
China-Linked Hackers Spent Over a Year Inside US Medical Research Networks

Google's threat intelligence team has exposed a prolonged espionage campaign by a PRC-affiliated group that used REDCap vulnerabilities and a novel email-forwarding trick to quietly siphon sensitive medical and defense research data.

Google Threat Intelligence Group (GTIG) and Mandiant Consulting have jointly disrupted an espionage operation tied to UNC6508, a threat cluster assessed with high confidence to be aligned with People's Republic of China intelligence priorities. The campaign ran from at least September 2023 through November 2025, targeting organizations across the US and Canada whose combined research budgets run into the billions of dollars.

What happened

Attackers initially gained access by exploiting externally accessible REDCap servers — a web-based platform widely used in academic and clinical research for managing surveys and databases. GTIG was unable to confirm the precise exploitation method, but observed the group probing for legacy software versions left running alongside current installations, a permitted REDCap configuration that creates a downgrade-attack surface.

Three months after establishing a foothold, UNC6508 deployed a custom malware family called INFINITERED by trojanizing legitimate REDCap system files. The malware operates across three components: a dropper that intercepts REDCap's own upgrade process to reinject malicious code into each new version, a credential harvester that captures POST-submitted login data and stores it encrypted inside a legitimate database table, and a backdoor that activates via a specially crafted HTTP cookie named REDCAP-TOKEN. INFINITERED can execute shell commands, run arbitrary SQL queries, transfer files, and beacon system details including database credentials back to the operator.

More than a year after the initial breach, the group replayed harvested credentials to access a domain administrator account, then created a content compliance rule — a standard feature in cloud productivity suites — named "Patroit" (the misspelling appears in the original rule). The rule used regular expressions to match emails containing keywords tied to geopolitical, military, medical, and technology topics, silently BCC-forwarding matches to a threat-actor-controlled Gmail address. GTIG subsequently disabled that account.

Key facts
  • Earliest confirmed compromise: September 2023; activity observed through November 2025
  • Targets included clinical providers, academic centers, military health bodies, and health regulators in the US and Canada
  • INFINITERED persisted across REDCap upgrades for more than a year before detection
  • Exfiltration routed through US-based obfuscation networks using compromised routers and residential proxies
  • Compliance rule keyword list included the specific pathogen Chikungunya, which caused a 2025 outbreak in China's Guangdong province

Why it matters

The use of email compliance rules for covert data exfiltration marks a tactic not previously documented among PRC-linked actors, according to GTIG. By abusing a legitimate administrative feature rather than deploying additional tooling, UNC6508 avoided triggering security controls that focus on anomalous software behavior. The group also maintained operational security by routing all activity through US-hosted infrastructure — compromised consumer routers, residential proxies, and VPS nodes — making geographic attribution harder for defenders relying on IP geolocation.

The breadth of collection interests documented in the "Patroit" rule suggests UNC6508's actual target list may extend well beyond the institutions GTIG was able to identify. Intelligence priorities reflected in the keyword patterns include Indo-Pacific military posture, uncrewed vehicle programs, offensive cyber capabilities, and medical research — areas consistent with documented PRC state-sponsored collection requirements.

What to watch

GTIG has pushed indicators of compromise and detections into Google Security Operations and published YARA rules for identifying INFINITERED on REDCap servers. Organizations running REDCap should treat any legacy software version left in place as an active risk surface and prioritize removal alongside patching. GTIG recommends phishing-resistant two-step verification on all administrator accounts, enforcement of Device Bound Session Credentials on sensitive Windows endpoints, and a manual audit of existing email compliance rules for unauthorized modifications.
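As an added example (not GTIG's tooling or REDCap project code), the sketch below lists legacy version directories in a REDCap webroot and compares the live version's files against a clean copy of the same release, a check that goes beyond the article and complements YARA scanning. It assumes version directories are named `redcap_vX.Y.Z` and that you hold a trusted copy of the current release; the sample tree and file names are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: each installed release lives in <webroot>/redcap_vX.Y.Z
VERSION_DIR = re.compile(r"^redcap_v(\d+)\.(\d+)\.(\d+)$")

def sha256_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit_webroot(webroot, current_version, clean_copy):
    """Return (legacy_dirs, changed_files) for a REDCap webroot."""
    current = tuple(int(x) for x in current_version.split("."))
    legacy = []
    for entry in sorted(Path(webroot).iterdir()):
        m = VERSION_DIR.match(entry.name)
        # Any version directory other than the current one is a leftover.
        if entry.is_dir() and m and tuple(map(int, m.groups())) != current:
            legacy.append(entry.name)
    live = sha256_tree(Path(webroot) / f"redcap_v{current_version}")
    good = sha256_tree(clean_copy)
    # Files that were modified, added, or deleted relative to the clean copy.
    changed = sorted(p for p in live.keys() | good.keys()
                     if live.get(p) != good.get(p))
    return legacy, changed

def build_constructed_sample():
    """Constructed demo tree: one legacy directory and one altered file."""
    base = Path(tempfile.mkdtemp())
    web, clean = base / "webroot", base / "clean"
    for d in (web / "redcap_v1.0.0", web / "redcap_v2.0.0", clean):
        d.mkdir(parents=True)
        (d / "index.php").write_text("<?php // original\n")
        (d / "lib.php").write_text("<?php // original\n")
    (web / "redcap_v2.0.0" / "lib.php").write_text("<?php // altered\n")
    return web, clean

if __name__ == "__main__":
    web, clean = build_constructed_sample()
    legacy, changed = audit_webroot(web, "2.0.0", clean)
    print("legacy version directories:", legacy)
    print("files differing from clean copy:", changed)
```

Because the dropper described above reinjects code during upgrades, rerun the comparison after every upgrade rather than once.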

The specific inclusion of Chikungunya-related terms in the exfiltration keyword list, timed against a real outbreak in China, points to an actor with current operational tasking rather than one operating from a static collection template — a detail defenders tracking PRC health-related espionage should factor into threat modeling.

For professionals

Audit all content compliance or mail-routing rules in your cloud productivity tenant immediately: this vector requires no malware on end-user devices and leaves minimal logs by default. Ensure REDCap deployments run only the current version, with legacy installations fully removed, and scan web-accessible servers using the YARA rule GTIG has published.
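One way to run that rule audit over an exported rule list, as an added example that is not from GTIG or any vendor: it flags rules that copy mail to addresses outside the organization, especially as BCC and gated by a content regex, which is the shape of the "Patroit" rule. The export schema, domains, accounts and rule names are hypothetical and constructed.

```python
import re

# Constructed sample export. The schema (name, match_regex, add_recipients,
# modified_by) is hypothetical; map your tenant's real rule export onto it.
SAMPLE_RULES = [
    {"name": "Legal hold journaling", "match_regex": [],
     "add_recipients": [{"address": "journal@corp.example", "bcc": True}],
     "modified_by": "admin@corp.example"},
    {"name": "Keyword review", "match_regex": [r"(?i)vaccine|uncrewed"],
     "add_recipients": [{"address": "collector@mail.example", "bcc": True}],
     "modified_by": "helpdesk@corp.example"},
    {"name": "Broken pattern", "match_regex": ["(unclosed"],
     "add_recipients": [], "modified_by": "admin@corp.example"},
]

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rules(rules, internal_domains, approved_editors):
    """Return {rule name: [reasons]} for rules that need human review."""
    internal = {d.lower() for d in internal_domains}
    findings = {}
    for rule in rules:
        reasons = []
        external = [r for r in rule.get("add_recipients", [])
                    if domain_of(r["address"]) not in internal]
        if external:
            reasons.append("copies mail outside the organization: "
                           + ", ".join(r["address"] for r in external))
        if any(r.get("bcc") for r in external):
            reasons.append("external copy is BCC, invisible to sender and recipients")
        if external and rule.get("match_regex"):
            reasons.append("content regex selects which messages leave")
        for pattern in rule.get("match_regex", []):
            try:  # Python's engine stands in for the mail platform's here
                re.compile(pattern)
            except re.error:
                reasons.append(f"regex does not compile: {pattern!r}")
        if rule.get("modified_by") not in approved_editors:
            reasons.append(f"last modified by unapproved account {rule.get('modified_by')}")
        if reasons:
            findings[rule["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, {"corp.example"},
                                     {"admin@corp.example"}).items():
        print(name, "->", "; ".join(reasons))
```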
