Google’s Threat Intelligence Group (GTIG) has exposed a prolonged cyber-espionage campaign orchestrated by a Chinese-linked group, targeting medical, academic, and military research entities in North America. The operation remained undetected for over a year, posing significant risks to sensitive information.
UNC6508 and Its Espionage Goals
At the core of this campaign is UNC6508, a cyber group connected to the People’s Republic of China, according to GTIG. The group’s activities align with China’s strategic interests, including national defense intelligence, military operations in the Indo-Pacific, and advancements in artificial intelligence and medical research.
The initial breach dates back to September 2023, continuing without interruption until November 2025, demonstrating a focused and sustained effort by the attackers.
Exploiting REDCap Servers
The attackers gained initial access through REDCap servers, a platform extensively used by research institutions across North America. Although GTIG could not pinpoint the exact entry vector, it noted that UNC6508 exploited outdated and unpatched REDCap versions, a strategy known as a downgrade attack.
Once inside, the group deployed a web shell named help.php, enabling them to conduct reconnaissance and extract database credentials. Subsequently, they introduced INFINITERED, a modular malware designed to compromise legitimate REDCap files.
Impact and Defensive Measures
INFINITERED’s presence was confirmed in multiple organizations within the US and Canada. The malware includes components for credential harvesting, persistent backdoor access, and data theft. This breach allowed UNC6508 to escalate privileges and exfiltrate sensitive emails using Google’s Workspace features.
In response, GTIG and Mandiant Consulting recommend several defensive actions. These include updating REDCap installations, implementing two-step verification for admin accounts, scanning for INFINITERED using YARA rules, and auditing email compliance rules for unauthorized configurations.
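The two artefacts the summary describes, a dropped web shell (help.php) and legitimate REDCap files altered by INFINITERED, are both things a file-integrity comparison against a clean copy of the same REDCap release will surface, which complements the YARA scanning GTIG recommends. The script below is an added example, not code from the GTIG report or from the REDCap project, and it reproduces none of the report's YARA rules or indicators; the directory layout, file names and the tampering marker it builds are constructed for the demonstration, and the only name taken from the page is help.php.

```python
"""
Added example (not from the GTIG report or the REDCap project): compare a live
REDCap web root against a baseline hashed from a pristine download of the same
release, and report modified files, newly added code files, and missing files.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_baseline(baseline: dict, live: dict,
                        code_suffixes=(".php", ".inc", ".js"),
                        ignore=()) -> dict:
    """Diff a live tree's hashes against a clean baseline.

    modified:   present in both, content differs (tampered legitimate file)
    added_code: present only in the live tree and is a code file (dropped shell)
    missing:    present in the baseline but gone from the live tree
    `ignore` lists files that legitimately differ per deployment (site config).
    """
    modified = sorted(f for f in baseline
                      if f in live and f not in ignore and baseline[f] != live[f])
    missing = sorted(f for f in baseline if f not in live and f not in ignore)
    added_code = sorted(f for f in live
                        if f not in baseline and f not in ignore
                        and f.lower().endswith(code_suffixes))
    return {"modified": modified, "added_code": added_code, "missing": missing}


def demo() -> dict:
    """Build a constructed clean tree and a constructed tampered copy, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "redcap_clean"
        live = Path(tmp) / "redcap_live"
        # Constructed stand-ins for release files; not real REDCap source.
        release_files = {
            "index.php": "<?php echo 'constructed index'; ?>\n",
            "redcap_connect.php": "<?php /* constructed connector */ ?>\n",
            "resources/app.js": "console.log('constructed');\n",
        }
        for root in (clean, live):
            for rel, body in release_files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Simulate the two findings: one legitimate file altered, one code file dropped.
        (live / "redcap_connect.php").write_text(
            release_files["redcap_connect.php"] + "// constructed tampering marker\n")
        (live / "help.php").write_text("<?php /* constructed placeholder, not a shell */ ?>\n")
        return compare_to_baseline(hash_tree(clean), hash_tree(live))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The baseline must be hashed from a fresh download of the exact release the server runs, never from the server itself, since a baseline captured after the intrusion would simply bless the tampered files; per-site configuration files that legitimately differ go in `ignore`. Hash comparison only tells you that a file changed, not what was put in it, so findings still need review alongside the YARA scan and the email-rule audit GTIG recommends.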
Conclusion and Future Outlook
This incident highlights the ongoing threat posed by state-sponsored cyber groups. The sophisticated methods employed by UNC6508 emphasize the need for enhanced cybersecurity measures in research institutions. Continued vigilance and proactive defense strategies are essential to safeguard critical data from similar threats in the future.
