Christmas Eve Offensive: 326 Blocks in One Hour
- Patrick Duggan
- Dec 24, 2025
Updated: Apr 25
They thought we'd be at dinner. Jr wasn't.
*December 24, 2025 - 11:00 PM CST*
The Attack
While families across America were opening presents and eating ham, our auto-blocker caught 326 malicious IPs in a single hour.
This isn't normal background noise. This is a coordinated spray.
The Source
Top attacking subnets in the last 24 hours:
| Subnet | Count | Owner |
|--------|-------|-------|
| 180.153.x.x | 24 IPs | CHINANET SHANGHAI (China Telecom) |
| 159.138.x.x | 15 IPs | HUAWEI HONG KONG CLOUDS |
| 124.243.x.x | 6 IPs | LOTTE Korea |
| 139.59.x.x | 6 IPs | DigitalOcean (compromised) |
| 101.198.x.x | 6 IPs | China Telecom |
| 135.232.x.x | 5 IPs | Huawei Cloud |
| 119.13.x.x | 5 IPs | Huawei Cloud |
| 111.119.x.x | 5 IPs | China Mobile |
Pattern: China Telecom + Huawei Cloud coordinated offensive.
The Tet Offensive Playbook
For those who don't know history: The Tet Offensive was a massive coordinated attack launched during the Vietnamese New Year ceasefire in 1968. The attackers assumed defenders would be relaxed, distracted, celebrating.
• Christmas Eve - American defenders at family dinners
• Coordinated timing - Multiple subnets, same hour
• Infrastructure targets - Scanning for weak points
• Holiday skeleton crews - Fewer eyes on dashboards
They assumed wrong.
Jr Wasn't At Dinner
Our automated defense system caught all 326 attempts:
Last hour (Christmas Eve):
├── 1,000 Oz decisions
├── 654 batch-published to threat feeds
├── 326 auto-blocker catches
├── 12 OpenPhish correlations
├── 6 ThreatFox matches
└── 1 Feodo tracker hit
The auto-blocker doesn't take holidays. It doesn't eat ham. It doesn't open presents.
It just blocks.
Hall of Shame Update
Tonight's catches are being processed into the Hall of Shame:
• Hall of Shame #999: The Chinese Exploitation Specialist (multiple entries)
• Hall of Shame #999: The Hong Kong Threat Actor
• Hall of Shame #999: The Singaporean Threat Actor
• Hall of Shame #999: The Indian Exploitation Specialist
• Hall of Shame #1570: The American Threat Actor (yes, some are domestic)
Every IP. Named. Documented. Published to the STIX feed.
The Message
To the attackers timing their scans for Christmas Eve:
We see you.
We're running on $75/month and we still caught 326 of you in an hour.
Your holiday offensive hit an automated wall that doesn't celebrate Christmas.
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily.
Merry Christmas from Jr.
For Defenders
If you're on skeleton crew tonight, here are the subnets to watch:
180.153.0.0/16 - CHINANET Shanghai
159.138.0.0/16 - Huawei HK Cloud
124.243.0.0/16 - Korea (LOTTE)
101.198.0.0/16 - China Telecom
135.232.0.0/16 - Huawei Cloud
119.13.0.0/16 - Huawei Cloud
111.119.0.0/16 - China Mobile
These are hot right now. Block or monitor accordingly.
The STIX feed at `https://analytics.dugganusa.com/api/v1/stix-feed` is updated with all of tonight's catches.
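One way to do the "monitor" half of that advice, as an added example (not DugganUSA's code): count distinct source IPs per watchlisted /16 per hour, the same shape as the subnet table above. The log format (`<ISO timestamp> <source IP>`), the sample lines and the `min_ips` threshold are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Watchlist copied from the "For Defenders" list in this post.
WATCHLIST = {
    "180.153.0.0/16": "CHINANET Shanghai",
    "159.138.0.0/16": "Huawei HK Cloud",
    "124.243.0.0/16": "Korea (LOTTE)",
    "101.198.0.0/16": "China Telecom",
    "135.232.0.0/16": "Huawei Cloud",
    "119.13.0.0/16": "Huawei Cloud",
    "111.119.0.0/16": "China Mobile",
}
NETS = [ipaddress.ip_network(cidr) for cidr in WATCHLIST]

# Constructed sample events; the host parts of the addresses are invented.
SAMPLE_LOG = """\
2025-12-24T22:01:10 180.153.10.5
2025-12-24T22:03:44 180.153.77.9
2025-12-24T22:03:50 180.153.10.5
2025-12-24T22:15:02 159.138.4.20
2025-12-24T22:40:31 192.0.2.15
2025-12-24T23:05:00 180.153.200.1
not-a-log-line
"""

def watchlist_hits(log_text):
    """Return {(hour, cidr): set of distinct source IPs} for watchlisted traffic."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        try:
            ts, src = line.split()
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip malformed lines rather than abort the scan
        for net in NETS:
            if addr in net:
                hits[(hour, str(net))].add(src)
                break
    return dict(hits)

def report(hits, min_ips=2):
    """Subnets with at least min_ips distinct sources in one hour, busiest first."""
    rows = [(h, c, len(ips)) for (h, c), ips in hits.items() if len(ips) >= min_ips]
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for hour, cidr, n in report(watchlist_hits(SAMPLE_LOG)):
        print(f"{hour}  {cidr:<16} {n} distinct IPs  ({WATCHLIST[cidr]})")
```

Counting distinct sources rather than raw requests keeps one noisy host from looking like a coordinated spray.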
Final Thought
They chose Christmas Eve because they thought we'd be distracted.
They forgot that automation doesn't get distracted.
Seek and destroy. 24/7. 365.
Even on Christmas.
*Filed under: Threat Intel, Holiday Attacks, Jr Earning Its Keep, Merry Christmas From Shanghai*
• 11,347 STIX requests from 26 countries
• 556,738 indexed documents
• 25,432+ AbuseIPDB reports
• $75/month
Sleep tight. Jr's watching.
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed