A sophisticated cyber-espionage campaign attributed to a Chinese state-sponsored group has been targeting medical, academic, and military research institutions in North America. The campaign, active from September 2023 through November 2025, remained undetected for over a year. Google’s Threat Intelligence Group (GTIG) has identified the threat actor as UNC6508, aligning their activities with the strategic interests of the Chinese government.
Exploitation of REDCap Servers
The attackers initiated their intrusion by exploiting vulnerabilities in externally facing REDCap (Research Electronic Data Capture) servers. REDCap is a widely used web-based platform in the medical and scientific research communities across North America. UNC6508 specifically targeted legacy, unpatched versions of REDCap running alongside current installations, employing a downgrade attack to gain initial access.
Upon breaching the servers, the group deployed a web shell named ‘help.php’ to perform internal reconnaissance and harvest database and service account credentials. Three months after the initial compromise, they introduced INFINITERED, a sophisticated modular malware designed to trojanize legitimate REDCap system files.
INFINITERED Malware Components
INFINITERED comprises three key components:
- Dropper/Upgrade Interceptor: Injects malicious code into new REDCap upgrade packages, ensuring persistence even after software updates.
- Credential Harvester: Captures plaintext usernames and passwords from POST login requests, encrypts them, and covertly stores them in the REDCap sessions database.
- Backdoor with Command and Control (C2): Activates on every REDCap page load, listens for a specific HTTP Cookie parameter, and supports commands including remote shell execution, SQL queries, file upload/download, and system beaconing.
INFINITERED was discovered across multiple organizations in both the US and Canada. After more than a year of undetected access, UNC6508 escalated their operations by using harvested credentials to access domain administrator accounts. They then abused content compliance rules, a legitimate Google Workspace feature, to silently BCC-forward sensitive emails to an attacker-controlled Gmail account. The rule, named ‘Patroit’ (a misspelling of ‘Patriot’), used regular expressions to match nearly 150 keywords spanning military strategy, AI research, cyber programs, and medical topics.
This technique of using domain content compliance rules for data exfiltration had never previously been observed from a PRC-nexus actor. One keyword of note was ‘Chikungunya,’ the mosquito-borne virus responsible for a July 2025 outbreak in China.
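One defensive check the exfiltration technique above suggests, written here as an added example that is not from the article or from GTIG: a script that audits an export of mail content compliance rules and flags any rule that silently BCCs matching mail to an address outside the organisation, raising severity when the matching condition is a broad keyword list. The rule structure, domain names, addresses and keyword subset are constructed placeholders, not the Google Workspace API format.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ComplianceRule:
    """Simplified view of a content compliance rule (constructed; not the Workspace API shape)."""
    name: str
    match_regex: str                              # regex applied to message content
    add_bcc: list = field(default_factory=list)   # recipients the rule silently adds as BCC

def external_recipients(addresses, org_domains):
    """Return the addresses whose domain is not one of the organisation's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in org_domains]

def keyword_count(pattern):
    """Approximate the number of alternatives in a keyword regex such as (a|b|c)."""
    return pattern.count("|") + 1 if pattern else 0

def audit_rules(rules, org_domains, keyword_threshold=10):
    """Flag rules that BCC matching mail off-domain; a broad keyword condition raises severity."""
    findings = []
    for rule in rules:
        ext = external_recipients(rule.add_bcc, org_domains)
        if not ext:
            continue                   # internal archiving or legal-hold rules are expected
        reasons = ["BCC to external address: " + ", ".join(ext)]
        n = keyword_count(rule.match_regex)
        if n >= keyword_threshold:
            reasons.append(f"broad keyword condition ({n} alternatives)")
        severity = "high" if n >= keyword_threshold else "medium"
        findings.append({"rule": rule.name, "severity": severity, "reasons": reasons})
    return findings

# Constructed sample: one legitimate internal archiving rule and one modelled on the
# 'Patroit' rule described above (keyword subset and BCC addresses are placeholders).
ORG_DOMAINS = {"example-research.edu"}
KEYWORDS = ["military strategy", "AI research", "cyber program", "Chikungunya", "vaccine",
            "clinical trial", "drone", "radar", "machine learning", "biodefense", "satellite"]
SAMPLE_RULES = [
    ComplianceRule("Legal hold", r"\b(litigation|subpoena)\b", ["archive@example-research.edu"]),
    ComplianceRule("Patroit", r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b",
                   ["external-placeholder@gmail.com"]),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ORG_DOMAINS):
        print(finding["severity"].upper(), finding["rule"], "; ".join(finding["reasons"]))
```

Run the same audit on a periodic export of the real rule set and alert on any new finding, since a legitimate rule that BCCs outside the organisation should be rare enough to review by hand.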
The exploitation of REDCap servers by UNC6508 underscores the critical need for organizations to maintain up-to-date software and implement robust security measures. The attackers’ ability to remain undetected for over a year highlights the sophistication of their methods and the importance of continuous monitoring and threat intelligence sharing among institutions.