Ethical Hacking News

A sophisticated threat actor targets North American medical research community and national defense sector



In a significant development, the Google Threat Intelligence Group has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor. The campaign targeted institutions in the North American academic, medical, and military research community, pursuing artificial intelligence, cyber, medical, and national defense research.

  • The Google Threat Intelligence Group identified a sophisticated campaign attributed to UNC6508, a PRC-nexus threat actor.
  • The campaign targeted institutions in the North American academic, medical, and military research community.
  • The threat actor compromised externally facing web applications, deployed bespoke malware, and pivoted to sensitive internal systems.
  • The malware, INFINITERED, implemented functionality across three modular components by trojanizing legitimate REDCap system files.
  • The campaign used overlapping credentials to access administrator accounts and leveraged content compliance rules for data exfiltration.
  • The threat actor relied on Obfuscation (OBF) networks to route traffic from offensive operations.
  • Google Threat Intelligence Group has issued recommendations for defenders to mitigate this threat, including securing admin accounts and monitoring audit logs.



The Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor. The campaign targeted institutions in the North American academic, medical, and military research community, pursuing artificial intelligence, cyber, medical, and national defense research.

GTIG reported that the threat actor compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal systems, and abused enterprise administrative tools for covert data exfiltration. The threat actor had broad collection aspirations, including sensitive defense intelligence related to national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research.

The campaign began in September 2023, when a REDCap server belonging to a North American medical research institution was compromised; continuing activity was observed through November 2025. The threat actor exploited externally facing REDCap servers and deployed custom malware named INFINITERED to capture legitimate REDCap login credentials. After remaining undetected for more than a year, UNC6508 used the captured credentials to access the victim's internal network.

The malware implements its functionality across three distinct modular components by trojanizing legitimate REDCap system files. The threat actor also deployed a web shell named "help.php," which maintained persistence and functioned as an uploader in the REDCap application. INFINITERED injects a credential harvester into the authentication system file to compromise user accounts, capturing usernames and passwords submitted via POST requests during the login process.

Two of INFINITERED's capabilities are a dropper and upgrade interception: the malware injects its code into new REDCap versions by intercepting the upgrade process, so its remote access survives upgrades.

Additionally, UNC6508 used overlapping credentials to access an administrator account, exploiting vulnerabilities in the organization's systems. The threat actor leveraged content compliance rules, a legitimate feature present in many cloud-based enterprise productivity suites, to exfiltrate specific email communications. Administrators create these rules to manage email messages whose content matches predefined sets of words, phrases, text patterns, or numerical patterns.

UNC6508's use of content compliance rules for data exfiltration is a novel technique not previously observed with PRC-nexus threat actors. The patterns used in the "Patroit" compliance rule suggest strategic intelligence collection targeting geo-strategic policy, military strategy, advanced technology, and medical research.

The threat actor relied heavily on Obfuscation (OBF) networks, routing traffic from offensive operations through a mix of compromised routers, residential proxies, Virtual Private Servers (VPS), and other devices. The campaign was attributed to UNC6508 with high confidence, based on infrastructure overlaps between campaigns, the consistent use of the INFINITERED backdoor on REDCap servers, and the specific targeting of medical research and defense sectors.

The Google Threat Intelligence Group has issued recommendations for defenders to mitigate this threat, including securing admin accounts, preventing cookie theft, monitoring audit logs, controlling data, auditing compliance rules, SIEM coverage, password protection, patching REDCap, and monitoring for INFINITERED.
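Two of the symptoms described above, a trojanized application file (the injected credential harvester) and a dropped uploader such as "help.php", are exactly what a file-integrity baseline of the web root catches. The following Python script is an added example written for this page; it is not code from the article or from GTIG. The directory layout, the file names ("redcap_app/auth/login.php", "index.php", "help.php"), the manifest format and the list of server-side code extensions are all constructed placeholders, not real REDCap paths or indicators.

```python
"""File-integrity check for a web-application root, in the spirit of the
"monitoring for INFINITERED" and "patching REDCap" recommendations above.

Added example, not code from the article or from GTIG. Everything below is
constructed for illustration: the directory layout, the file names
('redcap_app/auth/login.php', 'help.php') and the manifest format are
placeholders, not real REDCap paths or real indicators.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest.
    Take this snapshot right after a clean install or a verified upgrade."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    # Keep the baseline off the web server (read-only media or a separate host):
    # a baseline the intruder can rewrite is no baseline.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def diff_against_manifest(root: Path, baseline: dict) -> dict:
    """Return files whose content changed, files that appeared, and files that vanished.
    A changed application file and a new PHP file in the web root are the two
    symptoms the article describes (trojanized system files, a dropped web shell)."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def suspicious_additions(report: dict) -> list:
    """Flag added files that are server-side code; an uploader like the 'help.php'
    the article mentions would land here. The extension list is an assumption."""
    code_suffixes = (".php", ".phtml", ".phar")
    return [f for f in report["added"] if f.lower().endswith(code_suffixes)]


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, simulate the two changes the
    article describes, and re-check. Returns the diff report plus flagged additions."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        app = root / "redcap_app"          # placeholder layout, not REDCap's real one
        (app / "auth").mkdir(parents=True)
        login = app / "auth" / "login.php"
        login.write_text("<?php /* placeholder: verifies the submitted password */\n")
        (app / "index.php").write_text("<?php /* placeholder front controller */\n")

        baseline_path = Path(store) / "baseline_demo.json"   # kept outside the web root
        save_manifest(build_manifest(root), baseline_path)

        # Simulated tampering: text appended to the auth file, a new PHP file dropped.
        login.write_text(login.read_text() + "/* simulated appended code */\n")
        (root / "help.php").write_text("<?php /* simulated uploader */\n")

        report = diff_against_manifest(root, load_manifest(baseline_path))
        report["flagged"] = suspicious_additions(report)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is rebuilt only as part of a verified upgrade, which also addresses the upgrade-interception behaviour described above: any change to application files outside an upgrade window, and any new server-side code file in the web root, is an alert to investigate rather than something to silently re-baseline.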



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-sophisticated-threat-actor-targets-North-American-medical-research-community-and-national-defense-sector-ehn.shtml
  • https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research/

Published: Wed Jun 17 18:44:13 2026 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.