A likely China-linked state-sponsored threat actor has been connected to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan from November 2023 to April 2024. Recorded Future's Insikt Group, tracking this activity under the name RedJuliett, describes it as a cluster operating from Fuzhou, China, to support Beijing's intelligence collection goals in East Asia. The same group is also tracked as Flax Typhoon and Ethereal Panda.
The adversarial group has also targeted organizations in Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S. Overall, 24 victim organizations have been observed communicating with the threat actor’s infrastructure, including government agencies in Taiwan, Laos, Kenya, and Rwanda. The group is estimated to have targeted at least 75 Taiwanese entities for broader reconnaissance and follow-on exploitation.
RedJuliett primarily gains initial access by targeting internet-facing appliances such as firewalls, load balancers, and enterprise VPN products, employing SQL injection and directory traversal exploits against web and SQL applications, according to a new report by Recorded Future.
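Because the report says initial access came through directory traversal and SQL injection against internet-facing web applications, the most useful thing a defender can do with that detail is look for those request patterns in the access logs of edge appliances. The following Python script is an added example written for this article, not code from Recorded Future or from the report: it parses a few constructed access log lines (combined log format), URL-decodes each request target repeatedly so that single- and double-encoded traversal sequences are caught, and flags requests matching simple traversal and SQL-injection heuristics. The log lines, IP addresses and paths are all constructed for illustration; the patterns are a starting point, not a complete signature set.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in combined log format (not taken from the report).
# Lines 2, 3 and 6 carry directory traversal attempts at different encoding levels;
# line 4 carries a classic tautology-style SQL injection probe; lines 1 and 5 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2024:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [12/Jan/2024:10:01:05 +0800] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.12 - - [12/Jan/2024:10:01:09 +0800] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
203.0.113.13 - - [12/Jan/2024:10:01:12 +0800] "GET /items?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
203.0.113.14 - - [12/Jan/2024:10:01:15 +0800] "GET /search?q=firewall%20load%20balancer HTTP/1.1" 200 300
203.0.113.15 - - [12/Jan/2024:10:01:20 +0800] "GET /view?path=%252e%252e%252fwin.ini HTTP/1.1" 200 100
"""

# Extracts client IP, method and request target from a combined-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Traversal: "../" or "..\" anywhere in the decoded target.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\)")

# SQL injection heuristics: quote-closing OR/AND tautologies, UNION SELECT,
# SQL comment markers, and stacked statements. Case-insensitive.
SQLI_RE = re.compile(
    r"""(?:'|")\s*(?:or|and)\s+(?:'|")?\w   # 1' OR '1'='1
        |union\s+select                    # UNION SELECT ...
        |--\s|/\*                          # comment-based truncation
        |;\s*(?:drop|delete|insert)\b      # stacked statements
    """,
    re.IGNORECASE | re.VERBOSE,
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so %252e%252e%252f
    is seen as ../ just like %2e%2e%2f is."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list[str]:
    """Return the list of indicator tags that match the decoded request target."""
    decoded = decode_fully(target)
    tags = []
    if TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
    if SQLI_RE.search(decoded):
        tags.append("sqli")
    return tags


def scan_log(text: str) -> list[dict]:
    """Parse each log line and return only the entries that carry an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        tags = classify_request(m.group("target"))
        if tags:
            findings.append(
                {"ip": m.group("ip"), "target": m.group("target"),
                 "status": int(m.group("status")), "tags": tags}
            )
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings per indicator tag, useful for a quick triage view."""
    counts: dict[str, int] = {}
    for f in findings:
        for tag in f["tags"]:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:<15} {h['status']} {','.join(h['tags']):<16} {h['target']}")
    print("summary:", summarize(hits))
```

The status code is kept in each finding on purpose: a traversal request answered with 200 and a non-trivial body size, as in the constructed `/etc/passwd` line, deserves far more attention than one the appliance rejected with 403. Running this over real edge-device logs needs the heuristics tuned to the application in front of them, since legitimate parameters can contain quotes or `..`.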
Previously documented by CrowdStrike and Microsoft, RedJuliett is known to use the open-source software SoftEther to tunnel malicious traffic out of victim networks and leverage living-off-the-land (LotL) techniques to remain undetected. The group has been active since at least mid-2021.
Recorded Future noted that RedJuliett uses SoftEther to manage operational infrastructure, including both threat actor-controlled servers leased from VPS providers and compromised infrastructure from three Taiwanese universities. After initial access, the group deploys the China Chopper web shell to maintain persistence, along with other open-source web shells like devilzShell, AntSword, and Godzilla. Some instances involved exploiting a Linux privilege escalation vulnerability known as Dirty Cow (CVE-2016-5195).
RedJuliett is likely interested in collecting intelligence on Taiwan's economic policy and on its trade and diplomatic relations with other countries. Like many other Chinese threat actors, the group targets vulnerabilities in internet-facing devices because such devices typically offer defenders limited visibility and host few security tools, which has proven to be an effective method for scaling initial access.