A sophisticated cyber espionage campaign linked to China infiltrated research, healthcare, academic, and military organizations across North America, remaining undetected for more than a year while stealing sensitive information and defense-related communications.
According to a recent report from Google’s Threat Intelligence Group (GTIG), the campaign has been attributed with high confidence to a threat cluster identified as UNC6508. The attackers gained access through compromised REDCap (Research Electronic Data Capture) servers and later leveraged built-in Google Workspace features to quietly collect targeted emails.
The threat actor and its custom malware, known as INFINITERED, were previously highlighted by Google in February during a broader assessment of state-sponsored attacks targeting the defense industry. While the affected organizations were not publicly named, the victims reportedly included healthcare providers, universities, military medical institutions, advocacy organizations, and regulatory agencies in the United States and Canada. Google stated that it alerted impacted entities and took action against the attackers’ infrastructure.
The attackers targeted externally accessible REDCap servers, a widely used platform that helps hospitals, research institutions, and universities manage study data and databases.
Although Google has not identified the precise method used to gain initial access, nor linked the activity to a specific vulnerability or CVE, investigators observed the group scanning older REDCap versions known to contain security weaknesses.
Roughly three months after breaching the servers, UNC6508 deployed INFINITERED, a customized malware strain designed to modify REDCap system files. The malware ensured long-term persistence by embedding itself into the platform’s update process, allowing malicious code to survive future software upgrades.
INFINITERED also captured usernames and passwords entered through REDCap login portals and stored the stolen credentials in encrypted form within local databases. Additionally, the malware functioned as a backdoor, accepting commands through HTTP cookies and executing them whenever users loaded web pages.
Researchers traced the earliest known compromise to September 2023, with malicious activity continuing through November 2025. After establishing a foothold, the attackers conducted network reconnaissance, collected database and service account credentials, and eventually escalated privileges to obtain domain administrator access.
Rather than deploying a separate data-exfiltration tool, the attackers exploited an existing Google Workspace administrative capability known as content compliance rules.
These rules are typically used by organizations to monitor emails for specific keywords and automatically apply actions such as forwarding or copying messages. UNC6508 created a malicious rule named “Patroit” that monitored nearly 150 keywords, email addresses, and search terms associated with its intelligence-gathering objectives.
Whenever an email matched the predefined criteria, Google Workspace automatically sent a hidden copy to an attacker-controlled Gmail account. Google has since disabled the account involved in the operation.
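One defender-side check the description above suggests is to audit existing content compliance rules for the two traits of the "Patroit" rule: copying or forwarding matched mail to an address outside the organization, and matching an unusually broad keyword list. The script below is an added example, not Google's code or part of the report; the rule records, the organization domains and the free-mail list are constructed, and the flat rule layout is a hypothetical simplification rather than the Admin SDK's actual format.

```python
"""Audit Workspace-style content compliance rules for exfiltration traits.
Added example: rule records below are constructed, and the field layout is a
hypothetical simplification, not the real Admin SDK representation."""
from dataclasses import dataclass, field
from typing import List, Optional

ORG_DOMAINS = {"example.org", "mail.example.org"}   # assumed org domains
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed list
KEYWORD_THRESHOLD = 50  # rules matching more terms than this are flagged as broad


@dataclass
class ComplianceRule:
    name: str
    match_terms: List[str]
    add_recipients: List[str] = field(default_factory=list)  # "copy to" targets
    modify_route: Optional[str] = None  # forwarding destination, if any


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def audit_rule(rule: ComplianceRule) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    targets = list(rule.add_recipients)
    if rule.modify_route:
        targets.append(rule.modify_route)
    for addr in targets:
        if _domain(addr) not in ORG_DOMAINS:   # mail leaves the organization
            kind = "freemail" if _domain(addr) in FREEMAIL else "external"
            findings.append(f"{rule.name}: copies/forwards mail to {kind} address {addr}")
    if len(rule.match_terms) > KEYWORD_THRESHOLD:  # broad collection, not one policy
        findings.append(f"{rule.name}: {len(rule.match_terms)} match terms (broad collection)")
    return findings


def audit_rules(rules: List[ComplianceRule]) -> List[str]:
    return [f for rule in rules for f in audit_rule(rule)]


# Constructed sample: one legitimate DLP-style rule and one modelled on "Patroit".
CONSTRUCTED_RULES = [
    ComplianceRule("Block PII to vendors", ["ssn", "patient id"],
                   modify_route="compliance@example.org"),
    ComplianceRule("Patroit", [f"term{i}" for i in range(150)],
                   add_recipients=["collector-placeholder@gmail.com"]),
]

if __name__ == "__main__":
    for line in audit_rules(CONSTRUCTED_RULES):
        print(line)
```

In a real tenant the rule data would come from the Admin console or audit log export; the legitimate rule above produces no findings because its only destination stays inside the organization.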
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents