25 June 2024

China-linked RedJuliett caught spying on multiple Taiwanese orgs

A suspected Chinese state-sponsored cyber-espionage group, tracked as ‘RedJuliett,’ has been targeting government, academic, technology, and diplomatic entities in Taiwan since at least November 2023, a new report from Recorded Future's Insikt Group revealed.

RedJuliett has exploited known vulnerabilities in network edge devices, such as firewalls, virtual private networks (VPNs), and load balancers, to gain initial access to its targets. The researchers believe RedJuliett operates from Fuzhou, China.

In addition to Taiwan, RedJuliett has expanded its operations to compromise organizations in Hong Kong, Malaysia, Laos, South Korea, the United States, Djibouti, Kenya, and Rwanda. The group’s cyber-espionage tactics have affected a broad spectrum of sectors in these regions, with 24 organizations confirmed to be compromised, including government bodies in Taiwan, Laos, Kenya, and Rwanda.

Furthermore, RedJuliett has conducted network reconnaissance and attempted exploitation against over 70 academic, government, think tank, and technology organizations in Taiwan, including several embassies.

RedJuliett’s attack tactics involve exploiting vulnerabilities in internet-facing devices and employing techniques such as Structured Query Language (SQL) injection and directory traversal against web and SQL applications. Once inside, the group deploys the China Chopper web shell to maintain persistence, along with other open-source web shells such as devilzShell, AntSword, and Godzilla. RedJuliett has also been observed exploiting the Linux privilege escalation vulnerability known as Dirty Cow (CVE-2016-5195).

The group uses commercial tooling, including the Acunetix web application security scanner, for reconnaissance and attempted exploitation. After gaining initial access, RedJuliett often creates a SoftEther VPN bridge or client inside the victim network, allowing it to maintain a foothold and manage its operational infrastructure through a mix of leased servers and compromised systems, notably at Taiwanese universities.
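The tactics above (directory traversal and SQL injection against web applications, followed by web shells dropped on the compromised server) leave traces in ordinary web server access logs. The following is an added example, not code from the Recorded Future report or this article: a small log-triage script that parses combined-format access log lines and flags the three patterns. The log lines are constructed for the example, and the web shell heuristic (repeated referer-less POSTs to a single script file) is an assumption about typical shell traffic, not a signature published for any of the named tools.

```python
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2024:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Jun/2024:10:01:05 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.12 - - [25/Jun/2024:10:01:09 +0000] "GET /login.php?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.13 - - [25/Jun/2024:10:01:12 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.13 - - [25/Jun/2024:10:01:13 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 91 "-" "Mozilla/5.0"
203.0.113.13 - - [25/Jun/2024:10:01:14 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD url PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
# Quote followed by a boolean operator, UNION SELECT, a trailing comment, or '=' between quotes.
SQLI_RE = re.compile(r"('\s*(or|and)\s+|union\s+select|--\s*$|'\s*=\s*')", re.I)
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp")


@dataclass
class Finding:
    ip: str
    url: str
    reason: str


def decode(s: str) -> str:
    """URL-decode up to twice so double-encoded payloads (%252e%252e%252f) are caught."""
    for _ in range(2):
        new = urllib.parse.unquote(s)
        if new == s:
            break
        s = new
    return s


def classify_request(url: str) -> list[str]:
    """Return the attack patterns present in a single request URL (path + query)."""
    decoded = decode(url)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("directory traversal")
    if SQLI_RE.search(decoded):
        reasons.append("sql injection")
    return reasons


def triage(log_text: str, post_threshold: int = 3) -> list[Finding]:
    """Scan access log text and return findings for traversal, SQLi and web shell-like POSTs."""
    findings: list[Finding] = []
    post_counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, url, referer = m["ip"], m["method"], m["url"], m["referer"]
        for reason in classify_request(url):
            findings.append(Finding(ip, url, reason))
        path = url.split("?", 1)[0]
        # Heuristic (assumption): a web shell is driven by repeated POSTs to one script
        # file with no referer, unlike a browser that posts from a rendered page.
        if method == "POST" and path.lower().endswith(SCRIPT_EXT) and referer == "-":
            post_counts[(ip, path)] += 1
    for (ip, path), n in post_counts.items():
        if n >= post_threshold:
            findings.append(Finding(ip, path, f"{n} referer-less POSTs to script file (possible web shell)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip:15} {f.reason:45} {f.url}")
```

Run against real logs, the POST threshold and the script-extension list should be tuned to the application; the point of the heuristic is that web shell traffic tends to look like a single client hammering one script that no page links to, which is cheap to surface and then confirm by inspecting the file on disk.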
