INFINITERED diagram | Image: Google
At a Glance
- Actor: UNC6508 (suspected PRC-nexus threat actor)
- Activity Type: Cyber espionage, bespoke malware deployment, data exfiltration
- Targets: North American academic, medical, and military research organizations
- Scale: Undetected access for over a year; compromised highly sensitive defense and medical data
- Law Enforcement Status: Infrastructure disrupted by Google Threat Intelligence Group
- Source: Google Threat Intelligence Group (GTIG)
TL;DR
Google Threat Intelligence Group recently identified a massive UNC6508 cyber espionage campaign. The suspected China-nexus threat actor targeted North American institutions. They deployed custom INFINITERED malware to steal sensitive national security and medical research data.
What Happened
The attackers compromised externally facing REDCap web applications. REDCap serves as a common platform for managing medical and scientific research databases. By design, REDCap allows administrators to run legacy software alongside current versions. The attackers probed for these vulnerable legacy versions to gain initial access.
Upon gaining access, the intruders installed custom INFINITERED malware. This tool captured legitimate user login credentials. It intercepted software upgrades to inject malicious code into new REDCap versions. The credential harvester component hid stolen passwords inside a local database table. Meanwhile, the backdoor component established a global hook that ran on every page load.
The malware acts as a beacon when the command payload remains empty. It returns system details such as the operating system and PHP version. It also steals database credentials. When the payload contains data, the malware parses specific command tags. For example, the tag ’00’ executes arbitrary system commands. The tag ’02’ uploads files to the server. The tag ’05’ executes arbitrary SQL queries against the internal database.
The hackers waited undetected for over a year. Then, they used the stolen credentials to enter internal networks. They also abused domain content compliance rules. This novel technique silently forwarded matched emails to a threat actor-controlled Gmail account. GTIG stated, “The use of compliance rules for data exfiltration is a novel technique not previously observed with PRC-nexus threat actors.” Specifically, UNC6508 created a compliance rule named “Patroit”. This rule used regular expressions to match specific text patterns. It targeted professional email addresses and phone numbers. The attackers matched keywords related to defense, foreign policy, and specific pathogens. GTIG quickly disabled the Gmail account to stop the data theft.
Who Is Behind It
GTIG attributes this campaign to UNC6508 with high confidence. Researchers suspect UNC6508 operates as a People’s Republic of China-nexus threat actor. They assess this group represents an espionage-motivated cluster. Their goals match historic Chinese state-sponsored espionage trends.
The hackers used layered operational security (OPSEC) techniques. They routed traffic through hijacked internet-of-things devices and small office routers. This network of devices obscured their true origin. They also used mass-created accounts for their exfiltration operations. By maintaining strict operational security, UNC6508 made tracking very difficult for network defenders.
Impact or Scale
The UNC6508 cyber espionage campaign targeted high-value national, state, and private medical entities. These victims comprise world-renowned clinical providers and premier academic centers. They employ thousands of staff. They manage billions of dollars in research funding.
UNC6508 sought highly sensitive defense intelligence. They collected data on Indo-Pacific command operations, artificial intelligence, and uncrewed vehicle systems. They also targeted offensive cyber research programs. Furthermore, they stole critical medical intelligence. The group specifically targeted information on the Chikungunya virus. This mosquito-borne disease caused a massive outbreak in China’s Guangdong province beginning in July 2025. By exfiltrating this data, the attackers compromised significant North American research efforts.
What Comes Next
Defenders must implement strict security measures across all cloud platforms immediately. Organizations should secure their REDCap servers by applying the latest software patches. Administrators must completely remove older, vulnerable software versions. Obsolete versions pose a severe downgrade risk to network security.
Experts recommend enforcing phishing-resistant two-step verification for all administrator accounts. Highly sensitive accounts should use device-bound session credentials. Security teams should regularly audit content compliance rules for unauthorized changes. You can read the full advisory on how the PRC targets US medical research to understand the complete attack chain.
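The compliance-rule abuse described in What Happened and the audit recommended above can be checked mechanically. The following is an added example, not GTIG's tooling or a real Google Workspace export format: it walks a constructed list of mail content-compliance rules and flags any that deliver matched mail to a recipient outside the organization's domains, were last changed by an account outside the expected admin set, or carry a pattern that does not compile. The "Patroit" rule name comes from the report; the recipient address, domains, and admin list are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a simplified view of mail content-compliance rules.
# Field names are assumptions for this example, not a vendor schema.
SAMPLE_RULES = [
    {"name": "DLP-SSN-Review",
     "patterns": [r"\b\d{3}-\d{2}-\d{4}\b"],
     "also_deliver_to": ["dlp-review@example.edu"],
     "modified_by": "itsec-admin@example.edu"},
    {"name": "Patroit",  # rule name reported by GTIG; contents constructed
     "patterns": [r"(?i)indo-?pacific", r"(?i)chikungunya",
                  r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"],
     "also_deliver_to": ["PLACEHOLDER-collector@gmail.com"],
     "modified_by": "researchuser@example.edu"},
]

INTERNAL_DOMAINS = {"example.edu"}            # assumption: org mail domains
EXPECTED_ADMINS = {"itsec-admin@example.edu"}  # assumption: approved editors

@dataclass
class Finding:
    rule: str
    reasons: list = field(default_factory=list)

def audit_rules(rules, internal_domains=INTERNAL_DOMAINS,
                expected_admins=EXPECTED_ADMINS):
    """Return one Finding per rule that shows a sign of exfiltration abuse."""
    findings = []
    for rule in rules:
        reasons = []
        # External "also deliver to" recipients are the core of the technique.
        for rcpt in rule.get("also_deliver_to", []):
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append(f"delivers matched mail to external {rcpt}")
        # Rules edited by a non-admin suggest a compromised or abused account.
        editor = rule.get("modified_by", "")
        if editor not in expected_admins:
            reasons.append(f"last modified by non-admin {editor}")
        # A pattern that fails to compile hints at tampering or a broken rule.
        for pat in rule.get("patterns", []):
            try:
                re.compile(pat)
            except re.error as exc:
                reasons.append(f"invalid pattern {pat!r}: {exc}")
        if reasons:
            findings.append(Finding(rule["name"], reasons))
    return findings
```

Run against a real export, the external-recipient check alone would have surfaced the "Patroit" rule's Gmail destination.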
Google updated their Security Operations platform with relevant intelligence. This enables defenders to identify indicators of compromise within their networks. Security teams should scan REDCap servers for the presence of INFINITERED malware using YARA rules. Administrators should also use Chrome Enterprise Password Leak Detection. Finally, employing strong passwords and monitoring system logs will help prevent future compromises.