Telnet Busybox Rm Absolute Path

Matches execution of the BusyBox binary invoking rm against a single absolute filesystem path, such as: /bin/busybox rm /dev/.none This pattern indicates deletion via BusyBox rather than the system’s native rm, which is commonly seen in embedded malware, botnets, IoT campaigns, and minimal shell environments where BusyBox is used as a multi-call binary. It captures cleanup, artifact removal, or staging-file deletion performed explicitly through /bin/busybox.

Observed IPs

659

Avg Confidence

88%

Protocol

TELNET

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
77.45.86.115	96%	37,119	1,445	🇵🇱 PL	AS35191	2026-03-03
212.233.197.195	95%	19,525	477	🇧🇬 BG	AS29582	2026-02-12
123.248.63.133	94%	14,967	629	🇰🇷 KR	AS9845	2026-02-22
123.138.237.68	97%	14,533	241	🇨🇳 CN	AS4837	2026-02-05
123.138.237.75	98%	12,869	214	🇨🇳 CN	AS4837	2026-02-12
112.46.214.107	92%	11,940	372	🇨🇳 CN	AS9808	2026-02-27
1.177.63.13	89%	11,494	192	🇰🇷 KR	AS17577	2026-02-22
112.46.214.80	90%	9,461	227	🇨🇳 CN	AS9808	2026-02-27
112.46.213.137	90%	9,458	224	🇨🇳 CN	AS9808	2026-03-02
121.130.31.124	91%	9,192	157	🇰🇷 KR	AS4766	2026-02-08
112.46.213.166	96%	8,962	150	🇨🇳 CN	AS9808	2026-02-11
112.46.214.117	90%	8,892	200	🇨🇳 CN	AS9808	2026-03-02
112.46.212.137	97%	8,866	200	🇨🇳 CN	AS9808	2026-03-02
112.46.212.193	91%	8,816	295	🇨🇳 CN	AS9808	2026-02-27
112.46.213.193	98%	8,793	284	🇨🇳 CN	AS9808	2026-02-27
112.46.212.166	96%	8,298	139	🇨🇳 CN	AS9808	2026-02-11
112.46.214.16	90%	8,054	183	🇨🇳 CN	AS9808	2026-02-22
112.46.214.20	98%	7,932	235	🇨🇳 CN	AS9808	2026-02-22
112.46.214.77	98%	7,832	218	🇨🇳 CN	AS9808	2026-02-27
1.177.63.24	90%	7,533	333	🇰🇷 KR	AS17577	2026-03-02

Loading threats