
Chinese hackers breach medical research servers with custom malware

[Image: Brightly-lit hospital corridor with medical equipment, computers, and researchers in the distance.]

"Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness," Google Threat Intelligence Group warned.

UNC6508’s presence: September 2023 through November 2025

Google Threat Intelligence Group (GTIG) says a China-linked espionage campaign — attributed to a threat actor tracked as UNC6508 — compromised a North American medical research institution in September 2023 and remained inside the victim environment for more than a year, with malicious activity continuing through November 2025. GTIG researchers say the intrusion went undetected for that entire period.

The 'Infinitered' malware: three modules, broad capabilities

Three months after the initial compromise, GTIG observed the deployment of a custom malware family the report names 'Infinitered.' According to the findings, Infinitered is embedded in trojanized system files on the REDCap servers and consists of three components: a persistence/update module, a credential harvester, and a backdoor. The credential harvester captures usernames and passwords submitted through REDCap login pages, encrypts them, and stores them in local REDCap database tables for later retrieval.
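Because the implant lives in modified REDCap system files, the check a responder wants first is a file-integrity comparison of the webroot against a known-good baseline. The following is an added example, not code from GTIG's report or from the REDCap project: it hashes every file under a directory, diffs the result against a saved manifest, and reports added, removed and modified paths. The file names in the demo tree are constructed stand-ins, and the excluded prefixes are an assumed convention for directories that legitimately change (uploads, temp); adjust them to the real deployment.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that change during normal REDCap operation (assumed names; tune per install)
DEFAULT_EXCLUDES = ("edocs/", "temp/")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, exclude_prefixes=DEFAULT_EXCLUDES) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            if rel.startswith(exclude_prefixes):
                continue
            manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return the paths that appeared, disappeared, or changed content since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed sample tree, baseline it, tamper with it, and diff.

    The file names below are hypothetical; they only stand in for a REDCap webroot.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "edocs").mkdir()
        (root / "lib" / "connect.php").write_text("<?php // original connector\n")
        (root / "index.php").write_text("<?php // original index\n")
        (root / "edocs" / "upload1.pdf").write_bytes(b"%PDF-1.4 constructed upload")
        baseline = build_manifest(tmp)

        # Simulate tampering: one system file is altered, one unexpected file appears,
        # and a new upload lands in the excluded directory (must not be reported).
        (root / "lib" / "connect.php").write_text("<?php // original connector\n// injected\n")
        (root / "cache_helper.php").write_text("<?php // unexpected new file\n")
        (root / "edocs" / "upload2.pdf").write_bytes(b"%PDF-1.4 another upload")
        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest should be generated from a pristine copy of the same REDCap release (or taken immediately after a verified install) and stored off the server, so that an attacker who can write to the webroot cannot also rewrite the reference hashes.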

The backdoor receives commands via HTTP cookies and gives the actor the ability to execute shell commands; upload and download files; run arbitrary SQL queries; retrieve and delete stolen credentials; and return system and database information.

REDCap servers, credential theft, and the 'Patroit' email rule

GTIG emphasizes that REDCap — a platform widely used in medical and scientific research to build and manage databases and surveys in a regulatory-compliant way — was the specific target. While researchers could not determine the precise initial compromise vector, they observed UNC6508 probing older, vulnerable versions of REDCap prior to the intrusion.

After gaining administrator access, the attackers abused a legitimate cloud feature: the 'content compliance rules' function in enterprise productivity suites. UNC6508 created a rule named "Patroit" that scanned for specific keywords, content patterns, email addresses, and phone numbers. Any matches were automatically sent as a blind carbon copy (BCC) to 'BebitaBarefoot774@gmail.com' — an address Google has since disabled. The keywords targeted data tied to medical research, advanced technology, military topics, and geo-strategic policy.

Operational security: proxies, compromised routers, credential replay, and dedicated exfiltration

GTIG recorded a high level of operational security across the campaign. The actor made use of US-based residential proxy infrastructure, compromised routers, virtual private servers (VPS), credential replay, and dedicated infrastructure for data exfiltration. That layered approach helped the actor evade detection while moving stolen data out of the environment.

What this means for medical research organizations, cloud providers, and security teams

  • Medical research organizations: those running REDCap instances must assume that legacy or exposed deployments are attractive intelligence targets; GTIG's characterization of the victim's work — ranging from molecular discovery and clinical drug trials to public health policy and military readiness — underscores the diversity of data at risk.
  • Cloud providers and enterprise platform teams: a feature intended for compliance — content compliance rules that can forward matches by email — was repurposed for covert exfiltration, demonstrating how built-in administrative features can be abused after an account takeover.
  • Security teams and incident responders: the campaign shows how credential harvesting embedded in application workflows and cookie-based backdoor controls can persist for long periods; defenders will need to scan application databases, monitor for unusual rule creation (for example, a "Patroit" compliance rule), and trace where automated rule outputs are being routed.
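The third bullet asks defenders to monitor rule creation and trace where rule outputs are routed. The following is an added example, not code from GTIG or from any productivity-suite vendor: it audits a list of content-compliance rules and flags any rule whose action copies or forwards matched mail to an address outside the organization's domains, with consumer webmail called out separately. The rule export format (fields name, created_by, conditions, actions) is an assumed generic shape, not a real product's schema; the sample rules are constructed, except that the "Patroit" entry reuses the rule name and BCC address published in the report.

```python
from dataclasses import dataclass

# Constructed sample export. The field layout is assumed; map it onto whatever
# the real admin console or API returns for your suite.
SAMPLE_RULES = [
    {
        "name": "DLP-SSN-block",
        "created_by": "secops@research.example",
        "conditions": ["regex:\\b\\d{3}-\\d{2}-\\d{4}\\b"],
        "actions": {"reject": True},
    },
    {
        "name": "Legal hold copy",
        "created_by": "itadmin@research.example",
        "conditions": ["keyword:subpoena"],
        "actions": {"bcc": ["legal-archive@research.example"]},
    },
    {
        # Modeled on the rule GTIG describes; the address is the one published in the report.
        "name": "Patroit",
        "created_by": "itadmin@research.example",
        "conditions": ["keyword:clinical trial", "keyword:vaccine", "phone_number", "email_address"],
        "actions": {"bcc": ["BebitaBarefoot774@gmail.com"]},
    },
]

# Hypothetical organization domain used by the sample data.
ORG_DOMAINS = {"research.example"}
CONSUMER_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Action keys that route matched mail somewhere (assumed names for the generic shape).
ROUTING_ACTIONS = ("bcc", "forward", "add_recipient")


@dataclass
class Finding:
    rule: str
    created_by: str
    recipient: str
    reason: str


def recipients_of(actions: dict) -> list:
    """Collect every address a rule's actions would deliver matched mail to."""
    out = []
    for key in ROUTING_ACTIONS:
        out.extend(actions.get(key, []))
    return out


def audit_rules(rules, org_domains=ORG_DOMAINS) -> list:
    """Flag rules that route matched mail outside the organization."""
    findings = []
    for rule in rules:
        for addr in recipients_of(rule.get("actions", {})):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in CONSUMER_WEBMAIL:
                reason = "routes matches to consumer webmail"
            elif domain not in org_domains:
                reason = "routes matches outside organization domains"
            else:
                continue
            findings.append(Finding(rule["name"], rule.get("created_by", "?"), addr, reason))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.reason}] rule={f.rule!r} by={f.created_by} -> {f.recipient}")
```

Run this against a fresh export on a schedule and diff the findings against the previous run; a newly appearing external recipient on a rule created by a high-privilege account is the signal the bullet describes, and the created_by field tells you which administrator session to pull audit logs for.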

GTIG's defensive advice, artifacts, and notifications

GTIG says it notified multiple organizations in the U.S. and Canada that were compromised with Infinitered (also written InfiniteRed). The report includes YARA rules and indicators of compromise (IoCs) to help defenders scan environments for infections. GTIG recommends that REDCap administrators upgrade their instances to the latest available versions and remove legacy deployments. Google also advises enabling MFA/2SV on high-privilege accounts and using Device Bound Session Credentials (DBSC) to prevent session hijacking.

For organizations running REDCap and for the teams that support them, the immediate, concrete steps GTIG provides — patching, removing legacy interfaces, enforcing stronger session protections, and hunting for the specific artifacts and the disabled exfiltration address — are the same steps GTIG used to identify and notify victims. The report makes clear that the attack blended a bespoke malware implant with procedural rigor: reconnaissance of older REDCap builds, a tailored credential harvester, and the creative misuse of cloud compliance rules.

The facts GTIG has published leave a clear operational task: scan for the Infinitered components and the 'Patroit' rule, apply the platform updates, and treat exposed REDCap instances as potential entry points. GTIG's notification to affected organizations and published IoCs provide immediate hunt material; whether other installations remain quietly exposed is now the urgent question for REDCap operators and their security teams.

https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-redcap-servers-steal-medical-research/