RedJuliett
Actor Type | Nation State |
---|---|
Attributed to Nation | China |
Directly Linked Intrusion Sets | Ethereal Panda, Flax Typhoon |
RedJuliett is a likely Chinese state-sponsored cyber threat actor tracked by Recorded Future, primarily engaged in cyber-espionage activities targeting Taiwan. Active since at least mid-2021, the group has focused on government, academic, technology, and diplomatic sectors, with additional targeting observed in Hong Kong, Malaysia, Southeast Asia, the United States, and Africa. RedJuliett's operations align with Beijing's strategic objectives, particularly intelligence collection on Taiwan's economic policies, diplomatic relations, and critical technology sectors. The group is assessed to operate from Fuzhou, Fujian province, China, leveraging its geographical proximity to Taiwan to support its persistent targeting efforts.
RedJuliett employs a range of sophisticated tactics, techniques, and procedures (TTPs) to achieve its objectives. Initial access is often gained by exploiting vulnerabilities in internet-facing devices such as firewalls, VPNs, and load balancers. The group has also used SQL injection and directory traversal exploits against web and SQL applications. Post-exploitation activities include the deployment of open-source web shells and the exploitation of privilege escalation vulnerabilities in Linux systems. RedJuliett's infrastructure includes both leased servers and compromised systems, such as those belonging to Taiwanese universities, and the group uses the open-source VPN software SoftEther to manage its operational infrastructure.
The group's targeting patterns and technical capabilities underscore its focus on intelligence gathering to support China's policy-making on cross-strait relations and broader geopolitical objectives.
RedJuliett is assessed by Recorded Future as overlapping with Flax Typhoon (Microsoft) and Ethereal Panda (CrowdStrike).
RedJuliett Threat Reports
Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation
This report by Recorded Future's Insikt Group details activity by RedJuliett between November 2023 and April 2024. RedJuliett, also known by ...
References
https://malpedia.caad.fkie.fraunhofer.de/actor/redjuliett
https://www.recordedfuture.com/research/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter
https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-0624.pdf
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1505.003 | Web Shell | Persistence |
T1190 | Exploit Public-Facing Application | Initial Access |
T1584 | Compromise Infrastructure | Resource Development |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1583.003 | Virtual Private Server | Resource Development |
T1595.002 | Vulnerability Scanning | Reconnaissance |
T1133 | External Remote Services | Initial Access, Persistence |