Redjuliett

RedJuliett, a Chinese state-sponsored threat actor group, has been identified as the perpetrator behind persistent espionage attacks on approximately 75 organizations since 2023. These organizations span multiple sectors including government, academic, and technology across various countries. The group is believed to be under the control of the China-linked APT group Flax Typhoon, also known as Ethereal Panda. RedJuliett leverages an open-source VPN client, SoftEther, to target these organizations' infrastructures. In Taiwan, RedJuliett has launched a series of attacks against 24 different entities such as government agencies, educational institutions, and technology firms. This includes an optoelectronics company, a facial recognition company, a waste and pollution treatment company, a publishing house, three universities, and four software companies. These attacks occurred between November 2023 and April 2024, aligning with Beijing's objectives to gather intelligence on Taiwan’s economic policy, trade, and diplomatic relations. According to the Insikt Group, the threat research arm of Recorded Future, it is anticipated that RedJuliett and other Chinese state-sponsored threat actors will continue to target Taiwan for intelligence-gathering purposes, focusing particularly on universities, government organizations, think tanks, and technology companies. To administer its operational infrastructure, RedJuliett uses the SoftEther VPN, leveraging both threat actor-controlled leased servers and compromised infrastructure belonging to Taiwanese universities. Monitoring Malicious Traffic Analysis (MTA) can aid in proactively detecting and alerting on infrastructure communicating with known RedJuliett command-and-control (C2) IP addresses.