More of the same:
43.130.224.0 - 43.130.255.255
43.130.224.0/19

43.133.0.0 - 43.133.31.255
43.133.0.0/19

43.134.64.0 - 43.134.127.255
43.134.64.0/18

43.152.0.0 - 43.159.255.255
43.159.63.0/24

43.156.0.0 - 43.156.255.255
43.156.128.0/18

43.157.192.0 - 43.157.255.255
43.157.250.0/24

43.165.64.0 - 43.165.127.255
43.165.0.0/17

43.160.0.0 - 43.175.255.255
43.166.1.0/24
Complete range: 43.160.0.0/12

43.166.224.0 - 43.166.255.255
43.166.128.0/17

129.226.0.0 - 129.226.255.255
129.226.0.0/16

162.62.208.0 - 162.62.239.255
162.62.0.0/16

Their ASN is AS132203

Oops, I left one out (first seen in April 2025):

43.158.0.0 - 43.158.127.255
43.158.91.0/24

As mentioned here: [webmasterworld.com...]

I've noticed that some of the WHOIS info for a particular Singapore server farm is not completely accurate, sometimes the CIDR doesn't fit the ranges.

Two more in the past few days:

43.157.0.0 - 43.157.127.255
43.157.50.0/24

43.158.0.0 - 43.158.127.255
43.158.91.0/24

Some months ago I began blocking the entire 43.0.0.0/8 range because there were so many scrapers operating from IP addresses scattereed within that range. I doubt that any of my intended audience would visit from addresses there, so there seemed to be nothing to lose.

I'm just about to block all the RIPE ranges as well... so many hack attempts 93.0.0.0/8

Just took a look at the 93.0.0.0/8 range based on the numbers of websites hosted. One Turkish class C (/24) has 118,743 websites. There were 6266 class Cs with websites hosted in the August 2025 survey. It may be that the problem activity is more concentrated in hosting ranges.

Aceville has been a problem for quite some time. There does seem to be a Tencent connection. Most of its IP ranges are designated as SG but there are also US, HK, DE, JP, KR, ID, FR, GB, BR, IN and TH ranges so blocking purely on Singaporean ranges might not be effective. It also has ranges outside of 43.0.0.0/8.

Regards...jmcc

I had a web hit recently that on first glance looked totally legit. It was only my landing page but it requested all the correct files, even favicon. Two odd things about it - user-agent had an older version of chrome (134) and there was no referer. I traced the IP to this: AS139341 ACE

That didn't look familiar, something to do with Singapore. Or Netherlands. Spur said it wasn't a proxy, abused IP DB had nothing on the IP - but it did say the ISP was ACEVILLE PTE. Ah, that's where ACE comes from. And I remember there was a thread here about ACEVILLE.

I was already IP-blocking a good chunk of AS139341, maybe because of overlap with other AS ranges, so now I've closed that door.

Some info about Aceville:

=====================
ICANN sends breach notice to registrar for shirking DNS abuse requirements
September 23, 2024

While Aceville might not be a household name, it’s part of the large Chinese conglomerate Tencent. Aceville does business as DNSPod at DNSPod dot com. Adding to the confusion, Tencent also owns a registrar called DNSPod, Inc., which offers services at DNSPod dot cn. Aceville had about 80,000 .com domains under management as of May, while DNSPod, Inc. had over 500,000. This complaint is specifically for Aceville, or DNSPod dot com.

ICANN said Aceville breached five parts of its accreditation agreement, primarily for shirking its duty to handle DNS abuse complaints. Aceville has also failed to implement Registration Data Access Protocol (RDAP). Aceville has until October 11 to cure the breaches.