Loading threats
Shell invocation (sh) executing a file located in a writable directory (e.g., /tmp, /dev/shm, /var/run, /mnt) that is commonly used for payload staging. The executed filename is typically hidden (dot-prefixed) and previously created within the session. This pattern strongly indicates execution of a staged script or dropper component.
| IP Address | Risk | Events | Sessions | Country | ASN | Last Seen |
|---|---|---|---|---|---|---|
| 223.123.38.36 | 100% | 27,132 | 1,963 | 🇵🇰 PK | AS138423 | 2026-04-15 |
| 103.184.56.249 | 97% | 25,666 | 196 | 🇮🇩 ID | AS149667 | 2026-02-25 |
| 103.156.221.253 | 97% | 25,219 | 195 | 🇮🇩 ID | AS149667 | 2026-02-26 |
| 223.123.43.5 | 100% | 23,886 | 2,032 | 🇵🇰 PK | AS138423 | 2026-04-15 |
| 103.184.56.241 | 92% | 22,538 | 178 | 🇮🇩 ID | AS149667 | 2026-04-02 |
| 223.123.43.0 | 100% | 21,732 | 1,714 | 🇵🇰 PK | AS138423 | 2026-04-14 |
| 188.126.240.54 | 74% | 4,465 | 100 | 🇸🇪 SE | AS3301 | 2026-03-23 |
| 210.222.129.233 | 100% | 4,309 | 124 | 🇰🇷 KR | AS4766 | 2026-03-30 |
| 121.129.112.124 | 88% | 1,837 | 70 | 🇰🇷 KR | AS4766 | 2026-04-13 |
| 103.156.221.242 | 85% | 1,704 | 39 | 🇮🇩 ID | AS149667 | 2026-04-05 |
| 218.154.181.71 | 87% | 1,696 | 63 | 🇰🇷 KR | AS4766 | 2026-04-14 |
| 89.10.237.211 | 100% | 1,684 | 151 | 🇳🇴 NO | AS15659 | 2026-04-13 |
| 103.184.56.220 | 87% | 1,595 | 45 | 🇮🇩 ID | AS149667 | 2026-04-10 |
| 210.104.42.40 | 87% | 1,483 | 65 | 🇰🇷 KR | AS4766 | 2026-04-13 |
| 220.88.178.58 | 97% | 1,483 | 66 | 🇰🇷 KR | AS4766 | 2026-04-14 |
| 183.106.83.148 | 96% | 1,452 | 32 | 🇰🇷 KR | AS4766 | 2026-02-26 |
| 218.146.163.192 | 93% | 1,405 | 68 | 🇰🇷 KR | AS4766 | 2026-04-14 |
| 121.137.131.78 | 92% | 1,391 | 42 | 🇰🇷 KR | AS4766 | 2026-04-12 |
| 180.255.108.230 | 85% | 1,383 | 23 | 🇸🇬 SG | AS9506 | 2026-02-19 |
| 27.35.50.9 | 90% | 1,376 | 29 | 🇰🇷 KR | AS9762 | 2026-04-08 |