PRC-Nexus UNC6508 Hackers Backdoored REDCap Servers to Spy on Medical and Defense Research


Google’s Threat Intelligence Group has linked a long-running cyber-espionage campaign to UNC6508, a People’s Republic of China-nexus threat actor that targeted North American medical, academic, and military research institutions.

The campaign focused on externally facing REDCap servers, a platform widely used by hospitals, universities, and research teams to manage study data. According to the Google Threat Intelligence Group report, the attackers stayed undetected for more than a year while collecting credentials, moving through internal systems, and abusing enterprise email rules to steal sensitive messages.

The activity began as early as September 2023 and continued through November 2025. Reuters reported that the targets included US and Canadian research organizations working on drug discovery, clinical trials, public health policy, military readiness, artificial intelligence, uncrewed systems, and cyber programs.

What UNC6508 Targeted

UNC6508 targeted organizations with valuable research and national security information. Google said the victim set included clinical providers, academic centers, military health institutions, professional advocacy groups, and health regulatory bodies.

The attackers appeared interested in more than medical data. Their collection priorities also included Indo-Pacific military operations, national defense intelligence, AI research, uncrewed vehicle systems, offensive cyber programs, and other advanced technologies.

Google attributed the activity to UNC6508 with high confidence. The company said the campaign’s targeting, infrastructure, and use of the INFINITERED backdoor aligned with espionage activity and intelligence priorities associated with PRC state interests.

Target area | Why it mattered
Medical research | Clinical trials, drug discovery, disease research, and public health data can hold scientific and strategic value.
Military health institutions | Research tied to military readiness and defense health systems can support broader intelligence collection.
AI and uncrewed systems | Advanced technology programs are high-value targets for espionage and competitive advantage.
Cyber programs | Offensive and defensive cyber research can expose tools, methods, and planning priorities.

REDCap Servers Were the Entry Point

REDCap is a web-based application used to build and manage online surveys and databases. The official REDCap website says the platform is designed for data capture in research studies and operations, including environments that require health and privacy compliance.

Google said it could not confirm the exact initial access method. However, UNC6508 consistently targeted REDCap servers and probed for legacy, vulnerable versions that were still present alongside current installations.

This matters because the older code stays reachable even after administrators install a newer version. If a legacy REDCap instance remains on the same server, attackers can still request and exploit the older code path, and patching the current version does nothing to close it.

INFINITERED Hid Inside REDCap

After gaining a foothold, UNC6508 deployed a custom malware payload called INFINITERED. Google said the malware trojanized legitimate REDCap system files and consisted of three main components: an upgrade interceptor, a credential harvester, and a backdoor.

The upgrade component helped the malware survive software updates. It injected malicious code into new REDCap upgrade packages and used a GUID delimiter to extract and reinsert its own logic during the update process.

The credential harvester captured usernames and passwords submitted through REDCap login requests. It then encrypted the stolen credentials and hid them inside a legitimate REDCap sessions database table.

INFINITERED component | Function | Risk
Upgrade interceptor | Injects malicious code into REDCap upgrade files | Allows persistence even after software updates
Credential harvester | Captures plaintext login credentials from POST requests | Gives attackers access to legitimate accounts
Backdoor | Uses HTTP cookie commands to execute actions | Supports command execution, SQL queries, file transfer, and beaconing
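The credential harvester's use of a legitimate sessions table as a dead drop suggests a table-level check. The following is an added example, not code from Google's report or from the REDCap project. It assumes a table shaped like REDCap's redcap_sessions (an assumed name and layout: session_id, session_data, session_expiration) whose legitimate rows hold PHP session serialization, and it reports rows that fail that grammar or are far larger than their neighbours. The rows are constructed.

```python
"""Hunt for non-session payloads parked in a REDCap-style sessions table.

Added example; not Google's detection logic and not REDCap code. It assumes
a table shaped like REDCap's redcap_sessions (session_id, session_data,
session_expiration) whose legitimate rows hold PHP session serialization
("name|<serialized value>" entries). Rows whose data fail that grammar, or
that dwarf the typical row, are reported. All rows below are constructed.
"""
import base64
import re
import sqlite3
from statistics import median

_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _parse_value(data: str, pos: int) -> int:
    """Consume one PHP-serialized value at pos and return the index after it.

    Handles N; b:; i:; d:; s:len:"..."; and nested a:n:{...}. Anything else,
    including PHP objects, is treated as malformed (ValueError/IndexError).
    """
    tag = data[pos:pos + 2]
    if tag == "N;":
        return pos + 2
    if tag[0] in "bid" and tag[1] == ":":          # bool, int, double end at ';'
        return data.index(";", pos) + 1
    if tag == "s:":                                 # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        if data[colon + 1] != '"' or data[start + length:start + length + 2] != '";':
            raise ValueError("bad string")
        return start + length + 2
    if tag == "a:":                                 # a:<count>:{key value ...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        if data[colon + 1] != "{":
            raise ValueError("bad array")
        pos = colon + 2
        for _ in range(count * 2):                  # keys and values alternate
            pos = _parse_value(data, pos)
        if data[pos] != "}":
            raise ValueError("unterminated array")
        return pos + 1
    raise ValueError(f"unknown type at offset {pos}")


def is_php_session(data: str) -> bool:
    """True if data is a well-formed PHP session string (empty is valid)."""
    pos = 0
    try:
        while pos < len(data):
            bar = data.index("|", pos)
            if not _NAME.fullmatch(data[pos:bar]):
                return False
            pos = _parse_value(data, bar + 1)
    except (ValueError, IndexError):
        return False
    return True


def suspect_sessions(conn: sqlite3.Connection, size_factor: int = 5):
    """Return [(session_id, [reasons])] for rows that do not look like sessions."""
    rows = conn.execute(
        "SELECT session_id, session_data FROM redcap_sessions").fetchall()
    typical = median([len(d or "") for _, d in rows]) if rows else 0
    findings = []
    for sid, data in rows:
        data = data or ""
        reasons = []
        if not is_php_session(data):
            reasons.append("not PHP session serialization")
        if typical and len(data) > size_factor * typical:
            reasons.append(f"{len(data)} bytes vs median {typical:.0f}")
        if reasons:
            findings.append((sid, reasons))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed table: three ordinary sessions and one stashed blob."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE redcap_sessions (session_id TEXT PRIMARY KEY, "
                 "session_data TEXT, session_expiration TEXT)")
    stash = base64.b64encode(b"\x9f" * 300).decode()   # stands in for an encrypted blob
    conn.executemany("INSERT INTO redcap_sessions VALUES (?, ?, ?)", [
        ("s1a7", 'username|s:6:"jsmith";ui_id|i:42;projects|a:2:{i:0;i:7;i:1;i:12;}',
         "2025-11-01 10:00:00"),
        ("b2c4", 'username|s:4:"rlee";ui_id|i:9;', "2025-11-01 10:05:00"),
        ("c3d5", "", "2025-11-01 10:07:00"),
        ("deadbeef", stash, "2099-01-01 00:00:00"),
    ])
    return conn


if __name__ == "__main__":
    for sid, reasons in suspect_sessions(build_sample_db()):
        print(sid, "; ".join(reasons))
```

This is a heuristic, not an INFINITERED signature: an implant could wrap its blob in a valid serialized string and pass the grammar check, which is why the size comparison is kept alongside it and why the file-integrity checks later in this article remain the primary control.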

The Backdoor Used HTTP Cookies for Commands

INFINITERED’s backdoor activated on REDCap page loads and checked each request for an HTTP cookie named REDCAP-TOKEN. When the cookie carried a payload that decrypted correctly, the malware executed the commands it contained.

The backdoor could run shell commands, execute SQL queries, upload files, download files, retrieve stolen credentials, and beacon system information. Google said it discovered INFINITERED across multiple organizations in the US and Canada and notified affected entities.

The campaign shows why defenders need to inspect web application files, not just network traffic. Malware that lives inside legitimate application code can remain quiet for long periods while harvesting credentials and waiting for commands.
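A first triage of a REDCap host can be scripted against the three things the report calls out: stale version directories, modified or unknown PHP files, and the REDCAP-TOKEN cookie marker. The following is an added example, not Google's tooling or REDCap project code. It assumes REDCap's layout of one redcap_vX.Y.Z directory per installed version (so older versions remain reachable until deleted), a known-good hash manifest for the current version, and uses the help.php and REDCAP-TOKEN names from the report; the sample tree is constructed in a temporary directory.

```python
"""Triage a REDCap web root for the traits this campaign abused.

Added example; not Google's detection logic and not REDCap project code.
Assumptions: the web root keeps one redcap_vX.Y.Z directory per installed
version, so stale versions stay reachable until deleted; a known-good
manifest (relative path -> sha256) exists for the current version; the
REDCAP-TOKEN cookie name and help.php web shell name are taken from the
report above. The sample tree and manifest are constructed in a temp dir.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

VERSION_DIR = re.compile(r"^redcap_v(\d+)\.(\d+)\.(\d+)$")
# Strings worth a look in any PHP file: the reported cookie name, plus a
# generic web-shell idiom that is not specific to INFINITERED.
MARKERS = (b"REDCAP-TOKEN", b"eval(base64_decode(")
WEB_SHELL_NAMES = {"help.php"}


def installed_versions(root):
    """Sorted [(version_tuple, dirname)] for every redcap_vX.Y.Z directory."""
    found = []
    for entry in os.scandir(root):
        m = VERSION_DIR.match(entry.name)
        if entry.is_dir() and m:
            found.append((tuple(int(x) for x in m.groups()), entry.name))
    return sorted(found)


def legacy_versions(root):
    """Every version directory except the newest one."""
    return [name for _, name in installed_versions(root)[:-1]]


def triage(root, manifest):
    """Return legacy version dirs plus per-file findings for *.php under root."""
    root = Path(root)
    legacy = legacy_versions(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        content = path.read_bytes()
        # Legacy trees are flagged wholesale above; compare only the live tree
        # against the manifest so the output is not buried in stale files.
        if not any(rel.startswith(v + "/") for v in legacy):
            expected = manifest.get(rel)
            if expected is None:
                findings.append((rel, "not in manifest"))
            elif expected != hashlib.sha256(content).hexdigest():
                findings.append((rel, "hash mismatch"))
        if path.name in WEB_SHELL_NAMES:
            findings.append((rel, "reported web shell filename"))
        for marker in MARKERS:
            if marker in content:
                findings.append((rel, "contains " + marker.decode()))
    return {"legacy_versions": legacy, "findings": sorted(findings)}


def build_sample_root():
    """Constructed web root: a stale v14 tree left beside the v15 install."""
    root = Path(tempfile.mkdtemp(prefix="redcap_"))
    pristine = {
        "redcap_connect.php": b"<?php require 'redcap_v15.0.0/Config.php';\n",
        "redcap_v14.0.0/index.php": b"<?php /* old version, never removed */\n",
        "redcap_v14.0.0/help.php": b"<?php /* stand-in for the reported web shell */\n",
        "redcap_v15.0.0/index.php": b"<?php /* current version */\n",
        "redcap_v15.0.0/Config.php": b"<?php $db = 'redcap';\n",
    }
    for rel, body in pristine.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    # Manifest a packager would ship for the current version and its loader.
    manifest = {rel: hashlib.sha256(body).hexdigest()
                for rel, body in pristine.items() if not rel.startswith("redcap_v14")}
    # Simulate the trojanized file: legitimate content plus extra logic keyed
    # on the cookie the report names (no payload, only the marker).
    (root / "redcap_v15.0.0/Config.php").write_bytes(
        pristine["redcap_v15.0.0/Config.php"]
        + b"if (isset($_COOKIE['REDCAP-TOKEN'])) { /* stand-in */ }\n")
    return root, manifest


if __name__ == "__main__":
    sample_root, sample_manifest = build_sample_root()
    print(triage(sample_root, sample_manifest))
```

On a real host the manifest should come from a clean copy of the same REDCap release, not from the server being examined, and Google's published YARA rule and IOCs should be run alongside this triage rather than replaced by it.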

Google Workspace Rules Were Abused for Email Theft

After stealing credentials and moving deeper into one victim network, UNC6508 gained access to a domain administrator account. The attackers then abused Google Workspace content compliance rules to silently copy sensitive emails.

Google Workspace allows administrators to create advanced Gmail content filtering rules. Google’s content compliance documentation explains that rules can apply to inbound, outbound, or internal messages and can match message content through configured expressions.

UNC6508 created a rule named “Patroit,” a misspelling of “Patriot.” The rule used regular expressions to match nearly 150 keywords, search terms, email addresses, and phone numbers. Matching emails were silently BCC-forwarded to an attacker-controlled Gmail account.

The Keyword List Showed Strategic Intelligence Goals

The “Patroit” rule searched for terms tied to military strategy, advanced technology, AI, cyber programs, and medical research. Google said several terms had spelling errors, suggesting the list was manually maintained.

One term stood out: “Chikungunya.” Google noted that the mosquito-borne virus caused an outbreak in China’s Guangdong province beginning in July 2025, which may point to mission-specific medical intelligence collection.


The technique also avoided the need for a separate email exfiltration tool. Once the rule was active, the victim’s own cloud email system copied messages that matched the attackers’ criteria.

  • The rule name was “Patroit.”
  • The exfiltration account was a Gmail address controlled by the attackers.
  • The rule matched nearly 150 keywords and contact patterns.
  • Matched messages were silently BCC-forwarded.
  • Google disabled the attacker-controlled Gmail account after discovery.
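Because the rule lived in the Workspace admin configuration, the audit trail of Gmail setting changes is the place to look for it. The following is an added example of that review, not Google's detection logic. It assumes records shaped like the Admin SDK Reports API admin activity list, that Gmail setting changes appear as CREATE_GMAIL_SETTING and CHANGE_GMAIL_SETTING events with SETTING_NAME and NEW_VALUE parameters, and that NEW_VALUE is a text rendering of the rule with an "action:" section (the real rendering may differ, so adjust the parsing). The records are constructed.

```python
"""Flag Gmail content compliance rules that quietly add an outside recipient.

Added example; not Google's detection logic. Assumptions: the records are
shaped like the Admin SDK Reports API activities.list(applicationName="admin")
response (id.time, actor.email, ipAddress, events[].name, events[].parameters);
Gmail setting changes arrive as CREATE_GMAIL_SETTING / CHANGE_GMAIL_SETTING
events carrying SETTING_NAME and NEW_VALUE; and NEW_VALUE is a text rendering
of the rule with an "action:" section. All records below are constructed.
"""
import re

ORG_DOMAINS = {"example-research.org"}           # assumed tenant domains
RULE_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

SAMPLE_ACTIVITIES = [
    {   # the kind of rule the report describes: broad match, silent BCC outward
        "id": {"time": "2025-06-02T14:11:09Z"},
        "actor": {"email": "it-admin@example-research.org"},
        "ipAddress": "198.51.100.23",
        "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Content compliance: Patroit"},
            {"name": "NEW_VALUE", "value":
                "messages: inbound, outbound, internal; match_any: "
                "(?i)(chikungunya|uncrewed|indo-pacific|pi.lastname@otheruni.edu); "
                "action: modify message, add recipient (bcc) collector.mailbox@gmail.com"}]}],
    },
    {   # legitimate: archives subpoena-related mail to an internal mailbox
        "id": {"time": "2025-05-20T09:02:44Z"},
        "actor": {"email": "it-admin@example-research.org"},
        "ipAddress": "203.0.113.7",
        "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Content compliance: Legal hold"},
            {"name": "NEW_VALUE", "value":
                "messages: inbound; match_any: (?i)subpoena; "
                "action: add recipient (bcc) legal-archive@example-research.org"}]}],
    },
    {   # unrelated admin event, must be ignored
        "id": {"time": "2025-05-21T11:30:00Z"},
        "actor": {"email": "it-admin@example-research.org"},
        "ipAddress": "203.0.113.7",
        "events": [{"name": "CHANGE_APPLICATION_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Drive sharing"},
            {"name": "NEW_VALUE", "value": "internal only"}]}],
    },
]


def external_recipients(new_value, org_domains):
    """Addresses in the rule's action section that belong to outside domains.

    Only the action can add recipients; the match section may legitimately
    hold outside addresses (the Patroit rule matched on addresses).
    """
    action = new_value.split("action:", 1)[1] if "action:" in new_value else ""
    return sorted(a for a in EMAIL.findall(action)
                  if a.rsplit("@", 1)[1].lower() not in org_domains)


def rule_findings(activities, org_domains=ORG_DOMAINS):
    """One finding per Gmail setting event whose action delivers mail outside."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") not in RULE_EVENTS:
                continue
            params = {p["name"]: p["value"] for p in ev.get("parameters", [])}
            outside = external_recipients(params.get("NEW_VALUE", ""), org_domains)
            if outside:
                findings.append({
                    "time": act["id"]["time"],
                    "actor": act["actor"]["email"],
                    "ip": act.get("ipAddress"),
                    "setting": params.get("SETTING_NAME"),
                    "recipients": outside,
                })
    return findings


if __name__ == "__main__":
    for finding in rule_findings(SAMPLE_ACTIVITIES):
        print(finding)
```

Live records can be pulled with the Reports API call activities().list(userKey="all", applicationName="admin") from the google-api-python-client library. The actor's IP is carried along for pivoting, not used as a trust signal: as the report notes, the operators reached the admin account through US-based obfuscation addresses, so a domestic source IP proves nothing.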

Attackers Used US-Based Obfuscation Networks

Google said UNC6508 relied heavily on obfuscation networks to hide activity. The group routed traffic through compromised routers, residential proxies, VPS infrastructure, and other devices.

In this campaign, Google observed the attackers using US-based obfuscation IP addresses when accessing the attacker-controlled Gmail account and when replaying legitimate credentials to access an enterprise administrator account.

That approach complicated detection and attribution. From a defender’s point of view, malicious activity could appear to come from residential or local infrastructure rather than obvious foreign-hosted command infrastructure.

How Defenders Should Respond

Organizations that run REDCap should patch to the latest version and remove older installations completely. The GTIG advisory specifically warns against leaving legacy REDCap versions available beside current deployments.

Research organizations should also audit web application directories for modified REDCap files, unknown PHP web shells, and INFINITERED indicators. The public REDCap project remains widely used in medical and academic research, which makes exposed deployments valuable targets for espionage groups.

Email administrators should review Gmail routing and compliance settings for unauthorized BCC rules, suspicious keyword filters, and external recipients. The Gmail compliance rule guide shows how powerful these admin features can be when configured by a legitimate administrator, which is why attackers seek admin-level access.

  • Patch REDCap and remove legacy versions from production servers.
  • Scan REDCap systems for INFINITERED using Google’s YARA rule and IOCs.
  • Search for the web shell name help.php and unexpected modified PHP files.
  • Audit content compliance and mail-forwarding rules for silent BCC actions.
  • Require phishing-resistant 2-Step Verification for administrators.
  • Send Workspace audit logs and REDCap server logs to a SIEM.
  • Monitor for logins from residential proxy and compromised router infrastructure.
  • Use DLP controls to detect unusual research data movement.

Why the Campaign Matters

The campaign highlights the strategic value of medical research environments. These organizations often hold clinical data, research results, collaboration records, trial information, and national security-related medical research.

Reuters noted that the organizations described by Google collectively employ thousands of people and manage research budgets in the billions of dollars. That makes them attractive targets for long-term espionage, not just opportunistic cybercrime.

The most concerning part of the campaign is its patience. UNC6508 did not rely on noisy ransomware or quick data theft. It embedded itself in trusted research infrastructure, harvested credentials, gained administrator access, and used a legitimate email feature to collect messages quietly.

For medical, academic, and defense-linked research organizations, the lesson is clear. Public-facing research platforms and cloud email rules need the same level of monitoring as traditional endpoints and network perimeter tools.

FAQ

What is UNC6508?

UNC6508 is a PRC-nexus cyber-espionage threat actor tracked by Google Threat Intelligence Group. Google says the group targeted North American medical, academic, and military research institutions.

What is INFINITERED malware?

INFINITERED is custom malware that trojanizes REDCap system files. It can persist through upgrades, harvest REDCap login credentials, and act as a backdoor for remote commands, SQL queries, file transfer, and beaconing.

How did the hackers steal emails?

The attackers abused Google Workspace content compliance rules after obtaining administrator access. They created a rule named “Patroit” that silently BCC-forwarded emails matching nearly 150 keywords and contact patterns to an attacker-controlled Gmail account.

Did Google identify the exact REDCap vulnerability used?

Google said it could not confirm the exact initial access vector. However, it observed UNC6508 probing for vulnerable legacy REDCap versions and warned organizations to patch REDCap and remove old versions completely.

What should REDCap administrators do now?

REDCap administrators should update to the latest version, remove legacy installations, scan for INFINITERED indicators, review modified PHP files, and check for suspicious web shells such as help.php.
