China-linked UNC6508 Targets Medical Research Institutions

"GTIG has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community," Google Threat Intelligence Group wrote in its advisory.

How UNC6508 gained a foothold through REDCap and delivered INFINITERED

According to GTIG's analysis, the intrusion sequence began with exploitation of externally facing REDCap servers; the earliest known compromise occurred in September 2023 and related activity continued through November 2025. GTIG observed the actor probe for vulnerable legacy REDCap installations and, on at least one occasion, deploy a web shell named help.php to maintain persistence and enable file uploads. The intruder performed internal reconnaissance and harvested database and service-account credentials.

Three months after initial access, the adversary deployed a bespoke malware family that GTIG calls INFINITERED. It trojanizes legitimate REDCap system files and has three components: a dropper that hooks the REDCap upgrade process and injects code into the new package; a credential harvester that records usernames and passwords submitted via POST and hides them in the REDCap sessions database under entries prefixed "xc32038474a"; and a backdoor that takes its commands from an HTTP cookie named "REDCAP-TOKEN." Because the dropper re-implants on every upgrade, updating REDCap in place does not remove the malware: the dropper reads the currently installed package, carves the malicious logic out of it using the GUID delimiter b49e334d-9c01-463e-9bc5-00a6920fb66e, and writes the backdoor and harvester code into the update package.
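The following is an added example, not GTIG's code and not its published YARA rule: a small host-side hunt for the INFINITERED indicators the advisory names. It walks a REDCap webroot for the GUID delimiter the implant uses to carve its payload out of a trojanized file, looks for PHP that reads the REDCAP-TOKEN cookie (a heuristic of mine; the real implant may fetch the cookie differently), flags any stray help.php, and queries the sessions table for the harvester prefix. The webroot and session rows are constructed fixtures, with sqlite3 standing in for REDCap's MySQL database; the table and column names redcap_sessions(session_id, session_data) are my assumption about the schema and should be checked against the installation.

```python
"""Hunt for INFINITERED host indicators on a REDCap server (added example)."""
import re
import sqlite3
import tempfile
from pathlib import Path

GUID_MARKER = b"b49e334d-9c01-463e-9bc5-00a6920fb66e"   # delimiter from the advisory
SESSION_PREFIX = "xc32038474a"                          # harvester prefix from the advisory
# Heuristic (assumption): trojanized PHP reads the backdoor cookie via $_COOKIE.
COOKIE_RE = re.compile(rb"\$_COOKIE\s*\[\s*['\"]REDCAP-TOKEN['\"]\s*\]")


def scan_webroot(root: Path) -> list[dict]:
    """One finding per file-level indicator found under the REDCap webroot."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if GUID_MARKER in data:
            findings.append({"file": rel, "indicator": "guid_delimiter"})
        if COOKIE_RE.search(data):
            findings.append({"file": rel, "indicator": "redcap_token_cookie"})
        if path.name == "help.php":  # web shell name seen by GTIG; review any such file
            findings.append({"file": rel, "indicator": "help_php_name"})
    return findings


def scan_sessions(conn: sqlite3.Connection) -> list[dict]:
    """Session rows whose id or payload starts with the harvester prefix."""
    rows = conn.execute(
        "SELECT session_id, session_data FROM redcap_sessions "
        "WHERE session_id LIKE ? OR session_data LIKE ?",
        (SESSION_PREFIX + "%", SESSION_PREFIX + "%"),
    ).fetchall()
    return [{"session_id": sid, "indicator": "harvester_prefix"} for sid, _ in rows]


def hunt(root: Path, conn: sqlite3.Connection) -> list[dict]:
    """Combine file and database findings for one host."""
    return scan_webroot(root) + scan_sessions(conn)


def build_fixture() -> tuple[Path, sqlite3.Connection]:
    """Constructed sample data: a clean file, a trojanized file carrying the GUID
    delimiter and a cookie read, a stray help.php, and a sessions table with one
    ordinary row and one harvester row. Not real REDCap or INFINITERED content."""
    root = Path(tempfile.mkdtemp(prefix="redcap-"))
    (root / "Classes").mkdir()
    (root / "Classes" / "Clean.php").write_text("<?php\nclass Clean {}\n")
    marker = GUID_MARKER.decode()
    (root / "Classes" / "Upgrade.php").write_text(
        "<?php\nclass Upgrade {}\n"
        f"/*{marker}*/\n"
        "if (isset($_COOKIE['REDCAP-TOKEN'])) { /* implant body elided */ }\n"
        f"/*{marker}*/\n"
    )
    (root / "help.php").write_text("<?php /* unexpected file in webroot */\n")

    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE redcap_sessions (session_id TEXT PRIMARY KEY, session_data TEXT)"
    )
    conn.executemany(
        "INSERT INTO redcap_sessions VALUES (?, ?)",
        [
            ("9f3c0e1a2b", 'username|s:5:"alice";'),            # ordinary PHP session
            (SESSION_PREFIX + "5b7d", "alice:sample-password"),  # constructed harvester row
        ],
    )
    conn.commit()
    return root, conn


if __name__ == "__main__":
    demo_root, demo_conn = build_fixture()
    for finding in hunt(demo_root, demo_conn):
        print(finding)
```

On a real host, point scan_webroot at the REDCap document root and scan_sessions at a read-only connection to the production database; a hit on the GUID delimiter or the session prefix is a strong signal and should be followed by the advisory's YARA rule and full IOC list rather than treated as the whole check.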

How a compliance rule called "Patroit" turned administration features into an exfiltration channel

More than a year after initial compromise, UNC6508 used credentials harvested from REDCap to take over a Google Workspace administrator account, then abused the domain's content compliance rules to siphon email. GTIG documents that the actor created a compliance rule named "Patroit" whose conditions were regular expressions matching keywords, phrases and email-address patterns; every matching message was silently BCC-forwarded to an actor-controlled Gmail address, BebitaBarefoot774[@]gmail[.]com. GTIG disabled that Gmail account to stop further exfiltration.

The collection patterns encoded in the rule targeted geo-strategic policy, military strategy, advanced technology and medical research. GTIG highlights a scope that includes defense intelligence related to Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and specific medical research topics such as the pathogen Chikungunya.
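An added example, not GTIG's code, for the two paragraphs above: an offline audit of content compliance rules that catches the exfiltration pattern described, a rule whose action BCC-forwards matching mail to a mailbox outside the organization's own domains, and shows which messages such a rule would have copied. The rule records are a constructed, simplified representation (name, regex conditions, BCC addresses added by the action); a real Workspace export has a different shape and must be mapped onto this form first. The organization domains, the "Legal hold archive" rule and the sample messages are constructed; the rule name Patroit and its destination address are taken from the advisory, and its patterns are my illustrative stand-ins for the keyword classes GTIG describes.

```python
"""Audit content compliance rules for external BCC exfiltration (added example)."""
import re

ORG_DOMAINS = {"example-research.edu"}  # constructed: the tenant's own domains

# Constructed rule records: name, regex conditions, and the BCC recipients the
# rule's action adds. Only the name and destination of "Patroit" come from GTIG.
RULES = [
    {
        "name": "Legal hold archive",
        "patterns": [r"\blegal hold\b"],
        "bcc": ["legal-archive@example-research.edu"],
    },
    {
        "name": "Patroit",
        "patterns": [
            r"\bIndo-Pacific\b",
            r"\buncrewed\b",
            r"\bChikungunya\b",
            r"[\w.+-]+@[\w.-]+\.mil\b",   # any .mil correspondent
        ],
        "bcc": ["BebitaBarefoot774@gmail.com"],
    },
]


def is_internal(addr: str, org_domains: set[str]) -> bool:
    """True if addr belongs to one of our domains or a subdomain of one.
    A suffix-only check would accept example-research.edu.attacker.com, so
    the comparison is on whole labels."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def external_bcc_rules(rules: list[dict], org_domains: set[str]) -> list[dict]:
    """Rules whose BCC action sends copies outside the organization."""
    flagged = []
    for rule in rules:
        ext = [a for a in rule["bcc"] if not is_internal(a, org_domains)]
        if ext:
            flagged.append({"rule": rule["name"], "external_bcc": ext})
    return flagged


def rule_matches(rule: dict, text: str) -> list[str]:
    """Conditions of rule that fire on text; keyword rules are case-insensitive."""
    return [p for p in rule["patterns"] if re.search(p, text, re.IGNORECASE)]


def exposure_report(rules: list[dict], org_domains: set[str], messages: list[dict]) -> list[dict]:
    """For each leaking rule, the subjects of sample messages it would have copied."""
    report = []
    for hit in external_bcc_rules(rules, org_domains):
        rule = next(r for r in rules if r["name"] == hit["rule"])
        copied = [
            m["subject"] for m in messages
            if rule_matches(rule, m["subject"] + "\n" + m["body"])
        ]
        report.append({**hit, "messages_copied": copied})
    return report


SAMPLE_MESSAGES = [  # constructed
    {"subject": "Chikungunya cohort enrollment update",
     "body": "Week 12 serology results attached."},
    {"subject": "Legal hold: project Alder", "body": "Preserve all records."},
    {"subject": "Lunch Friday?", "body": "Tacos?"},
    {"subject": "Draft for review",
     "body": "Sending to j.doe@navy.mil before the Indo-Pacific briefing."},
]

if __name__ == "__main__":
    for row in exposure_report(RULES, ORG_DOMAINS, SAMPLE_MESSAGES):
        print(row)
```

Run the audit against a fresh export of the rules on a schedule and alert on any rule that appears in the flagged list, on any change to a rule's BCC recipients, and on the administrator session that made the change; the rule itself is silent to senders and recipients, so the audit log is the only place the activity is visible.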

Operations security and the infrastructure footprint

GTIG observed meticulous OpSec. UNC6508 routed traffic through so-called OBF (obfuscation) networks composed of compromised routers, residential proxies, VPS instances and similar devices. The advisory notes the actor used only U.S.-based OBF IPs when creating and using the actor-controlled Gmail account and when replaying captured credentials to access the compromised administrator account, a choice that keeps the logins within the victims' own geography and defeats simple geolocation-based login alerting. One network indicator tied the source of an admin login to 23.169.65.49, which GTIG labels a compromised ASUS router.

The report also documents that the Gmail account was obtained from a mass-creation service and was dedicated solely to continuous, automated email exfiltration, a pattern GTIG says complicates both attribution and defensive response.

What this means for technologists, policymakers, and medical research institutions

  • Technologists and security teams: The campaign demonstrates how a web application used for regulated research can be weaponized end-to-end — from credential capture to long-term persistence and covert exfiltration. GTIG provides a YARA detection rule and file IOCs for INFINITERED and emphasizes auditing compliance-rule changes and including Workspace logs in SIEM pipelines.
  • Policymakers and regulators: The actor’s collection priorities and the use of enterprise compliance features for exfiltration point to a need for clearer operational guidance around administrative privileges, enterprise IdP configurations, and mandatory security controls for research-sensitive cloud tenants.
  • Medical research institutions and administrators: Organizations relying on REDCap and similar platforms should urgently patch or remove legacy versions, scan for the INFINITERED indicators (including the session prefix "xc32038474a" and the version GUID marker), and assume that reused or overlapping credentials can lead to high-impact administrator compromise.

Detection, mitigation and the steps GTIG recommends

GTIG says it disrupted the malicious infrastructure, notified affected organizations in cooperation with Mandiant Consulting, and pushed the intelligence into Google Security Operations for defenders. Its concrete recommendations:

  • Enforce phishing-resistant 2-Step Verification for all enterprise administrator accounts, including those that sign in through third-party IdPs.
  • Consider enrolling highly sensitive accounts in Google's Advanced Protection Program.
  • Enforce Device Bound Session Credentials with Context-Aware Access (CAA) on Windows devices, so a replayed session cookie cannot be used from another machine.
  • Enable audit logs and ensure Workspace logs feed into the SIEM.
  • Define DLP rules that control external sharing, and audit content compliance rules for unexpected forwarding or BCC actions.
  • Use Chrome Enterprise Password Leak Detection.
  • Update or remove legacy REDCap installations, and scan REDCap servers with the YARA rule and IOCs provided in the advisory.

GTIG attributes the campaign to UNC6508 with high confidence, citing infrastructure overlaps, repeated use of INFINITERED, and a consistent target set spanning medical research and defense-related topics. The assessment in the advisory states UNC6508 is "an espionage motivated threat cluster, with priorities that align with historic PRC state-sponsored espionage trends and intelligence collection requirements."

The record in GTIG’s advisory is a granular demonstration of how a research-facing application can be converted into a persistent espionage platform: from a web-shell foothold to a stealthy credential harvester, to a backdoor that answers to a crafted cookie, and finally to an administrator-controlled compliance rule that quietly streams sensitive emails to an external inbox. For organizations that host regulated research at scale, that chain is a blueprint for urgent action.

Original Google Cloud blog post