Chinese Spies Exploit Medical, Military Networks for Over a Year

"It's one of the most interesting grocery shopping lists of things to collect that I’ve seen from a state-sponsored actor," Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, told The Register.

UNC6508: a sustained, cross-domain espionage campaign

Google tracks the intrusion crew as UNC6508. According to a Monday report and interviews with Google analysts, the group operated in North America for more than a year inside the networks of multiple medical and military research organizations. Google will not disclose the full count of victims, but said the operation targeted "several national, state, and private medical entities." The report adds that the victims include "world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies," with research spanning "molecular discovery and clinical drug trials to state-level public health policy and military readiness."

REDCap servers were the initial foothold; the timeline begins in September 2023

All of the attacks began with exploitation of externally facing REDCap (Research Electronic Data Capture) servers — the platforms universities, hospitals, and research institutions use to manage online databases, surveys, and clinical research data. Google’s incident responders first detected the campaign in early 2025, but traced activity back to at least September 2023, when UNC6508 compromised a REDCap server belonging to a North American medical research institution. Google notified the victims it identified and offered them assistance, and McNamara said the company "suspect[s] there's probably even more" infections beyond those it notified.

InfiniteRed: a three-module custom malware suite

Three months after gaining access to REDCap instances, the intruders deployed custom malware Google named InfiniteRed. The malware includes three modular components: first, a persistence mechanism that maintains remote access by intercepting the REDCap upgrade process and injecting code into new versions; second, a credential harvester that is injected into the authentication system file to capture legitimate login data; and third, a backdoor with custom hooks that executes on every REDCap page load. Google identified "multiple" US- and Canada-based organizations infected with InfiniteRed and assisted with remediation.

"Patroit" compliance rule and a steady stream of stolen emails

After harvesting credentials, UNC6508 elevated access to admin accounts and moved deeper into victims' internal networks. The attackers then created content compliance rules — a legitimate cloud productivity feature used to manage messages — to exfiltrate targeted emails. The malicious rule was named "Patroit" (a misspelling of "Patriot") and matched keywords and email-address patterns in sent or received messages; matched messages were silently BCC-forwarded to an attacker-controlled Gmail account, BebitaBarefoot774[@]gmail[.]com. Google Threat Intelligence Group disabled that Gmail account to stop further exfiltration.
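As an added illustration (not code from the report or from Google's own tooling), the check below audits a constructed set of mail content-compliance rules shaped like the "Patroit" rule described above and flags any rule that silently copies matching mail to an address outside the organization. The field names, the organization's domain, and the sample rules are assumptions.

```python
# Domains that belong to the organisation; anything else is "external". Assumed value.
ORG_DOMAINS = {"example-hospital.org"}
# Consumer webmail domains: a copy of internal mail landing here deserves scrutiny. Assumed list.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

# Constructed sample of content-compliance rules, shaped like an admin export
# (the field names are assumptions). "Patroit" models the rule described in the report.
SAMPLE_RULES = [
    {"name": "PHI-outbound-quarantine", "scope": "outbound",
     "match": ["MRN", "SSN"], "action": {"type": "quarantine"}},
    {"name": "Patroit", "scope": "inbound_outbound",
     "match": ["chikungunya", "unmanned drone", "@bigdefense.example"],
     "action": {"type": "add_recipient", "mode": "bcc",
                "recipients": ["BebitaBarefoot774@gmail.com"]}},
    {"name": "Legal-hold-copy", "scope": "inbound_outbound",
     "match": ["litigation hold"],
     "action": {"type": "add_recipient", "mode": "cc",
                "recipients": ["legal-archive@example-hospital.org"]}},
]

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def audit_rule(rule, org_domains=ORG_DOMAINS):
    """Return the reasons a rule looks like an exfiltration channel ([] if clean)."""
    reasons = []
    action = rule.get("action", {})
    if action.get("type") != "add_recipient":
        return reasons  # quarantine/reject rules do not copy mail anywhere
    external = [r for r in action.get("recipients", []) if _domain(r) not in org_domains]
    if external:
        reasons.append(f"copies matching mail outside the organisation: {external}")
    if any(_domain(r) in WEBMAIL_DOMAINS for r in external):
        reasons.append("recipient is a consumer webmail account")
    if action.get("mode") == "bcc":
        reasons.append("copy is added as BCC, invisible to sender and recipient")
    if rule.get("scope") == "inbound_outbound" and external:
        reasons.append("rule applies to both sent and received mail")
    return reasons

def suspicious_rules(rules=SAMPLE_RULES, org_domains=ORG_DOMAINS):
    """Map rule name -> findings, for every rule with at least one finding."""
    findings = {r["name"]: audit_rule(r, org_domains) for r in rules}
    return {name: why for name, why in findings.items() if why}

if __name__ == "__main__":
    for name, why in suspicious_rules().items():
        print(name)
        for w in why:
            print("  -", w)
```

Only "Patroit" is reported; the legitimate legal-hold copy to an internal mailbox and the quarantine rule pass clean.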

The search terms used by the intruders mixed defense-related keywords and niche medical topics. McNamara said the list contained "defense-related activity" and included searches for emails that used "@ and then a big defense name," as well as "specific email addresses of individuals at more niche defense companies." The threat actors also searched for some medical research facilities and the pathogen "Chikungunya" — a mosquito-borne viral disease responsible for an outbreak in China's Guangdong province in July 2025 — alongside terms such as unmanned drones and unmanned vehicles. McNamara floated one theory: the group may have been tasked with collecting across a wide set of national-security-related terms and might have copy‑and‑pasted the same list across multiple victims, including institutions outside the typical defense space.

What the campaign means for technologists, medical institutions, and policymakers

  • Technologists and security teams: defenders will be focused on externally facing REDCap instances, the integrity of upgrade processes, and the presence of unexpected content-compliance rules. Google reported it disabled the attacker-controlled Gmail account and offered cleanup help to victims.
  • Medical and military health institutions: organizations named in the report span clinical providers, academic centers, and military health institutions; these groups must account for the possibility that administrative accounts and internal correspondence were accessed, and audit email compliance rules and account privileges accordingly.
  • Policymakers and regulators: the campaign’s mix of defense-related and medical research targets — including searches for Chikungunya and unmanned systems within medical networks — highlights cross-domain collection that may implicate public-health research and defense-related exchanges between institutions.

UNC6508’s operation combines a clear technical playbook — REDCap exploitation, InfiniteRed modules, credential theft, and email exfiltration via compliance rules — with a curious collection list that spans drones, defense emails, and a mosquito-borne pathogen. Google has notified and assisted identified victims and disabled the attacker-controlled inbox, but the company also acknowledged it suspects additional, undisclosed victims. A pressing, specific question remains: how many more externally facing REDCap servers were compromised between the earliest known intrusion in September 2023 and the campaign’s detection in early 2025?

Original story (The Register)