Chinese Hackers Targeting AI, Cyber and National Defense Research

Google Threat Intelligence Group (GTIG) identified a campaign conducted by UNC6508, a threat actor linked to the People’s Republic of China (PRC). The campaign went undetected for more than one year. It compromised external-facing web applications, used bespoke malware, moved laterally to internal systems, and abused administrative tools for exfiltration.
The threat actor typically targets REDCap servers. REDCap, a software platform for creating and managing online databases and surveys, is widely used by the North American medical research community. Three months after the initial compromise, the threat actor deployed a custom malware payload that GTIG calls INFINITERED.
Denis Calderone, CTO at Suzu Labs, comments, “The most concerning part of the UNC6508 campaign is that patching would have preserved the compromise. INFINITERED embeds itself into REDCap’s upgrade workflow, so when an institution upgrades to fix vulnerabilities, the malware survives and re-infects the new version. Once the malware owns the upgrade workflow, the server can't tell you it’s clean. You need external validation to catch it.
“UNC6508 was inside one medical research institution from September 2023 through November 2025, over two years before Google discovered them. REDCap by design allows administrators to keep legacy versions running alongside current ones because active clinical studies depend on specific versions and can’t be disrupted mid-trial. The problem is those older versions still had known remote code execution vulnerabilities, and they’re sitting on the same server, still internet-facing. UNC6508 probed for those legacy versions specifically. The institution may have upgraded to the latest REDCap, but the old vulnerable version was still right there.”
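The point made above, that a server whose upgrade workflow is owned by the malware cannot vouch for itself, is usually answered with an out-of-band integrity check: take a manifest of the deployed tree from a known-clean copy, keep it off the server, and compare against a fresh manifest after every upgrade. The following is an added example of that comparison, not code from the article, from GTIG, or from Suzu Labs. The directory layout and file names are constructed for the demo and do not reflect REDCap's real file structure.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Report files that appeared, disappeared, or changed relative to the baseline.

    The baseline should be generated from a clean distribution on a separate,
    trusted host, so a compromised server cannot tamper with both sides.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean tree, then a tampered 'upgrade' of it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed clean install (hypothetical paths, not REDCap's own layout).
        clean = {
            "app/upgrade_step.php": "<?php // clean upgrade step\n",
            "app/index.php": "<?php // front controller\n",
        }
        for rel, content in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(content)
        baseline = build_manifest(root)

        # Simulate what a malicious upgrade hook would leave behind:
        # one shipped file altered, one unexpected file dropped in.
        with open(os.path.join(root, "app/upgrade_step.php"), "a") as f:
            f.write("// injected code\n")
        with open(os.path.join(root, "app/persist.php"), "w") as f:
            f.write("<?php // dropped file\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` on the pristine release on a trusted host and store the result there; after each upgrade, regenerate on the production server and feed both to `diff_manifests`. Any entry under `added` or `modified` that the vendor's release notes do not explain is what needs a second look, which is also where published YARA rules fit in.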
The threat actor’s collection targets include:
- Sensitive defense intelligence (a matter of national security)
- Artificial intelligence
- Medical research
- Indo-Pacific command operations
- Cyber offensive programs
- Uncrewed vehicle systems
“The collection targets read like a national security wish list: clinical trial data, drug discovery research, AI, drone technology, cyber offensive programs, Indo-Pacific command operations, and viral disease research,” says Calderone. “The exfiltration technique is what really caught our attention though. We’ve been advising clients on the O365 mailbox rules persistence problem, where attackers create hidden forwarding rules that survive password resets. UNC6508 took the same concept to an enterprise admin level. They created domain content compliance rules with keyword filters for those exact topics, then silently BCC’d every matching email to an attacker-controlled Gmail address. That’s not a user-level mailbox rule that your SOC is likely to catch.
“If you’re running REDCap, inspect your upgrade files for unauthorized modifications using the YARA rules Google published and remove any legacy versions immediately. The data collection endpoints may need external access for multi-site trials, but the admin interface does not. Get it off the internet. Put it behind your VPN or restrict it to institutional IP ranges. Beyond REDCap, audit your email infrastructure beyond user-level rules. Check admin-level content compliance policies, transport rules, and journal rules for forwarding to external addresses. If you checked your mailbox rules after the O365 issue but didn’t look at admin-level policies, go do that now.”
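The audit recommended above, checking admin-level compliance, transport and journal rules (not just user mailbox rules) for copies sent to addresses outside the organization, comes down to one test applied to every rule: does any forwarding-type action name a recipient whose domain is not the institution's own? The script below is an added example of that logic and is not code from the article or from any of the parties it quotes. The rule schema, the sample rules, and the domains `example-med.edu`, `gmail.com` and `outlook.com` are constructed for the demo; a real export from Exchange Online or Google Workspace would first need to be mapped onto this shape.

```python
from email.utils import parseaddr

# Action types that cause a copy of a message to leave the tenant.
# Names are assumed for this example, not any vendor's API field names.
FORWARDING_ACTIONS = ("bcc", "redirect", "forward", "journal_to", "add_recipient")


def address_domain(addr):
    """Return the lower-cased domain of an address, or None if it cannot be parsed.

    parseaddr copes with display-name forms such as 'Name <user@example.com>'.
    """
    _name, email = parseaddr(addr)
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower().strip(". ")


def is_internal(addr, internal_domains):
    """True only when the address sits in, or under, an institutional domain."""
    dom = address_domain(addr)
    if dom is None:
        return False  # unparseable targets are treated as suspicious, not ignored
    return any(dom == d or dom.endswith("." + d) for d in internal_domains)


def audit_rules(rules, internal_domains):
    """Flag every forwarding-type action whose target is outside the organization.

    Each finding keeps the rule's keyword conditions, because an admin-level
    rule that both filters on research topics and copies mail externally is
    the pattern the campaign used.
    """
    internal_domains = [d.lower() for d in internal_domains]
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        for action in FORWARDING_ACTIONS:
            for target in actions.get(action, []):
                if not is_internal(target, internal_domains):
                    findings.append({
                        "rule": rule["name"],
                        "scope": rule.get("scope", "unknown"),
                        "action": action,
                        "target": target,
                        "keywords": list(rule.get("conditions", {}).get("keywords", [])),
                    })
    return findings


# Constructed sample export: a benign journal rule, a benign internal BCC,
# an admin-level compliance rule leaking to a webmail address, a user-level
# forward, and a malformed target that should still surface for review.
SAMPLE_RULES = [
    {"name": "Legal hold journaling", "scope": "admin",
     "actions": {"journal_to": ["archive@compliance.example-med.edu"]}},
    {"name": "Grants intake copy", "scope": "admin",
     "actions": {"bcc": ["Research Ops <grants-inbox@EXAMPLE-MED.EDU>"]}},
    {"name": "Content compliance - research", "scope": "admin",
     "conditions": {"keywords": ["clinical trial", "drone", "Indo-Pacific"]},
     "actions": {"bcc": ["collector.2023@gmail.com"]}},
    {"name": "Personal forward", "scope": "user",
     "actions": {"forward": ["me@outlook.com"]}},
    {"name": "Broken rule", "scope": "admin",
     "actions": {"redirect": ["no-at-sign"]}},
]


def demo():
    return audit_rules(SAMPLE_RULES, ["example-med.edu"])


if __name__ == "__main__":
    for finding in demo():
        print(f"[{finding['scope']}] {finding['rule']}: {finding['action']} -> "
              f"{finding['target']} keywords={finding['keywords']}")
```

Feed the output into whatever ticketing your SOC already uses; the value is in running it against admin-level rule sets on a schedule, since a one-off check after the O365 mailbox-rule wave would have missed a compliance rule added later.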