# Threat Intelligence Briefing: 221.207.54.125
Classification: Moderate Risk | Severity: Medium | Status: Active Monitoring
## Executive Summary
IP address 221.207.54.125 is a mobile carrier endpoint associated with China Unicom (ASN 4837, network UNICOM-QH) within the 221.207.0.0/18 block registered in P.R. China. The address carries a risk score of 65 and is currently listed on 3 out of 8 DNSBLs. While the address itself shows no open services or active campaigns, neighborhood analysis indicates one threat sibling within the /24 subnet. The IP exhibits firewalled behavior with no services exposed, suggesting it is either used only for outbound connections or is a dormant endpoint.
## Technical Profile
| Attribute | Value |
|---|---|
| **Risk Score** | 65 (Moderate Risk) |
| **ASN** | 4837 (ChinaUnicom Hostmaster) |
| **Network** | UNICOM-QH |
| **Geolocation** | P.R.China (CN) |
| **Connection Type** | Mobile (LTE/5G) |
| **Provider** | China Unicom (China United Network Communications) |
| **Mobile MCC/MNC** | 460/01 |
| **DNSBL Listings** | 3/8 (Operator score: 0.1304) |
## Threat Indicators
- Known Attacker: No | Spam Source: No | Tor Exit Node: No
- Campaign Affiliation: None identified
- Historical Listings: Multiple blacklist listings observed with maximum severity rating "high"
- Recent Activity: Blacklist activity recorded on 2026-06-18 (8 total listings)
## Network Context
Subnet Analysis (221.207.54.0/24):
- Abuse Density: Low-to-moderate
- Threat Siblings: 1 identified
- Classification: Mostly clean
- Active Siblings: 0
Relationship Mapping:
- 12 relationships identified, all referencing the same network (UNICOM-QH)
- No associations with known malicious organizations, certificates, or external domains
## Observed Behavior
Service Status: No open ports detected. Address classified as "Firewalled / No Services."
Historical Timeline:
- 15 total observations recorded
- Most recent signal: 2026-06-18 (blacklist listings, geolocation inference)
- Connection type classification has remained consistent (mobile carrier endpoint)
## Recommended Actions
1. Block at Network Perimeter: Implement DROP policy for inbound connections from this IP
2. Monitor for Outbound Activity: If this IP appears in logs as a destination, investigate for data exfiltration patterns
3. Correlate with Threat Siblings: Investigate the one threat sibling within the /24 subnet for additional context
4. DNSBL Whitelist Review: Address may have been falsely listed; verify reputation with additional sources if traffic is legitimate
## Risk Assessment
This IP represents a moderate risk endpoint. The combination of mobile carrier attribution, blacklist listings, and neighborhood threat presence warrants defensive blocking. However, the lack of open services and campaigns suggests limited active threat potential. Continuous monitoring is recommended to detect any behavioral changes or new threat associations.
---
*Intelligence generated from IPDebrief analysis. Data accuracy based on available signals and historical observations.*
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Attribute | Value |
|---|---|
| Organization | ChinaUnicom Hostmaster |
| ASN | AS4837 |
| Network Name | UNICOM-QH |
| CIDR Block | 221.207.0.0/18 |
| RIR | APNIC |
| Country | CN |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Attribute | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
## DNS Hygiene
| Attribute | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Attribute | Value |
|---|---|
| Infrastructure | Mobile |
| Service Purpose | Firewalled / No Services |
| Network Tier | Unknown (insufficient routing data to classify) |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Server | n/a |
| HTTP Title | n/a |
## TLS Certificate
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | n/a |
| Valid Until | n/a |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 30% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 8% | 1 | 1 |
| ownership | 27% | 2 | 3 |
| reputation | 24% | 1 | 3 |
| geolocation | 21% | 2 | 2 |
| Overall | 20% | 9 | 13 |

| Attribute | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Attribution Signals | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-07 23:04:13 UTC |
| Last Seen | 2026-06-23 08:48:14 UTC |
| Profile Built | 2026-06-23 08:53:36 UTC |
| Data Freshness | Live |
| Signal Types | 16 |
| Total Observations | 17 |