Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

    Date: 08/28/2025

    Severity: High

    Summary

    Chinese state-sponsored APT (Advanced Persistent Threat) actors are conducting a global cyber espionage campaign against telecommunications, government, transportation, and military networks. They compromise backbone, provider edge (PE), and customer edge (CE) routers, maintain persistent access on those devices, and use the trusted connections the routers carry to pivot into downstream customer and peer networks. The activity overlaps with clusters publicly tracked as Salt Typhoon and GhostEmperor and has been observed against victims in the U.S., U.K., Australia, Canada, New Zealand, and other countries.

    Indicators of Compromise (IOC) List

    IP Address

    1.222.84.29
    103.168.91.231
    103.199.17.238
    103.253.40.199
    103.7.58.162
    104.194.129.137
    104.194.147.15
    104.194.150.26
    104.194.153.181
    104.194.154.150
    104.194.154.222
    107.189.15.206
    14.143.247.202
    142.171.227.16
    144.172.76.213
    144.172.79.4
    146.70.24.144
    146.70.79.68
    146.70.79.81
    164.82.20.53
    167.88.164.166
    167.88.172.70
    167.88.173.158
    167.88.173.252
    167.88.173.58
    167.88.175.175
    167.88.175.231
    172.86.101.123
    172.86.102.83
    172.86.106.15
    172.86.106.234
    172.86.106.39
    172.86.108.11
    172.86.124.235
    172.86.65.145
    172.86.70.73
    172.86.80.15
    190.131.194.90
    193.239.86.132
    193.239.86.146
    193.43.104.185
    193.56.255.210
    212.236.17.237
    23.227.196.22
    23.227.199.77
    23.227.202.253
    37.120.239.52
    38.71.99.145
    43.254.132.118
    45.125.64.195
    45.125.67.144
    45.125.67.226
    45.146.120.210
    45.146.120.213
    45.59.118.136
    45.59.120.171
    45.61.128.29
    45.61.132.125
    45.61.133.157
    45.61.133.31
    45.61.133.61
    45.61.133.77
    45.61.133.79
    45.61.134.134
    45.61.134.223
    45.61.149.200
    45.61.149.62
    45.61.151.12
    45.61.154.130
    45.61.159.25
    45.61.165.157
    5.181.132.95
    59.148.233.250
    61.19.148.66
    63.141.234.109
    63.245.1.13
    63.245.1.34
    74.48.78.66
    74.48.78.116
    74.48.84.119
    85.195.89.94
    89.117.1.147
    89.117.2.39
    89.41.26.142
    91.231.186.227
    91.245.253.99
    2001:41d0:700:65dc::f656:929f
    2a10:1fc0:7::f19c:39b3

    Hash (MD5)

    eba9ae70d1b22de67b0eba160a6762d8
    33e692f435d6cf3c637ba54836c63373

    Hash (SHA-256)

    8b448f47e36909f3a921b4ff803cf3a61985d8a10f0fe594b405b92ed0fc21f1
    f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4
    da692ea0b7f24e31696f8b4fe8a130dbbe3c7c15cea6bde24cccc1fb0a73ae9e
    a1abc3d11c16ae83b9a7cf62ebe6d144dfc5e19b579a99bad062a9d31cf30bfe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("1.222.84.29","103.168.91.231","103.199.17.238","103.253.40.199","103.7.58.162","104.194.129.137","104.194.147.15","104.194.150.26","104.194.153.181","104.194.154.150","104.194.154.222","107.189.15.206","14.143.247.202","142.171.227.16","144.172.76.213","144.172.79.4","146.70.24.144","146.70.79.68","146.70.79.81","164.82.20.53","167.88.164.166","167.88.172.70","167.88.173.158","167.88.173.252","167.88.173.58","167.88.175.175","167.88.175.231","172.86.101.123","172.86.102.83","172.86.106.15","172.86.106.234","172.86.106.39","172.86.108.11","172.86.124.235","172.86.65.145","172.86.70.73","172.86.80.15","190.131.194.90","193.239.86.132","193.239.86.146","193.43.104.185","193.56.255.210","212.236.17.237","23.227.196.22","23.227.199.77","23.227.202.253","37.120.239.52","38.71.99.145","43.254.132.118","45.125.64.195","45.125.67.144","45.125.67.226","45.146.120.210","45.146.120.213","45.59.118.136","45.59.120.171","45.61.128.29","45.61.132.125","45.61.133.157","45.61.133.31","45.61.133.61","45.61.133.77","45.61.133.79","45.61.134.134","45.61.134.223","45.61.149.200","45.61.149.62","45.61.151.12","45.61.154.130","45.61.159.25","45.61.165.157","5.181.132.95","59.148.233.250","61.19.148.66","63.141.234.109","63.245.1.13","63.245.1.34","74.48.78.66","74.48.78.116","74.48.84.119","85.195.89.94","89.117.1.147","89.117.2.39","89.41.26.142","91.231.186.227","91.245.253.99","2001:41d0:700:65dc::f656:929f","2a10:1fc0:7::f19c:39b3") or srcipaddress IN ("1.222.84.29","103.168.91.231","103.199.17.238","103.253.40.199","103.7.58.162","104.194.129.137","104.194.147.15","104.194.150.26","104.194.153.181","104.194.154.150","104.194.154.222","107.189.15.206","14.143.247.202","142.171.227.16","144.172.76.213","144.172.79.4","146.70.24.144","146.70.79.68","146.70.79.81","164.82.20.53","167.88.164.166","167.88.172.70","167.88.173.158","167.88.173.252","167.88.173.58","167.88.175.175","167.88.175.231","172.86.101.123","172.86.102.83","172.86.106.15","172.86.106.234","172.86.106.39","172.86.108.11","172.86.124.235","172.86.65.145","172.86.70.73","172.86.80.15","190.131.194.90","193.239.86.132","193.239.86.146","193.43.104.185","193.56.255.210","212.236.17.237","23.227.196.22","23.227.199.77","23.227.202.253","37.120.239.52","38.71.99.145","43.254.132.118","45.125.64.195","45.125.67.144","45.125.67.226","45.146.120.210","45.146.120.213","45.59.118.136","45.59.120.171","45.61.128.29","45.61.132.125","45.61.133.157","45.61.133.31","45.61.133.61","45.61.133.77","45.61.133.79","45.61.134.134","45.61.134.223","45.61.149.200","45.61.149.62","45.61.151.12","45.61.154.130","45.61.159.25","45.61.165.157","5.181.132.95","59.148.233.250","61.19.148.66","63.141.234.109","63.245.1.13","63.245.1.34","74.48.78.66","74.48.78.116","74.48.84.119","85.195.89.94","89.117.1.147","89.117.2.39","89.41.26.142","91.231.186.227","91.245.253.99","2001:41d0:700:65dc::f656:929f","2a10:1fc0:7::f19c:39b3")

    Detection Query 2:

    md5hash IN ("33e692f435d6cf3c637ba54836c63373","eba9ae70d1b22de67b0eba160a6762d8")

    Detection Query 3:

    sha256hash IN ("f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4","8b448f47e36909f3a921b4ff803cf3a61985d8a10f0fe594b405b92ed0fc21f1","da692ea0b7f24e31696f8b4fe8a130dbbe3c7c15cea6bde24cccc1fb0a73ae9e","a1abc3d11c16ae83b9a7cf62ebe6d144dfc5e19b579a99bad062a9d31cf30bfe")

    All three queries are exact string matches: the IP entries must be free of stray whitespace, IPv6 values must be written in the same textual form the log source records them, and hash values must match the case the source emits. Queries 2 and 3 only fire on sources that record file hashes (EDR, file-integrity or sandbox telemetry). Shared hosting and VPN exit addresses are reassigned over time, so treat an IP hit as a lead for triage against the router and network evidence described in the referenced advisory rather than as confirmation of compromise.
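    As an added example (not Gurucul's or CISA's code), the Python below runs the same IOC matching as Detection Queries 1 to 3 over constructed sample log lines, but with the normalisation a raw IN (...) string match lacks: whitespace is stripped, hashes are compared case-insensitively, host:port fields are split, and IPv6 is canonicalised so an expanded uppercase address from a router log matches the compressed form in the list above. It also regenerates a clean IN (...) clause from the de-duplicated set. The IOC values are copied from the lists on this page; the log lines, hostnames and field names are constructed for the example.

```python
import ipaddress
import re

# IOC values copied from the IP Address and Hash lists on this page. A few
# entries carried trailing whitespace on the page (for example "63.245.1.34 ");
# an exact-string IN (...) match never fires on such a value, so every value
# is stripped and canonicalised on load instead of being trusted as-is.
RAW_IOC_IPS = [
    "1.222.84.29 ", "103.168.91.231", "103.199.17.238", "103.253.40.199", "103.7.58.162", "104.194.129.137",
    "104.194.147.15", "104.194.150.26", "104.194.153.181", "104.194.154.150", "104.194.154.222", "107.189.15.206",
    "14.143.247.202", "142.171.227.16", "144.172.76.213", "144.172.79.4", "146.70.24.144", "146.70.79.68",
    "146.70.79.81", "164.82.20.53", "167.88.164.166", "167.88.172.70", "167.88.173.158", "167.88.173.252",
    "167.88.173.58", "167.88.175.175", "167.88.175.231", "172.86.101.123", "172.86.102.83", "172.86.106.15",
    "172.86.106.234", "172.86.106.39", "172.86.108.11", "172.86.124.235", "172.86.65.145", "172.86.70.73",
    "172.86.80.15", "190.131.194.90", "193.239.86.132", "193.239.86.146", "193.43.104.185", "193.56.255.210",
    "212.236.17.237", "23.227.196.22", "23.227.199.77", "23.227.202.253", "37.120.239.52", "38.71.99.145",
    "43.254.132.118", "45.125.64.195", "45.125.67.144", "45.125.67.226", "45.146.120.210", "45.146.120.213",
    "45.59.118.136", "45.59.120.171", "45.61.128.29", "45.61.132.125", "45.61.133.157", "45.61.133.31",
    "45.61.133.61", "45.61.133.77", "45.61.133.79", "45.61.134.134", "45.61.134.223", "45.61.149.200",
    "45.61.149.62", "45.61.151.12", "45.61.154.130", "45.61.159.25", "45.61.165.157", "5.181.132.95",
    "59.148.233.250", "61.19.148.66", "63.141.234.109", "63.245.1.13", "63.245.1.34 ", "74.48.78.66",
    "74.48.78.116", "74.48.84.119", "85.195.89.94", "89.117.1.147", "89.117.2.39", "89.41.26.142",
    "91.231.186.227", "91.245.253.99", "2001:41d0:700:65dc::f656:929f", "2a10:1fc0:7::f19c:39b3",
]
RAW_IOC_HASHES = [
    "eba9ae70d1b22de67b0eba160a6762d8",                                  # MD5
    "33e692f435d6cf3c637ba54836c63373",                                  # MD5
    "8b448f47e36909f3a921b4ff803cf3a61985d8a10f0fe594b405b92ed0fc21f1",  # SHA-256
    "f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4",
    "da692ea0b7f24e31696f8b4fe8a130dbbe3c7c15cea6bde24cccc1fb0a73ae9e",
    "a1abc3d11c16ae83b9a7cf62ebe6d144dfc5e19b579a99bad062a9d31cf30bfe",
]


def normalize_ip(value):
    """Canonical text form of an IPv4/IPv6 address, or None if value is not an address.

    ipaddress emits IPv6 in compressed lowercase form, so the page's
    "2001:41d0:700:65dc::f656:929f" and a router's zero-padded uppercase
    "2001:41D0:0700:65DC:0000:0000:F656:929F" compare equal after this call.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


IOC_IPS = {ip for ip in (normalize_ip(v) for v in RAW_IOC_IPS) if ip}
IOC_HASHES = {h.strip().lower() for h in RAW_IOC_HASHES}

# Candidate tokens: runs of hex digits, dots and colons (covers IPv4, IPv6 and host:port).
TOKEN_RE = re.compile(r"[0-9A-Fa-f.:]+")
# SHA-256 is tried before MD5 so a 64-hex string is never reported as a 32-hex prefix.
HASH_RE = re.compile(r"\b(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{32})\b")


def candidate_ips(text):
    """Yield every canonical IP found in a log line, tolerating 'ipv4:port' and trailing dots."""
    for tok in TOKEN_RE.findall(text):
        tok = tok.strip(".")
        ip = normalize_ip(tok)
        if ip is None and "." in tok and tok.count(":") == 1:  # IPv4 with a :port suffix
            ip = normalize_ip(tok.rsplit(":", 1)[0])
        if ip is not None:
            yield ip


def scan_lines(lines):
    """Return [(line_no, kind, value)] for each IOC seen; kind is 'ip' or 'hash'."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()  # report each IOC once per line even if it appears as both src and dst
        for ip in candidate_ips(line):
            if ip in IOC_IPS and ("ip", ip) not in seen:
                seen.add(("ip", ip))
                hits.append((n, "ip", ip))
        for h in (m.lower() for m in HASH_RE.findall(line)):
            if h in IOC_HASHES and ("hash", h) not in seen:
                seen.add(("hash", h))
                hits.append((n, "hash", h))
    return hits


def ioc_in_clause(field, values):
    """Regenerate a  field IN ("a","b",...)  clause from a cleaned set, so no stray whitespace can sneak in."""
    return field + " IN (" + ",".join(f'"{v}"' for v in sorted(values)) + ")"


# Constructed sample events (not real logs): a firewall flow to an IOC, a benign flow, a router
# ACL log carrying an expanded uppercase IPv6 address, and two EDR file events with IOC hashes.
SAMPLE_LOGS = [
    "2025-08-28T10:22:33Z fw01 action=allow proto=tcp src=10.0.5.17:51234 dst=45.61.133.31:443",
    "2025-08-28T10:22:35Z fw01 action=allow proto=tcp src=10.0.5.17:51240 dst=93.184.216.34:443",
    "2025-08-28T10:23:01Z edge-rtr01 %SEC-6-IPACCESSLOGP: list 10 permitted tcp 2001:41D0:0700:65DC:0000:0000:F656:929F(22) -> 10.1.1.1(22)",
    "2025-08-28T10:24:10Z edr01 event=file_create path=/tmp/.x md5=EBA9AE70D1B22DE67B0EBA160A6762D8",
    "2025-08-28T10:24:12Z edr01 event=file_create path=/tmp/y sha256=8b448f47e36909f3a921b4ff803cf3a61985d8a10f0fe594b405b92ed0fc21f1",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} IOC {value}")
    print(ioc_in_clause("dstipaddress", IOC_IPS)[:120] + "...")
```

    Lines 1, 3, 4 and 5 of the sample produce hits; line 2 does not. The raw Query 1 list would have missed line 3, because the router writes the IPv6 address zero-padded and in uppercase, and would have missed any flow to 63.245.1.34 because of the trailing space in that entry.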

    Reference:    

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a


    Tags

    Threat Actor, APT, Cyber Espionage, China, Communications, Government Services and Facilities, Transportation Systems, Defense Industrial Base, Salt Typhoon, GhostEmperor, United States, United Kingdom, Australia, Canada
