bleepingcomputer.com web signal

UNC6508 Breaches REDCap Servers, Exfiltrates via Gmail

cybersecurity china ai military ai-security china-threat espionage

Key insights

  • UNC6508 accessed a North American medical institution via exposed REDCap servers in September 2023, remaining undetected for over a year.
  • The InfiniteRed backdoor used three components: a persistence module, a credential harvester on login pages, and an HTTP-cookie command channel.
  • A Google Workspace content compliance rule named Patroit silently blind-copied targeted emails to an attacker Gmail account covering medical and military keywords.

Why this matters

Google Threat Intelligence Group's attribution of UNC6508 confirms that China-linked groups are actively targeting medical research institutions as intelligence priorities, not just defense and tech contractors. The abuse of Google Workspace's content compliance rules is a novel exfiltration vector: legitimate SaaS mail-routing features forwarded sensitive communications silently for over a year without triggering conventional endpoint or network detection. Any organization running REDCap, a widely used platform for clinical trials and academic research, must treat this as a direct threat model and audit both their REDCap deployment version and their Google Workspace compliance rule configurations immediately.
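As an added example (not code from the article, from Google, or from the affected institution), the check below audits an exported set of Workspace content compliance rules and flags any enabled rule that quietly copies matching mail to an address outside the organization's own domains, the pattern the "Patroit" rule used. The rule schema, the organization domain and the sample rules are constructed assumptions; the rule named "Patroit" here is modelled on the article's description, not the real rule.

```python
# Added example, not code from the article or from Google: audit exported Workspace
# content compliance rules for ones that quietly copy mail off-domain, the pattern of
# the reported "Patroit" rule. Schema and sample rules are constructed assumptions.
from dataclasses import dataclass

CONSUMER_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}

@dataclass
class ComplianceRule:
    name: str
    enabled: bool
    keywords: list          # content-match terms the rule scans messages for
    added_recipients: list  # addresses the rule BCCs or forwards matching mail to
    notify_sender: bool     # whether the sender is told the rule acted on their mail

def mail_domain(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return address.rsplit("@", 1)[1].strip().lower() if "@" in address else ""

def external_recipients(rule: ComplianceRule, org_domains: set) -> list:
    """Added recipients whose domain is not one the organization controls."""
    return [a for a in rule.added_recipients if mail_domain(a) not in org_domains]

def audit_rules(rules: list, org_domains: set) -> list:
    """One finding per enabled rule that copies mail off-domain; severity is
    'high' when the copy is silent or lands in a consumer webmail account."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        ext = external_recipients(rule, org_domains)
        if not ext:
            continue
        reasons = ["copies matching mail to external address: " + ", ".join(ext)]
        if any(mail_domain(a) in CONSUMER_WEBMAIL for a in ext):
            reasons.append("destination is a consumer webmail account")
        if not rule.notify_sender:
            reasons.append("acts silently (sender not notified)")
        findings.append({"rule": rule.name, "reasons": reasons, "keywords": rule.keywords,
                         "severity": "high" if len(reasons) > 1 else "medium"})
    return findings

# Constructed sample: a rule modelled on "Patroit", a benign archive rule, a disabled rule.
ORG_DOMAINS = {"example-medical.edu"}
SAMPLE_RULES = [
    ComplianceRule("Patroit", True, ["clinical trial", "defense research"],
                   ["collector-PLACEHOLDER@gmail.com"], False),
    ComplianceRule("Legal hold archive", True, ["litigation"], ["archive@example-medical.edu"], True),
    ComplianceRule("Old vendor copy", False, ["invoice"], ["ap@vendor-PLACEHOLDER.example"], False),
]
```

Disabled rules are skipped on purpose so the report stays actionable; review them separately before deleting, since a rule that was switched off may still show who created it and when.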

Summary

UNC6508, a China-linked espionage cluster, spent more than two years inside a North American medical institution after breaching exposed REDCap servers in September 2023, with malicious activity running through November 2025. The group deployed InfiniteRed, a three-component backdoor, three months after gaining initial access, concealing it by trojanizing system files. InfiniteRed harvested credentials from REDCap login pages and received attacker commands via HTTP cookies, enabling shell execution, file transfers, and SQL queries against the compromised environment.

In short: China-linked espionage (UNC6508, as attributed by Google Threat Intelligence Group) sitting inside medical research infrastructure, surfaced by Google researchers.

  • UNC6508 created a Google Workspace content compliance rule named "Patroit" to silently blind-copy matching emails to an attacker-controlled Gmail account (now disabled).
  • Scanned keywords covered medical research, advanced technology, military topics, and geo-strategic policy.
  • Undetected for over a year, the operation shows how legitimate SaaS compliance features can be turned into silent, long-horizon exfiltration pipelines.

Potential risks and opportunities

Risks

  • Other North American institutions running unpatched or legacy REDCap deployments face the same initial-access vector UNC6508 exploited starting September 2023
  • Google Workspace customers in research and defense sectors may have unaudited content compliance rules similar to Patroit still actively forwarding sensitive communications to external accounts
  • Harvested REDCap login credentials could enable follow-on access to linked clinical trial databases or health record systems, amplifying both research IP and patient data exposure

Opportunities

  • Academic and medical IT security teams gain immediate leverage to mandate MFA on high-privilege accounts and accelerate REDCap upgrade cycles, citing this named-group disclosure
  • Google Workspace security auditing providers (Abnormal Security, Valimail) can offer targeted scans for unauthorized content compliance rules at research and defense organizations facing new scrutiny
  • Identity vendors supporting Device Bound Session Credentials, explicitly named as a recommended mitigation by Google Threat Intelligence Group, see a near-term procurement cycle opening in higher-ed and medical research markets

What we don't know yet

  • How many institutions beyond the single confirmed North American medical site were targeted or breached by UNC6508 using the same exposed-REDCap initial access vector
  • What volume and category of research data was exfiltrated over the two-plus-year intrusion, and whether it has already informed adversary programs or publications
  • Whether REDCap's maintainers have issued an official security advisory or coordinated a patch response in the wake of Google Threat Intelligence Group's disclosure