update: we have captured the key exploit at around 11am 2/21 (GMT+8), it appears that some vendor have weak security implementation of DVRIP protocol, and attacker has spot the weakness and sets up telnet backdoor and inject Fbot botnet on the related victims.

https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/