The earliest known compromise dates to September 2023, and activity attributed to the same cluster continued through November 2025, according to Google’s Threat Intelligence Group (GTIG).
UNC6508 and INFINITERED
Google’s Threat Intelligence Group attributes the campaign with high confidence to a China-linked cluster it tracks as UNC6508. The group deployed custom malware GTIG calls INFINITERED after compromising externally facing REDCap servers. GTIG first surfaced UNC6508 and the REDCap backdoor in February in a broader look at state-backed activity against the defense sector; the new report provides operational detail on a sustained campaign that spanned clinical, academic, and military research networks in the United States and Canada.
REDCap backdoor and persistence
The entry point was REDCap — Research Electronic Data Capture — a web platform hospitals and universities use to build and manage study databases. GTIG says UNC6508 compromised externally facing REDCap servers and deployed INFINITERED roughly three months after initial access. INFINITERED trojanizes REDCap’s system files and, per GTIG, performs three functions: it hijacks the upgrade process so each new REDCap version reinjects the malicious code; it harvests usernames and passwords from the login page and stores them, encrypted, in local database tables; and it acts as a backdoor, accepting commands via HTTP cookies and running on every page load.
From those servers, the actor ran internal reconnaissance and credential discovery, pulling database and service account credentials and then using those logins to move into the internal network and onward to a domain administrator account. Google does not spell out the exact path to that administrator account, nor has it identified a specific CVE or affected REDCap version; it did, however, observe the group probing older, vulnerable releases. Google says it notified affected organizations and disrupted the group’s infrastructure.
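INFINITERED persists by trojanizing REDCap's own files and re-injecting itself on every upgrade, so a version bump is not evidence of a clean install. One check a practitioner can run, as an added example that is not GTIG's or REDCap's code, is to hash every file in the deployed webroot and compare it against a pristine copy of the same release obtained from the vendor. The directory and file names below are constructed for the demo, and `build_demo()` stands in for the two real trees; it is the diff logic that matters.

```python
# Added example (not from the GTIG report or the REDCap project): compare a
# deployed application tree against a pristine copy of the same release to
# surface files that were modified or added after installation.
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root, ignore_prefixes=()):
    """Map relative path -> SHA-256 for every regular file under root.

    ignore_prefixes skips directories the application legitimately writes to
    (upload stores, caches) so they do not drown out the signal.
    """
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(p) for p in ignore_prefixes):
            continue
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(reference_dir, deployed_dir, ignore_prefixes=()):
    """Return files whose content differs from, is extra to, or is missing from the reference."""
    ref = hash_tree(reference_dir, ignore_prefixes)
    dep = hash_tree(deployed_dir, ignore_prefixes)
    return {
        "modified": sorted(p for p in ref if p in dep and ref[p] != dep[p]),
        "added": sorted(p for p in dep if p not in ref),
        "missing": sorted(p for p in ref if p not in dep),
    }


def build_demo():
    """Constructed sample: a vendor tree and a deployed tree where the login
    page has been tampered with and one extra file has been dropped."""
    tmp = Path(tempfile.mkdtemp())
    vendor, webroot = tmp / "vendor_release", tmp / "webroot"
    files = {  # constructed placeholder file names, not REDCap's real layout
        "index.php": "<?php // login page\n",
        "Config/init_global.php": "<?php // bootstrap\n",
        "upgrade.php": "<?php // upgrade routine\n",
        "edocs/upload_123.pdf": "legit upload\n",
    }
    for base in (vendor, webroot):
        for rel, body in files.items():
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Simulated tampering: appended code on the login page and a dropped file.
    (webroot / "index.php").write_text(files["index.php"] + "// injected\n")
    dropped = webroot / "Resources/misc/helper.php"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_text("<?php // dropped file\n")
    # The upload store is expected to differ and is excluded from the diff.
    (webroot / "edocs/upload_456.pdf").write_text("another upload\n")
    return diff_trees(vendor, webroot, ignore_prefixes=("edocs/",))


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(kind, paths)
```

Run the comparison against a reference tree you downloaded yourself, not one fetched by the server under review, and repeat it after every upgrade: because the malware hooks the upgrade process, a tree that was clean last quarter tells you nothing about the build installed last week.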
Google Workspace content compliance rules abused to steal email
With administrative rights in place, UNC6508 set up a novel exfiltration method: abusing Google Workspace domain content compliance rules. Those legitimate admin features scan mail for keywords and can copy or forward matching messages. The group created a domain rule — notably misspelling one monitored term as “Patroit” — that watched for nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace silently BCC’d it to an attacker-controlled Gmail address; Google has since disabled that address.
GTIG emphasizes there was no malware on the mail server, no separate exfiltration tool, and no unusual network traffic associated with the theft. The attackers simply leveraged an existing cloud-mail feature to harvest messages. MITRE ATT&CK already catalogs email-forwarding-rule abuse as Email Collection: Email Forwarding Rule (T1114.003); what GTIG flags as new in this campaign is the use of domain-level content compliance rules for large-scale, stealthy interception, a method GTIG had not seen from a China-linked actor before.
Collection priorities exposed in the rule set
The rule’s keyword set mapped to UNC6508’s collection priorities as observed by GTIG: geo-strategic policy; military strategy and equipment; advanced technology including artificial intelligence and uncrewed vehicles; offensive cyber programs; and medical research. One particularly specific term in the list was chikungunya, the mosquito-borne virus behind a 2025 outbreak in China’s Guangdong province — an indicator of the breadth of targets the group pursued across both defense and biomedical domains.
What this means for clinical providers, academic centers, and military health institutions
- Clinical providers: REDCap instances that are externally accessible are a direct risk; GTIG’s findings link compromised REDCap servers to credential harvesting and lateral movement into internal networks.
- Academic centers: Research databases and legacy REDCap instances running side-by-side create downgrade-attack opportunities; GTIG warns against leaving older versions in place alongside current builds.
- Military health institutions: Administrative access in a single cloud domain can be turned into an ongoing, low-noise exfiltration channel by altering content compliance rules, underscoring that mail-system audits must include rule changes and external BCC targets.
Practical remediation steps GTIG recommends
- Patch or remove externally facing REDCap servers; do not rely on running legacy versions side-by-side, because that enables downgrade attacks.
- Review Google Workspace (or equivalent) domain content compliance and mail-forwarding rules for entries that BCC or reroute mail to outside addresses, and inspect admin audit logs for rule-change events rather than only current rule content.
- Hunt for INFINITERED using GTIG’s published indicators, and recover or rotate any credentials that may have been harvested from REDCap login pages or local databases.
- Require phishing-resistant multifactor authentication for administrator accounts, since the mail-theft phase in this campaign hinged on administrative access to Workspace rules.
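The rule-review step above is easy to state and easy to do badly: a glance at the current rule list misses a rule that was created, used for months, and deleted. The following added example, which is not Google's or GTIG's code, scores an exported rule set and a slice of admin audit-log events for the pattern described in this article: delivery to an address outside the organisation's domains, and an unusually large match list. The JSON shape and event names are assumptions made for illustration rather than the Admin SDK schema, so map them onto whatever your export or SIEM actually emits; the rule names, addresses and events are constructed.

```python
# Added example (not from Google, GTIG or any Workspace SDK): flag content
# compliance rules and rule-change events that deliver mail to external
# mailboxes or watch an unusually large keyword list.

ORG_DOMAINS = {"example.edu", "mail.example.edu"}  # constructed org domains
KEYWORD_THRESHOLD = 100  # heuristic: the campaign's rule watched ~150 terms

# Constructed rule export. Field names are an assumption for this demo.
RULES = [
    {
        "name": "DLP - SSN pattern",
        "match_terms": ["ssn", "social security"],
        "bcc": ["compliance@example.edu"],
    },
    {
        "name": "Research keyword monitor",
        # 148 constructed terms stands in for the campaign's keyword list
        "match_terms": [f"term{i}" for i in range(148)],
        "bcc": ["collector@example.net"],  # stand-in for an external mailbox
    },
]

# Constructed admin audit-log slice. Event names are assumed, not Google's.
EVENTS = [
    {"time": "2025-03-02T01:14:00Z", "actor": "it-admin@example.edu",
     "event": "UPDATE_COMPLIANCE_RULE", "rule": "DLP - SSN pattern",
     "new_recipients": ["compliance@example.edu"]},
    {"time": "2025-03-09T03:41:00Z", "actor": "svc-backup@example.edu",
     "event": "CREATE_COMPLIANCE_RULE", "rule": "Research keyword monitor",
     "new_recipients": ["collector@example.net"]},
    {"time": "2025-03-09T03:45:00Z", "actor": "svc-backup@example.edu",
     "event": "LOGIN_SUCCESS"},
]

RULE_EVENTS = {"CREATE_COMPLIANCE_RULE", "UPDATE_COMPLIANCE_RULE"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(rule, org_domains):
    """Every BCC or forward destination on a rule that is outside the org."""
    targets = rule.get("bcc", []) + rule.get("forward_to", [])
    return sorted(a for a in targets if domain_of(a) not in org_domains)


def flag_rules(rules, org_domains, threshold=KEYWORD_THRESHOLD):
    """Return (rule name, reasons) for rules worth a human's attention."""
    findings = []
    for rule in rules:
        reasons = []
        ext = external_recipients(rule, org_domains)
        if ext:
            reasons.append("external delivery to " + ", ".join(ext))
        n_terms = len(rule.get("match_terms", []))
        if n_terms >= threshold:
            reasons.append(f"{n_terms} match terms")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings


def flag_rule_changes(events, org_domains):
    """Rule-change events that added an external recipient, from the audit
    log rather than the live rule list, so deleted rules still surface."""
    hits = []
    for e in events:
        if e.get("event") not in RULE_EVENTS:
            continue
        ext = [a for a in e.get("new_recipients", [])
               if domain_of(a) not in org_domains]
        if ext:
            hits.append((e["time"], e["actor"], e["rule"], ext))
    return hits


if __name__ == "__main__":
    for name, reasons in flag_rules(RULES, ORG_DOMAINS):
        print("RULE", name, "->", "; ".join(reasons))
    for when, actor, rule, ext in flag_rule_changes(EVENTS, ORG_DOMAINS):
        print("EVENT", when, actor, "set", rule, "to deliver to", ext)
```

Treat the actor on any flagged change event as the pivot for the rest of the investigation: in this campaign the rule was created with domain administrator rights obtained through the REDCap compromise, so the account that made the change, not the rule itself, is where the intrusion timeline begins.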
GTIG’s report ties a multi-year intrusion chain, running from the first known compromise in September 2023 through November 2025, into a single operational picture: REDCap compromise, credential harvesting, lateral movement to admin rights, and the quiet repurposing of a built-in cloud feature. The record here is specific: commodity research software was weaponized to collect credentials, and an ordinary admin control was repurposed to siphon sensitive mail without generating obvious alerts. Defenders will need to watch built-in cloud features as potential exfiltration paths as closely as they watch for custom malware.