Attack Overview

A China-linked espionage group tracked as UNC6508 spent over a year inside North American medical, academic, and military research networks, stealing sensitive data and defense email. The attackers compromised REDCap (Research Electronic Data Capture) servers and then abused a built-in Google Workspace feature to exfiltrate emails.

Google's Threat Intelligence Group (GTIG) published a report this week detailing the campaign, which ran from September 2023 to November 2025. Victims include clinical providers, academic centers, military health institutions, advocacy groups, and health regulators across the US and Canada.

Initial Access: REDCap Backdoor

The entry point was REDCap, a web platform used by hospitals and universities to manage clinical study databases. UNC6508 compromised externally facing REDCap servers. Google has not identified the initial access vector or a specific CVE, but observed the group probing older, vulnerable installations.

About three months after initial compromise, the group deployed custom malware called INFINITERED. This malware trojanizes REDCap's system files and performs three actions:

  • Hijacks the upgrade process so every new REDCap version reinjects the malware
  • Harvests usernames and passwords from the login page, storing them encrypted in local database tables
  • Acts as a backdoor receiving commands via HTTP cookies on every page load

Lateral Movement and Privilege Escalation

Once on the server, UNC6508 conducted internal reconnaissance and credential discovery, pulling database and service account credentials. These logins enabled lateral movement to a domain administrator account. Google does not describe the exact path to admin access.

Exfiltration: Google Workspace Content Compliance Rules

With admin rights, the group set up an exfiltration method requiring no additional malware. They abused content compliance rules, a legitimate Google Workspace feature that scans email for keywords and can copy or forward matching messages. The group created a rule (misspelled "Patroit") that watched for nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace silently BCC'd it to an attacker-controlled Gmail address.

This technique is particularly insidious because it leaves almost no forensic trace on the mail system. No malware on the mail server, no separate exfiltration tool, no unusual network traffic—just a built-in administrative feature turned against the organization.

MITRE already catalogs email forwarding rule abuse under T1114.003, but Google flags the use of domain-level content compliance rules as novel for a China-linked actor.

Targeted Keywords

The rule's keyword list mapped to UNC6508's collection priorities:

  • Geo-strategic policy
  • Military strategy and equipment
  • Advanced technology including AI and uncrewed vehicles
  • Offensive cyber programs
  • Medical research

One standout term: "chikungunya," the mosquito-borne virus behind a major 2025 outbreak in China's Guangdong province that infected over 16,000 people.

Broader Context

This campaign follows a pattern seen with ShinyHunters exploiting an unpatched Oracle PeopleSoft zero-day to breach over 100 organizations, two-thirds of them universities. In both cases, attackers targeted enterprise software that research institutions depend on, and victims had limited visibility until an external party disclosed the intrusion.

Defensive Recommendations

Google recommends the following actions:

  • Patch externally facing REDCap servers and remove old versions entirely. REDCap allows legacy installations to run alongside current ones, enabling downgrade attacks.
  • Review Google Workspace content compliance and mail forwarding rules for anything that BCCs or reroutes email to external addresses.
  • Check admin audit logs for when rules changed, not just what they currently say.
  • Hunt for INFINITERED using GTIG's published indicators of compromise.
  • Deploy phishing-resistant MFA on administrator accounts, since the entire email theft step depended on admin access.

Technical Details for Developers

INFINITERED detection: The malware modifies REDCap system files. Look for unexpected modifications in the REDCap installation directory, especially files related to the upgrade process. Check for HTTP cookie-based command channels.

Auditing Google Workspace rules: Use the Admin SDK Reports API to query for changes to compliance rules. Example command to list recent rule modifications:

gam print domain-message-compliance > compliance_rules.csv

Then check the export for rules whose BCC (or reroute) action targets an address outside your own domains.
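As an added illustration (not code from the GTIG report or from GAM), a small Python audit of an exported rule list that implements the check just described: it flags any rule whose copy or reroute action sends mail to a domain the organization does not own and reports how many match terms the rule carries. The CSV column layout, the organization domain and the sample rows are assumptions constructed for this example.

```python
"""Audit exported Workspace content compliance rules for the pattern above:
an action that BCCs or reroutes mail to an address outside the organization.
Added example; CSV columns are assumed, not GAM's exact layout."""
import csv
import io
import re

# Assumed: the domains the organization owns. Anything else is external.
ORG_DOMAINS = {"example-hospital.org"}

# Constructed sample export (illustrative rows, not real rule data).
SAMPLE_CSV = """name,match_terms,actions,recipients
Patroit,"chikungunya;uncrewed;AI;offensive cyber",add_bcc,collector@gmail.com
Legal Hold,"subpoena;litigation",add_bcc,legalhold@example-hospital.org
Block Executables,"*.exe",reject,
"""

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Actions that copy or redirect a message somewhere else.
COPY_ACTIONS = ("bcc", "forward", "reroute", "redirect")


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the address's domain is neither ours nor a subdomain of ours."""
    match = EMAIL_RE.fullmatch(address.strip())
    if not match:
        return False
    domain = match.group(1).lower()
    return not any(domain == d or domain.endswith("." + d) for d in org_domains)


def audit_rules(csv_text, org_domains=ORG_DOMAINS):
    """Return one finding per rule that copies or reroutes mail externally."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        actions = row.get("actions", "").lower()
        if not any(a in actions for a in COPY_ACTIONS):
            continue  # rejecting or quarantining mail does not leak it
        recipients = [r for r in re.split(r"[;\s]+", row.get("recipients", "")) if r]
        external = [r for r in recipients if is_external(r, org_domains)]
        if not external:
            continue  # an internal BCC (e.g. legal hold) is expected
        terms = [t for t in row.get("match_terms", "").split(";") if t.strip()]
        # keyword_count is worth surfacing: the UNC6508 rule matched ~150 terms
        findings.append({"name": row.get("name", ""), "action": actions,
                         "external": external, "keyword_count": len(terms)})
    return findings
```

Run `audit_rules` over the real export and treat every finding as a rule to justify or delete; a rule with a long match list and an external recipient is the shape this campaign used.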

REDCap hardening: Remove unused REDCap versions from the server. The default installation may leave older versions accessible. Use find /var/www/redcap -type d -name 'redcap_v*' to list versions and remove those not in use.

Conclusion

The REDCap backdoor got them in. The Google Workspace rule got the data out. Defenders need to audit both. Start by reviewing your Google Workspace content compliance rules for any BCC to external addresses, and patch your REDCap servers immediately.