Loading threats
Matches execution of the BusyBox binary invoking rm against a single absolute filesystem path, such as: /bin/busybox rm /dev/.none This pattern indicates deletion via BusyBox rather than the system’s native rm, which is commonly seen in embedded malware, botnets, IoT campaigns, and minimal shell environments where BusyBox is used as a multi-call binary. It captures cleanup, artifact removal, or staging-file deletion performed explicitly through /bin/busybox.
| IP Address | Risk | Events | Sessions | Country | ASN | Last Seen |
|---|---|---|---|---|---|---|
| 77.45.86.115 | 96% | 37,226 | 1,552 | 🇵🇱 PL | AS35191 | 2026-03-03 |
| 123.248.63.133 | 94% | 15,159 | 821 | 🇰🇷 KR | AS9845 | 2026-04-14 |
| 112.46.214.107 | 93% | 12,164 | 596 | 🇨🇳 CN | AS9808 | 2026-04-16 |
| 1.177.63.13 | 89% | 11,494 | 192 | 🇰🇷 KR | AS17577 | 2026-02-22 |
| 112.46.214.80 | 90% | 9,618 | 384 | 🇨🇳 CN | AS9808 | 2026-04-16 |
| 112.46.213.137 | 89% | 9,479 | 245 | 🇨🇳 CN | AS9808 |
| 2026-04-10 |
| 112.46.213.166 | 96% | 8,988 | 176 | 🇨🇳 CN | AS9808 | 2026-03-03 |
| 112.46.214.117 | 91% | 8,971 | 279 | 🇨🇳 CN | AS9808 | 2026-04-13 |
| 112.46.212.193 | 91% | 8,924 | 403 | 🇨🇳 CN | AS9808 | 2026-04-16 |
| 112.46.213.193 | 98% | 8,912 | 403 | 🇨🇳 CN | AS9808 | 2026-04-16 |
| 112.46.212.137 | 90% | 8,889 | 223 | 🇨🇳 CN | AS9808 | 2026-04-10 |
| 112.46.212.166 | 96% | 8,325 | 166 | 🇨🇳 CN | AS9808 | 2026-03-03 |
| 112.46.214.16 | 90% | 8,209 | 312 | 🇨🇳 CN | AS9808 | 2026-04-11 |
| 112.46.214.20 | 91% | 8,051 | 354 | 🇨🇳 CN | AS9808 | 2026-04-07 |
| 112.46.214.77 | 88% | 7,838 | 224 | 🇨🇳 CN | AS9808 | 2026-03-31 |
| 176.65.148.193 | 100% | 7,700 | 2,055 | 🇳🇱 NL | AS51396 | 2026-03-26 |
| 1.177.63.24 | 90% | 7,681 | 481 | 🇰🇷 KR | AS17577 | 2026-04-13 |
| 112.46.214.53 | 91% | 7,480 | 382 | 🇨🇳 CN | AS9808 | 2026-04-14 |
| 1.177.63.17 | 90% | 7,413 | 276 | 🇰🇷 KR | AS17577 | 2026-03-13 |
| 112.46.214.74 | 98% | 7,372 | 311 | 🇨🇳 CN | AS9808 | 2026-04-09 |