It would stand to reason. China has the largest number of endpoints, and thus is most likely to have the largest number of compromised hosts. I take it you've ruled out the possibility this is a geographically diverse spread of actors taking advantage of poor security practices on the large swaths of Chinese infrastructure in your logs?