Between November 2023 and April 2024, researchers observed RedJuliett, a likely Chinese state-sponsored cyber-espionage group, targeting organizations primarily in Taiwan but also across Asia, Africa, and the US, with a focus on the government, education, technology, and diplomatic sectors. RedJuliett gained access by exploiting internet-facing devices and web application vulnerabilities, then used that access to collect intelligence from the compromised organizations.
RedJuliett carried out extensive reconnaissance and exploitation, concentrated on Taiwan but also reaching Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the US. The group exploited vulnerabilities in internet-facing devices such as firewalls, load balancers, and VPN appliances, and ran SQL injection and directory traversal attacks against web applications and the databases behind them. After gaining access it used SoftEther VPN for post-exploitation activity, deployed open-source web shells, and exploited known vulnerabilities such as Dirty COW (CVE-2016-5195) in the Linux kernel for privilege escalation. Persistence on compromised web servers relied on the China Chopper, devilzShell, AntSword, and Godzilla web shells. The operations were traced to IP addresses in Fuzhou, Fujian province, China, across the strait from Taiwan, consistent with the group's strategic emphasis on the island. Active since mid-2021, RedJuliett also relies on living-off-the-land (LotL) techniques, using tools already present on the victim system, to evade detection.
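As an added example (not part of the original reporting, and not RedJuliett indicators), the following Python scanner applies the generic checks a defender would run over web server access logs for the three initial-access and persistence behaviours named above: directory traversal, SQL injection, and POST traffic to a freshly planted web shell. The log lines are constructed for the example; the upload-directory list and the tool user-agent string are assumptions to be tuned for the application being protected.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/NGINX "combined" format. These are
# illustrative only and are not indicators from the RedJuliett reporting.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:05 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:02:40 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 87 "-" "antSword/v2.1"
192.0.2.22 - - [12/Mar/2024:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.(/|\\)')
SQLI_RE = re.compile(
    r"\bunion\b\s+(all\s+)?select\b"            # UNION-based extraction
    r"|'\s*(or|and)\s+[\w']+\s*="               # tautologies such as ' or '1'='1
    r"|--\s|/\*|#$"                             # comment terminators that cut off the query
    r"|\b(sleep|benchmark|pg_sleep|waitfor)\b"  # time-based blind probes
)
SCRIPT_EXT_RE = re.compile(r'\.(php[0-9]?|phtml|aspx?|ashx|jspx?)(\?|$)')
# Assumption: directories that normally hold user uploads, where a web shell
# would be planted. Tune to the application being protected.
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/", "/images/", "/tmp/")
# Assumption: default user agents of web-shell clients worth alerting on.
# Operators change these trivially, so treat a hit as corroboration, not proof.
TOOL_USER_AGENTS = ("antsword",)


def normalize(path: str) -> str:
    """Percent-decode until stable (max 3 rounds) so double-encoded payloads
    such as %252e%252e%252f are seen as ../ and compared case-insensitively."""
    cur, prev = path, None
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def classify(method: str, path: str, ua: str) -> list:
    """Return the list of suspicious behaviours a single request exhibits."""
    reasons = []
    norm = normalize(path)
    if TRAVERSAL_RE.search(norm):
        reasons.append("directory_traversal")
    if SQLI_RE.search(norm):
        reasons.append("sql_injection")
    if method == "POST" and SCRIPT_EXT_RE.search(norm):
        # A POST to a server-side script sitting in an upload directory, or one
        # sent by a known shell client, is how a freshly dropped web shell is driven.
        in_upload_dir = any(d in norm for d in UPLOAD_DIRS)
        tool_ua = any(t in ua.lower() for t in TOOL_USER_AGENTS)
        if in_upload_dir or tool_ua:
            reasons.append("web_shell_post")
    return reasons


def scan_log(text: str) -> list:
    """Parse combined-format access log text and return one finding per
    suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not guessed at
        reasons = classify(m["method"], m["path"], m["ua"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "request": f'{m["method"]} {m["path"]}',
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["request"], ",".join(f["reasons"]))
```

Decoding is done repeatedly before matching because attackers routinely double-encode traversal sequences to get past single-pass filters; the web shell heuristic deliberately combines a location signal (script in an upload path) with a client signal (tool user agent) so that either alone can still raise a finding when the other has been changed.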