A China-linked cyber espionage group, identified as UNC6508, infiltrated North American medical, academic, and military research networks over a period exceeding a year, exfiltrating sensitive research and defense-related emails. The attackers gained initial access by compromising externally facing REDCap servers—a web platform widely used by hospitals and universities for managing research databases.
Once inside, the group deployed a custom malware named INFINITERED, which trojanized REDCap’s system files. This malware facilitated persistent access by hijacking the platform’s upgrade process, ensuring that each new version reinjected the malicious code. Additionally, INFINITERED harvested login credentials from the REDCap login page and stored them in encrypted local database tables. It also functioned as a backdoor, executing commands through HTTP cookies upon each page load.
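The persistence mechanism described above, where the implant survives because every upgrade reinjects it, means the deployed installation cannot serve as its own integrity baseline. The following script is an added illustration (not code from Google's report, from REDCap, or from the attackers) of the check a defender would run after each upgrade: hash a pristine copy of the vendor release kept apart from the web root, hash the deployed tree, and report modified, added and missing files. The file names in the demo trees and the `edocs/` data-directory prefix are constructed assumptions, not REDCap's actual layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: compare a deployed web application against a trusted copy
# of the vendor release. Assumes the reference tree is stored somewhere the
# web server cannot write to, so an implant in the deployed tree cannot
# "update" the baseline along with itself.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map every relative file path under root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(reference: Path, deployed: Path,
                  ignore_prefixes=("edocs/",)) -> dict[str, list[str]]:
    """Report files that differ between the vendor release and the deployed install.

    ignore_prefixes names directories expected to hold site data rather than
    application code; the 'edocs/' default is an assumed layout for the demo.
    Anything else that exists only in the deployed tree is reported as added,
    which is where a dropped web shell or trojanized helper would show up.
    """
    ref = build_manifest(reference)
    dep = build_manifest(deployed)
    tracked = lambda name: not name.startswith(ignore_prefixes)
    return {
        "modified": sorted(n for n in ref if n in dep and ref[n] != dep[n]),
        "added": sorted(n for n in dep if n not in ref and tracked(n)),
        "missing": sorted(n for n in ref if n not in dep),
    }

def make_demo_trees(base: Path) -> tuple[Path, Path]:
    """Constructed sample: a tiny 'vendor release' and a 'deployed' copy with
    one tampered file, one foreign file and one data file to be ignored."""
    ref, dep = base / "reference", base / "deployed"
    for root in (ref, dep):
        (root / "Classes").mkdir(parents=True)
        (root / "Classes" / "Core.php").write_text("<?php // constructed vendor file\n")
        (root / "index.php").write_text("<?php // constructed entry point\n")
    (dep / "Classes" / "Core.php").write_text(
        "<?php // constructed vendor file\n// constructed injected line\n")
    (dep / "Classes" / "Helper.php").write_text("<?php // constructed foreign file\n")
    (dep / "edocs").mkdir()
    (dep / "edocs" / "upload.bin").write_bytes(b"constructed site data")
    return ref, dep

def demo_diff() -> dict[str, list[str]]:
    """Run the comparison over the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, dep = make_demo_trees(Path(tmp))
        return compare_trees(ref, dep)

if __name__ == "__main__":
    for kind, names in demo_diff().items():
        print(f"{kind}: {names}")
```

Run it once right after an upgrade and keep the output: a clean upgrade should report nothing outside the data directories, and any "modified" or "added" PHP file in the application tree is worth a manual look before the server goes back into service.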
After establishing a foothold, UNC6508 conducted internal reconnaissance and credential harvesting, eventually escalating privileges to obtain domain administrator access. With these elevated rights, the attackers manipulated Google Workspace’s content compliance rules—a legitimate feature designed to scan emails for specific keywords and take predefined actions. They created a rule, notably misspelling “Patriot” as “Patroit,” which monitored nearly 150 keywords and email addresses. When an email matched these criteria, the system automatically BCC’d the message to an attacker-controlled Gmail account, effectively exfiltrating sensitive information without deploying additional malware on the mail server or generating unusual network traffic.
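Because the exfiltration path above is a legitimate mail-routing feature, the signal a defender has is the rule configuration itself: a content compliance rule that delivers matching mail to an address outside the organization, that matches on an unusually large term list, or that singles out specific mailboxes. The script below is an added example (not from Google's report or from Google's admin tooling) of auditing exported rules for those traits. The `Rule` field names and the sample rules, including the external placeholder address, are constructed assumptions, not the Admin console's export format.

```python
from dataclasses import dataclass

# Added example: review content compliance rules for traits that fit the
# exfiltration pattern described in the article. Rules are assumed to have
# been exported into the simple shape below; adapt the loader to your source.

@dataclass
class Rule:
    name: str
    keywords: list[str]          # words, phrases or addresses the rule matches on
    add_recipients: list[str]    # addresses the rule adds (BCC/CC/forward) on a match
    enabled: bool = True

@dataclass
class Finding:
    rule: str
    reason: str

def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rules(rules, org_domains, keyword_threshold=50):
    """Return one Finding per suspicious trait found on an enabled rule."""
    org = {d.lower() for d in org_domains}
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        # Trait 1: any added recipient outside the organization's own domains.
        external = [a for a in r.add_recipients if mail_domain(a) not in org]
        if external:
            findings.append(Finding(r.name, "adds external recipient(s): " + ", ".join(external)))
        # Trait 2: a term list far larger than a typical compliance rule needs.
        if len(r.keywords) >= keyword_threshold:
            findings.append(Finding(r.name, f"matches on {len(r.keywords)} terms (threshold {keyword_threshold})"))
        # Trait 3: terms that are e-mail addresses, i.e. the rule watches particular people.
        addr_terms = [k for k in r.keywords if "@" in k]
        if addr_terms:
            findings.append(Finding(r.name, f"targets {len(addr_terms)} specific mailbox(es)"))
    return findings

def demo_findings():
    """Constructed sample: one ordinary rule and one shaped like the reported abuse."""
    rules = [
        Rule("Legal hold", ["subpoena", "litigation"], ["legal-hold@example.org"]),
        Rule("Patroit",
             [f"term{i}" for i in range(146)] + ["pi-one@example.org", "pi-two@example.org"],
             ["external-mailbox@example.net"]),  # constructed stand-in for an outside account
    ]
    return audit_rules(rules, {"example.org"})

if __name__ == "__main__":
    for f in demo_findings():
        print(f"[{f.rule}] {f.reason}")
```

The external-recipient check is the one that matters most: a compliance rule has no ordinary reason to copy mail to a consumer mailbox, so that finding alone justifies pulling the admin audit trail for who created or last edited the rule and when.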
Google’s Threat Intelligence Group (GTIG) detailed this campaign in a recent report, attributing it with high confidence to UNC6508. The group and its REDCap backdoor were first identified by Google in February, during a broader analysis of state-sponsored attacks targeting the defense sector. The victims, while not named, included multiple organizations across the United States and Canada, encompassing clinical providers, academic centers, military health institutions, advocacy groups, and health regulators. Google has since notified the affected organizations and disrupted the group’s infrastructure.
This incident underscores the evolving tactics of state-sponsored cyber actors, who increasingly exploit legitimate administrative features within cloud services to conduct stealthy and effective data exfiltration. Organizations must remain vigilant, regularly auditing and monitoring the use of such features to detect and prevent unauthorized activities.