Ethical Hacking News
PRC-linked spies have been hiding in plain sight within medical research networks for over a year, using custom malware to steal sensitive data. The incident highlights the growing threat of state-sponsored espionage and underscores the need for greater collaboration to counter this threat.
Chinese government spies have been hiding in plain sight within North American medical and military research organizations for over a year, using custom malware to steal sensitive data. The attackers used externally facing REDCap servers, which store sensitive clinical research data, as their way into the networks. They deployed custom malware named InfiniteRed to capture legitimate login credentials and compromise user accounts, stole sensitive information including email addresses, phone numbers, and defense-related activity, and snooped through Gmail inboxes. The incident highlights the growing threat of state-sponsored espionage and underscores the need for greater collaboration to counter this threat.
In a revelation that has stunned cybersecurity experts and researchers, Google has disclosed that Chinese government spies have been hiding in plain sight within the networks of multiple North American medical and military research organizations for more than a year. The spy crew, tracked by Google as UNC6508, used custom malware to establish its presence, stole sensitive data, and even snooped through Gmail inboxes to gather information.
According to Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, the intruders employed some particularly noteworthy search terms while scanning for data to steal. These included esoteric topics such as drone technology and Chikungunya, a viral disease spread to humans by mosquitoes. The search terms also revealed that the attackers were on the hunt for everything from defense-related activity to professional email addresses and phone numbers for members of organizations in these spaces.
The Google Threat Intelligence Group discovered that the malicious actors had been exploiting externally facing REDCap servers, which are primarily used by universities, hospitals, and research institutions to build and manage online databases and surveys, and to store sensitive clinical research data. The earliest known intrusion occurred in September 2023, when UNC6508 compromised a REDCap server belonging to a North American medical research institution.
Once inside, the attackers deployed custom malware named InfiniteRed to capture legitimate REDCap login credentials. The malware included three modular components: one that maintained persistent remote access by injecting its code into new REDCap versions after intercepting the upgrade process, another that compromised user accounts through authentication system files, and a third that functioned as a backdoor with custom hooks that executed on every REDCap page load.
Google's threat intelligence team identified multiple US and Canada-based organizations infected with InfiniteRed and offered assistance with removing the malware. After remaining undetected for more than a year, the attackers used the stolen credentials to access admin accounts and the victims' internal network. Finally, they added stealthy domain-wide content compliance rules to siphon off email.
The malicious actors created a compliance rule whose name was a misspelling of "Patriot" to match keywords and email address patterns in sent or received emails. Matching messages were then silently BCC-forwarded to an attacker-controlled Gmail address, BebitaBarefoot774[@]gmail[.]com, delivering a steady stream of geo-strategic policy, military strategy, advanced technology, and medical research emails to the PRC-linked crew.
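The mail-rule exfiltration described above is something a defender can audit for. The following is an added example, not code from the article or from Google: it models a content-compliance rule as a small record and flags any rule that copies matching mail to a recipient outside the organization's own domains. The rule schema, the field names, the tenant domain and the sample rules are all constructed for illustration; a real Workspace export uses its own format.

```python
"""Audit mail content-compliance rules for silent external BCC exfiltration.

Added example: the rule schema and sample data below are constructed and
do not reproduce any vendor's export format.
"""
from dataclasses import dataclass, field

ORG_DOMAINS = {"example-research.edu"}  # constructed: domains the tenant owns


@dataclass
class ComplianceRule:
    name: str
    match_keywords: list[str]                  # keywords the rule matches on
    actions: dict = field(default_factory=dict)  # e.g. {"bcc": [...], "forward": [...]}
    created_by: str = ""                       # admin account that created the rule


def external_recipients(rule: ComplianceRule, org_domains: set[str]) -> list[str]:
    """Return BCC/forward recipients whose domain the organization does not own."""
    targets = rule.actions.get("bcc", []) + rule.actions.get("forward", [])
    return [a for a in targets if a.rsplit("@", 1)[-1].lower() not in org_domains]


def audit_rules(rules: list[ComplianceRule], org_domains: set[str] = ORG_DOMAINS) -> list[dict]:
    """Flag rules that copy mail outside the org; broad topical matching raises severity."""
    findings = []
    for r in rules:
        ext = external_recipients(r, org_domains)
        if not ext:
            continue  # copies that stay inside the org (archival, legal hold) are not flagged
        # Several topical keywords plus an external copy looks like bulk collection
        severity = "high" if len(r.match_keywords) >= 3 else "medium"
        findings.append({"rule": r.name, "external": ext, "severity": severity,
                         "keywords": r.match_keywords, "created_by": r.created_by})
    return findings


# Constructed sample rules: one benign internal archival copy, one exfil-style rule.
SAMPLE_RULES = [
    ComplianceRule("Legal hold", ["subpoena"],
                   {"bcc": ["archive@example-research.edu"]}, "it-admin"),
    ComplianceRule("Patriot", ["drone", "chikungunya", "defense"],
                   {"bcc": ["attacker-mailbox@example.com"]}, "compromised-admin"),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```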
McNamara stated that one theory behind the attackers' behavior was that they were tasked with collecting data across different categories of national-security-related terms and information. "Maybe they were copy-and-pasting this across multiple victims, including ones outside of this medical research space?" he said. Additionally, some targeted institutions were likely working on research with a military or government agency connection, which would have provided them with access to sensitive information.
The incident highlights the growing threat of state-sponsored espionage in the cybersecurity landscape. Cyber offenses now account for around a third of all crime across Asia and the South Pacific, according to a recent Interpol review. Scams continue to dominate, and AI-enabled attackers are proving too hot to handle for cash-strapped regions.
As governments and organizations around the world seek to strengthen their cybersecurity defenses, this incident serves as a stark reminder of the importance of vigilance and proactive measures. The use of custom malware, exploitation of externally facing servers, and targeted phishing attacks all indicate a sophisticated and well-funded adversary.
In response to the incident, Google's threat intelligence team has alerted all the victims they identified, suspecting that there may be even more organizations involved. The incident also underscores the need for greater collaboration between governments, industry, and academia to share intelligence and best practices in countering state-sponsored espionage.
As the cyber landscape continues to evolve, it is essential for individuals, organizations, and governments to stay vigilant and proactive in protecting themselves against the growing threat of state-sponsored espionage.
Related Information:
https://www.ethicalhackingnews.com/articles/PRC-Linked-Spies-Exploited-Medical-Research-Networks-for-Over-a-Year-to-Steal-Sensitive-Data-ehn.shtml
https://www.theregister.com/research/2026/06/15/google-says-prc-linked-spies-hid-in-medical-research-networks-for-more-than-a-year/5254547
Published: Wed Jun 17 21:20:16 2026 by llama3.2 3B Q4_K_M