
Chinese Hackers Infiltrate Defense Research with Custom Malware


"The most concerning part of the UNC6508 campaign is that patching would have preserved the compromise. INFINITERED embeds itself into REDCap’s upgrade workflow, so when an institution upgrades to fix vulnerabilities, the malware survives and re-infects the new version." — Denis Calderone, CTO at Suzu Labs

Google Threat Intelligence Group (GTIG) has identified a long-running intrusion by UNC6508, a threat actor linked to the People’s Republic of China (PRC). The campaign, which went undetected for more than a year, targeted externally facing web applications, deployed bespoke malware, shifted into internal systems, and used administrative tools to siphon sensitive material.

UNC6508 and INFINITERED: stealth and persistence

GTIG’s analysis ties the actor UNC6508 to a custom payload GTIG calls INFINITERED. According to the reporting, INFINITERED appeared three months after an initial compromise and was designed to persist through routine maintenance. Denis Calderone of Suzu Labs emphasized how the malware subverts patching: because it embeds into the REDCap upgrade workflow, it can survive upgrades intended to fix vulnerabilities.

Calderone further noted a specific instance of prolonged access: "UNC6508 was inside one medical research institution from September 2023 through November 2025, over two years before Google discovered them." That multi-year presence illustrates the campaign’s stealth and the difficulty of detecting supply-chain–style persistence when malware controls the upgrade process itself.

REDCap upgrade workflow as a vector for persistence

REDCap is a platform widely used to build and manage online research databases and surveys. The platform’s design often allows administrators to keep legacy versions running side-by-side with current versions to avoid disrupting active clinical studies. UNC6508 probed specifically for those legacy deployments, which in some cases retained known remote code execution vulnerabilities.

Calderone’s technical guidance is specific: operators running REDCap should inspect upgrade files for unauthorized modifications using the YARA rules that Google published, and remove legacy versions immediately. He also recommends moving administrative interfaces off the internet — “The data collection endpoints may need external access for multi-site trials, but the admin interface does not. Get it off the internet. Put it behind your VPN or restrict it to institutional IP ranges.”
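The "external validation" Calderone calls for can be built around a known-good manifest as well as YARA: hash every file in the upgrade tree from a clean host and compare it with hashes taken from a pristine vendor download. The Python below is an added example for this article, not code from GTIG, Suzu Labs or the REDCap project, and Google's YARA rules are not reproduced here. The directory layout, file names and manifest are constructed stand-ins; the point is that a tampered vendor file and a file that was never part of the release both surface in the report.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large upgrade bundles do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def verify_upgrade(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare an on-disk upgrade tree with a known-good manifest.

    Returns three lists: vendor files whose content differs from the manifest,
    files present on disk but absent from the manifest (where an implant that
    rides the upgrade workflow would typically sit), and manifest files missing
    from disk. Run this from a host the REDCap server cannot influence, against
    a copy of the tree, so the server itself is not the one vouching for its state.
    """
    actual = hash_tree(root)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    unexpected = sorted(p for p in actual if p not in manifest)
    missing = sorted(p for p in manifest if p not in actual)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def build_demo_tree() -> tuple[Path, dict[str, str]]:
    """Construct a throwaway upgrade directory and the manifest it should match,
    then tamper with it in the two ways the verifier is meant to catch.
    All file names and contents are constructed for this example."""
    root = Path(tempfile.mkdtemp(prefix="upgrade_demo_"))
    pristine = {
        "upgrade.php": b"<?php // constructed stand-in for a vendor upgrade script\n",
        "install/step1.php": b"<?php // constructed vendor file\n",
        "lib/db.php": b"<?php // constructed vendor file\n",
    }
    for rel, content in pristine.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    manifest = hash_tree(root)  # taken before tampering: the known-good reference

    # Constructed tampering: one vendor file altered, one file dropped into the
    # tree that was never part of the release.
    (root / "upgrade.php").write_bytes(pristine["upgrade.php"] + b"// appended line\n")
    (root / "install/extra.php").write_bytes(b"<?php // not in manifest\n")
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_tree()
    for kind, files in verify_upgrade(demo_root, demo_manifest).items():
        print(f"{kind}: {files}")
```

In real use the manifest is generated once from the vendor's release archive on a separate machine and stored outside the server; anything the comparison flags is then a candidate for the published YARA rules and for incident response, not for a quick re-upgrade.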

Exfiltration using enterprise email policies, not mailbox rules

Perhaps the campaign’s most notable operational nuance is how exfiltration was achieved at an enterprise level. Rather than relying solely on user-level forwarding rules, UNC6508 reportedly created domain content compliance rules with keyword filters matching topics such as clinical trial data and AI research. Those rules silently BCC’d every matching email to an attacker-controlled Gmail address.

Calderone compared the technique to the previously noted Office 365 mailbox-rule persistence problem, but operating at a higher, administrative level: “That’s not a user-level mailbox rule that your SOC is likely to catch.” His advice is explicit: audit email infrastructure beyond user mailbox rules, examining admin-level content compliance policies, transport rules, and journal rules for forwarding to external addresses.
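The audit Calderone describes reduces to one question per organization-level rule: does any of its actions send a copy of mail to a domain the institution does not own? The Python below is an added example for this article, not code from GTIG, Suzu Labs or any mail vendor. The export format is hypothetical (a generic list of rules with a scope, a type, conditions and actions, not a specific vendor's API), the rules and addresses in it are constructed, and `INTERNAL_DOMAINS` is the assumption a real deployment would replace with its own domains.

```python
import json

# Constructed export of mail policies. The shape is hypothetical: each rule has a
# scope ("organization" for admin-level policy, "user" for a mailbox rule), a type,
# the conditions that trigger it and the actions it takes.
SAMPLE_EXPORT = json.dumps([
    {
        "name": "Legal hold journaling",
        "scope": "organization",
        "type": "journal",
        "conditions": {},
        "actions": [{"kind": "journal_to", "address": "journal@example-university.edu"}],
    },
    {
        "name": "Research data review",
        "scope": "organization",
        "type": "content_compliance",
        "conditions": {"keywords": ["clinical trial", "AI research"]},
        "actions": [{"kind": "bcc", "address": "review-inbox@gmail.com"}],
    },
    {
        "name": "Out of office helper",
        "scope": "user",
        "type": "mailbox",
        "conditions": {},
        "actions": [{"kind": "forward", "address": "me@example-university.edu"}],
    },
])

# Assumed institutional domains; subdomains of these count as internal.
INTERNAL_DOMAINS = {"example-university.edu"}
# Rule types that live above the mailbox, which is where this campaign's rules sat.
ADMIN_RULE_TYPES = {"content_compliance", "transport", "journal"}
# Actions that cause a copy of the message to leave the original recipient's mailbox.
EGRESS_ACTIONS = {"bcc", "forward", "redirect", "journal_to"}


def address_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, internal_domains: set[str]) -> bool:
    """True when the address's domain is neither an internal domain nor a subdomain of one."""
    domain = address_domain(address)
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_rules(export_json: str, internal_domains: set[str]) -> list[dict]:
    """Return one finding per admin-level rule action that copies mail to an external address.

    User-level mailbox rules are deliberately skipped here: they belong to the
    existing mailbox-rule review, and the gap this audit closes is the
    organization-wide policy layer that such reviews miss.
    """
    findings = []
    for rule in json.loads(export_json):
        if rule.get("scope") != "organization" or rule.get("type") not in ADMIN_RULE_TYPES:
            continue
        for action in rule.get("actions", []):
            address = action.get("address", "")
            if action.get("kind") in EGRESS_ACTIONS and address and is_external(address, internal_domains):
                findings.append({
                    "rule": rule["name"],
                    "type": rule["type"],
                    "action": action["kind"],
                    "address": address,
                    "keywords": rule.get("conditions", {}).get("keywords", []),
                })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_EXPORT, INTERNAL_DOMAINS):
        print(f"{finding['type']} rule '{finding['rule']}' {finding['action']}s to "
              f"{finding['address']} on keywords {finding['keywords']}")
```

The internal-domain allowlist is the one piece that must be maintained: a rule journaling to a legitimately outsourced archive provider is external by this test and needs to be recorded as a known exception rather than silently excluded, so that the next reviewer still sees it.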

The collection targets: clinical trials, AI, defense and more

  • Sensitive defense intelligence (a matter of national security)
  • Artificial intelligence
  • Medical research, including clinical trial data and drug discovery
  • Indo-Pacific command operations
  • Cyber offensive programs
  • Uncrewed vehicle systems (drone technology)
  • Viral disease research

Calderone summarized the targeting bluntly: “The collection targets read like a national security wish list.” The range of topics named in GTIG’s findings spans both biomedical research and defense-related programs.

What this means for technologists, medical researchers, and policymakers

  • Technologists and security teams: Immediately inspect REDCap upgrade files using the YARA rules Google published, remove legacy REDCap versions, and audit admin-level email policies (content compliance, transport, journal rules) for covert forwarding to external addresses.
  • Medical research institutions: Move REDCap administrative interfaces off the public internet — behind VPNs or restricted to institutional IP ranges — and validate servers with external tools because patching alone will not remove malware that controls the upgrade workflow.
  • Policymakers and regulators: The campaign’s explicit targeting of defense and AI-related programs, alongside clinical and viral disease research, highlights cross-cutting national-security and public-health implications that merit coordinated attention to enterprise email controls and long-running software persistence.

The lesson from GTIG and Suzu Labs is unmistakable: when an attacker controls the upgrade mechanism, conventional patching can become a false assurance. As Calderone put it, "Once the malware owns the upgrade workflow, the server can't tell you it’s clean. You need external validation to catch it." Organizations running REDCap or similar research platforms — and the teams that oversee enterprise email policies — are therefore left with two immediate tasks: verify that upgrade artifacts are pristine, and assume that perimeter fixes alone may not eject a determined intruder.

Original reporting: SecurityMagazine — Chinese Hackers Targeting AI, Cyber and National Defense Research