Handle: 25.0.0.0 - 25.255.255.255
Lol, must be nice owning an ipv4 /8 block.
(I know, it’s RIPE, totally explainable. My whois query lists RegDate: 1985-01-28 btw. Fun.)
Anyhoo, ideas that come to mind: cold be the result some round-robin DNS, maybe DNS-Over-HTTPS? NTP (though that would probably use UDP)?
If you catch the event while it is happening, try (on the phone):
devel-su netstat -anp | grep [source port]
Which should gives you the process that owns the connection.
(Or if you want to be fancy about it, use the ss tool instead of netstat.)
devel-su ss -plants dst = 25.0.0.0/8
devel-su ss -plants dport = :47600
devel-su ss -plants dport = :8799
...