Google Threat Intelligence Group (GTIG) and Mandiant Consulting have jointly disrupted an espionage operation tied to UNC6508, a threat cluster assessed with high confidence to be aligned with People's Republic of China intelligence priorities. The campaign ran from at least September 2023 through November 2025, targeting organizations across the US and Canada whose combined research budgets run into the billions of dollars.
What happened
Attackers initially gained access by exploiting externally accessible REDCap servers — a web-based platform widely used in academic and clinical research for managing surveys and databases. GTIG was unable to confirm the precise exploitation method, but observed the group probing for legacy software versions left running alongside current installations, a permitted REDCap configuration that creates a downgrade-attack surface.
Three months after establishing a foothold, UNC6508 deployed a custom malware family called INFINITERED by trojanizing legitimate REDCap system files. The malware operates across three components: a dropper that intercepts REDCap's own upgrade process to reinject malicious code into each new version, a credential harvester that captures POST-submitted login data and stores it encrypted inside a legitimate database table, and a backdoor that activates via a specially crafted HTTP cookie named REDCAP-TOKEN. INFINITERED can execute shell commands, run arbitrary SQL queries, transfer files, and beacon system details including database credentials back to the operator.
More than a year after the initial breach, the group replayed harvested credentials to access a domain administrator account, then created a content compliance rule — a standard feature in cloud productivity suites — named "Patroit" (the misspelling appears in the original rule). The rule used regular expressions to match emails containing keywords tied to geopolitical, military, medical, and technology topics, silently BCC-forwarding matches to a threat-actor-controlled Gmail address. GTIG subsequently disabled that account.
- Earliest confirmed compromise: September 2023; activity observed through November 2025
- Targets included clinical providers, academic centers, military health bodies, and health regulators in the US and Canada
- INFINITERED persisted across REDCap upgrades for more than a year before detection
- Exfiltration routed through US-based obfuscation networks using compromised routers and residential proxies
- Compliance rule keyword list included the specific pathogen Chikungunya, which caused a 2025 outbreak in China's Guangdong province
Why it matters
The use of email compliance rules for covert data exfiltration marks a tactic not previously documented among PRC-linked actors, according to GTIG. By abusing a legitimate administrative feature rather than deploying additional tooling, UNC6508 avoided triggering security controls that focus on anomalous software behavior. The group also maintained operational security by routing all activity through US-hosted infrastructure — compromised consumer routers, residential proxies, and VPS nodes — making geographic attribution harder for defenders relying on IP geolocation.
The breadth of collection interests documented in the "Patroit" rule suggests UNC6508's actual target list may extend well beyond the institutions GTIG was able to identify. Intelligence priorities reflected in the keyword patterns include Indo-Pacific military posture, uncrewed vehicle programs, offensive cyber capabilities, and medical research — areas consistent with documented PRC state-sponsored collection requirements.
What to watch
GTIG has pushed indicators of compromise and detections into Google Security Operations and published YARA rules for identifying INFINITERED on REDCap servers. Organizations running REDCap should treat any legacy software version left in place as an active risk surface and prioritize removal alongside patching. The group recommends phishing-resistant two-step verification on all administrator accounts, enforcement of Device Bound Session Credentials on sensitive Windows endpoints, and a manual audit of existing email compliance rules for unauthorized modifications.
The specific inclusion of Chikungunya-related terms in the exfiltration keyword list, timed against a real outbreak in China, points to an actor with current operational tasking rather than one operating from a static collection template — a detail defenders tracking PRC health-related espionage should factor into threat modeling.
For professionals: Audit all content compliance or mail-routing rules in your cloud productivity tenant immediately — this vector requires no malware on end-user devices and leaves minimal logs by default. Ensure REDCap deployments run only the current version, with legacy installations fully removed, and scan web-accessible servers using the YARA rule GTIG has published.
Automated pipeline · Security
Synthesized from 1 industry feed on 15 Jun 2026. Passed independent editor verification before publication. Style guide v1.2.
Sources
Decision trail
- Checking for duplicates — Deduped batch of 1 candidates
- Checking for duplicates — New story New threat actor campaign (UNC6508) targeting medical and military research community; distinct from prior ShinyHunters/UNC6240 PeopleSoft campaign.
- Writing the article — Draft created article_id=51 slug=china-linked-hackers-spent-over-a-year-inside-us-medical-research-networks
-
Editor review — Approved
- Factual grounding: Minor: The article states UNC6508 'replayed harvested credentials to access a domain administrator account.' The source says 'UNC6508 used overlapping credentials, harvested from REDCap, to access an administrator account' — the source does not specify 'domain administrator.' This is a minor overspecification not directly supported by the source text.
- Factual grounding: Minor: The article describes Mandiant Consulting as jointly disrupting the campaign. The source says GTIG 'disrupted the malicious infrastructure' and 'Working with Mandiant Consulting, we notified the affected organizations.' Mandiant's role was notification and remediation assistance, not co-disruption — a slight misattribution but minor.
- Factual grounding: Minor: The article says the Chikungunya outbreak was in 'China's Guangdong province.' The source says 'an outbreak in China's Guangdong province beginning in July 2025.' The article omits the July 2025 start date but does not contradict it — omission only.
- No copied phrasing: Minor: 'a novel technique not previously documented among PRC-linked actors' closely echoes the source's 'a novel technique not previously observed with PRC-nexus threat actors.' Sentence structure and most words are identical
- this is close paraphrasing rather than full independent rewriting.
- Style compliance: Minor: Body word count appears to be approximately 720-730 words, which exceeds the 620-word target and approaches the 750-word hard maximum. Editors should verify exact count before publication.
- Assigning hero image — Pexels pexels_id=5380618
- Linking related stories — Linked 5 relations from 34 candidates
- Publishing — Published china-linked-hackers-spent-over-a-year-inside-us-medical-research-networks
Discussion · coming soon
Be the first to join the thread when community discussion launches.