124	🇰🇷 KR	AS4766	2026-03-30
81.183.52.47	100%	2,313	2,282	🇭🇺 HU	AS5483	2026-02-27
103.156.221.242	85%	1,704	39	🇮🇩 ID	AS149667	2026-04-05
89.10.237.211	100%	1,684	151	🇳🇴 NO	AS15659	2026-04-13
103.184.56.220	87%	1,595	45	🇮🇩 ID	AS149667	2026-04-10
27.35.50.9	90%	1,376	29	🇰🇷 KR	AS9762	2026-04-08
121.180.94.240	94%	1,328	27	🇰🇷 KR	AS4766	2026-03-09
14.38.208.166	89%	1,279	34	🇰🇷 KR	AS4766	2026-03-30
59.103.119.99	100%	1,234	109	🇵🇰 PK	AS9541	2026-04-16
182.191.113.152	88%	1,151	26	🇵🇰 PK	AS17557	2026-03-09
121.155.148.205	86%	1,143	21	🇰🇷 KR	AS4766	2026-03-10