IPMediumSignal 100/100
103.213.245.95
Location
Hong KongHong Kong, Kowloon
ASN
AS18254
Klayer LLC
First Seen
Feb 27, 2025
Last Seen
Nov 26, 2025
Found in 9 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
CountryHong Kong
Hong KongRegionHong Kong, Kowloon
ASNAS18254
OrganizationKlayer LLC
Feed Intelligence Summary
9 reports99% confidence
9
Source reports
99%
Confidence score
Category tags
abuseaccount compromiseactive scanningaptapt groupasiaautomotive manufacturingbackdoorbeta versionbig game huntingbig-game huntingbodybotnetbrute forcebrute_forcebuttoncactuscertcisco securecivil servicesclosecloud c2cloud computingcloud migrationcloud securitycloud servicescloud services c2cloud services exploitationcloud storagecobalt strikecobaltstrikecode executioncode injectioncommand and controlcommand executioncommunication technologiescontactcookiecouriercredential accesscredential harvestingcredential stuffingcredential_accessctacyber espionage campaigndata accessdata copyingdata encryptiondata exfiltrationdata extortiondata leakdata leak sitedata theftdata transferdistributed attacksdll sideloadingdouble extortiondropbox c2electronics manufacturingenergyenergy distributioneuropeevoraexfiltrationextortionfileless malwarefindfooterformftpgermanygithubgithub iocsgovernment technologyhasheshkhong konghtranindicatorindustrial automationindustrial iotindustrial productioningress tool transferinitial accessinput validation bypassinterlockiocsjapanlateral movementlinklotus blossomlotus-blossommainmalicious downloadmalicious softwaremalwaremalware analysismalware distributionmanualmanufacturing technologymediametadata analysismetasploitmobile carriersmobile networksmulti-cloud managementmulti-stage attacknetworknetwork iocsnetwork probingnetwork securitynetwork traffic analysisnetwork_reconnaissancenorth americaoil & gasopenpath traversalpersistence mechanismpersistence mechanismsphilippinesphishingphishing attackphp-cgipolandpower generationpower systemsprocess injectionprocess manufacturingprotocol exploitationpublic administrationpublic infrastructurepublic policyquality controlransomwareratreconnaissanceregexpandsz dregulatory agenciesreloadremote accessremote access trojanremote servicesrenewable energyresearchedscriptservicedll tsmallsocial engineeringsocial media securityspanssh attackstarsupply chain managementsystem disruptiont1001t1003t1005t1016t1021t1021.001t1027t1030t1036t1040t1041t1049t1053t1055t1056t1059t1059.001t1059.005t1070t1071t1071.001t1076t1078t1078.001t1082t1083t1087t1090t1102t1105t1110t1110.002t1112t1113t1124t1132t1133t1134t1136t1140t1190t1204t1486t1490t1496t1499.001t1499.002t1499.003t1505t1518t1526t1543t1547t1550t1562t1563t1565t1566t1566.001t1566.002t1566.003t1569t1569.002t1571t1573t1574t1583t1584t1595t1595.001t1595.002t1595.003taiwantaowutargeting:japantelecom servicestelecommunicationstelnet threattetraloaderthreat spotlightthreatstop storytrojan malwarettpsturkeytwittertwitter c2united statesvenom proxyvietnamweb application exploitationworldwide secrets blogwritezimbrazimbra c2
Activity Timeline
Nov 26Nov 26
Threat Activity Heatmap
· Peak: 2025-11-26LessMore
Mon
Wed
Fri
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
0
Dormant
Threat ScoreHigh Risk
100
SIGNAL
Signal Score
99%
Confidence
9
Reports
First seenFeb 27, 2025
Last seenNov 26, 2025
GeolocationHK
CountryHong Kong
LocationHong Kong, Kowloon
ASNAS18254
OrgKlayer LLC
Coords22.3193, 114.1690
VirusTotal
Not checked
WHOIS
- description
- CC=HK ASN=AS18254 klayer llc
- raw
- inetnum: 103.213.245.0 - 103.213.245.255 netname: KLAY-AP descr: HongKong country: HK admin-c: KA228-AP tech-c: KA228-AP abuse-c: AK1102-AP status: ALLOCATED NON-PORTABLE mnt-by: MAINT-KLAY-AP mnt-irt: IRT-KLAY-AP last-modified: 2023-02-26T14:26:17Z source: APNIC irt: IRT-KLAY-AP address: Colocation in Asia e-mail: [email protected] abuse-mailbox: [email protected] admin-c: KA228-AP tech-c: KA228-AP auth: # Filtered remarks: [email protected] was validated on 2025-02-12 mnt-by: MAINT-KLAY-AP last-modified: 2025-02-12T06:01:10Z source: APNIC role: ABUSE KLAYAP country: ZZ address: Colocation in Asia phone: +000000000 e-mail: [email protected] admin-c: KA228-AP tech-c: KA228-AP nic-hdl: AK1102-AP remarks: Generated from irt object IRT-KLAY-AP remarks: [email protected] was validated on 2025-02-12 abuse-mailbox: [email protected] mnt-by: APNIC-ABUSE last-modified: 2025-02-12T06:01:25Z source: APNIC role: KLAYER administrator address: 1603 Capitol Ave Ste 310, Cheyenne WY 82001 country: US phone: +1-307-459-0992 e-mail: [email protected] admin-c: KA228-AP tech-c: KA228-AP nic-hdl: KA228-AP mnt-by: MAINT-KLAY-AP last-modified: 2016-10-20T01:32:54Z source: APNIC route: 103.213.245.0/24 origin: AS18254 descr: KLAYER LLC 1603 Capitol Ave Ste 310 mnt-by: MAINT-KLAY-AP last-modified: 2020-09-08T03:43:44Z source: APNIC route: 103.213.245.0/24 origin: AS55933 descr: KLAYER LLC 1603 Capitol Ave Ste 310 mnt-by: MAINT-KLAY-AP last-modified: 2024-12-30T07:39:02Z source: APNIC route: 103.213.245.0/24 origin: AS61414 descr: KLAYER LLC 1603 Capitol Ave Ste 310 mnt-by: MAINT-KLAY-AP last-modified: 2023-01-16T14:32:53Z source: APNIC route: 103.213.245.0/24 descr: KLAYER LLC descr: 1603 Capitol Ave Ste 310 origin: AS997 mnt-by: MAINT-KLAY-AP last-modified: 2022-08-02T11:07:37Z source: APNIC
- references
- https://blog.talosintelligence.com/lotus-blossom-espionage-group, https://blog.talosintelligence.com/lotus-blossom-espionage-group/, uat-6382.txt, pathwiper.txt, toymaker.txt, uat-5918.txt, iocs_gamaredon_remcos.txt, lotus-blossom-espionage-group.txt, new-persistent-attacks-japan.txt, online-marketplace-scams.txt, new-tornet-backdoor-campaign.txt, pathwiper (1).txt, https://github.com/Cisco-Talos/IOCs/blob/main/2025/02/lotus-blossom-espionage-group.txt
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
mediumFirst detected 1 year ago · Last seen 6 months ago
Appeared in 9 threat reports