DEV Community

Diego Diaz
Diego Diaz

Posted on • Originally published at sable.somoswilab.com

UNC6508: PRC Spies Exploit REDCap Servers to Infiltrate US Medical Research for 2 Years

What Happened

A threat actor tracked as UNC6508 — a China-nexus espionage group — infiltrated US medical research institutions and remained undetected inside their networks from September 2023 through at least November 2025, according to Google's Threat Intelligence team. The campaign targeted academic medical centers, private research organizations, military health institutions, and regulatory bodies across North America.

What makes this operation notable is not just its duration or targets, but the attacker's patience: UNC6508 spent nearly two years quietly embedded in research environments, exfiltrating sensitive data while blending into daily institutional workflows. The campaign was also covered by CyberSecurityNews and GBHackers, which independently confirmed the scope of the intrusion.

Technical Analysis

Initial Access via Legacy REDCap. UNC6508 gained initial access by exploiting legacy, unpatched versions of REDCap — an open-source electronic data capture platform widely used in clinical and academic research. Attackers specifically targeted institutions running legacy REDCap instances alongside current versions, allowing them to exploit known vulnerabilities in the older installation while remaining unnoticed.

Web Shell Deployment (help.php). After gaining access, the actors deployed a web shell named help.php on compromised REDCap servers, establishing persistent remote access to the underlying infrastructure.

INFINITERED Malware — a Three-Component Toolkit. UNC6508 deployed a custom malware family dubbed INFINITERED, consisting of three distinct components: a dropper that injects itself into upgrade packages to survive legitimate software updates, surviving patches that would normally eliminate compromise; a credential harvester that captures plaintext credentials from POST requests passing through the web application; and a C2 backdoor that receives commands via the REDCAP-TOKEN cookie, blending malicious communications with legitimate application traffic.

Novel Exfiltration: Abuse of Google Workspace Compliance Rules

Perhaps the most ingenious aspect of the campaign was the exfiltration method. UNC6508 created a mail compliance rule inside compromised institutions' Google Workspace environments — named "Patroit" — that used regex patterns to match intelligence-related keywords in emails. Any email matching these patterns (related to medical research, military health topics, etc.) was silently BCC-reenviated to a Gmail account controlled by the actor.

This approach provided several advantages for the attacker: encrypted email transit to Google's servers (no suspicious outbound connections), institutional trust in Google Workspace reducing suspicion, and a self-sustaining collection pipeline that operated automatically once the rule was in place.

Who's Affected

The campaign's targeting profile indicates strategic intelligence gathering rather than financial gain:

  • Academic medical centers — university-affiliated research hospitals across North America

  • Private medical research organizations — pharmaceutical and biotech research companies

  • Military health institutions — Department of Defense medical research facilities

  • Regulatory bodies — organizations involved in medical device and drug approval processes

The scope of compromised data — spanning clinical trial data, unpublished research findings, patient studies, and military health intelligence — represents a significant strategic intelligence haul for the PRC's biomedical and defense research sectors.

How to Protect Your Organization

1. Enforce 2SV on all admin accounts. Require two-step verification for all users with administrative privileges on REDCap servers and connected systems. Credential harvesting was a core component of this campaign, and 2SV directly mitigates stolen credentials.

2. Eliminate or update legacy REDCap instances. Audit your network for outdated REDCap deployments running alongside current versions. The coexistence of legacy and modern instances was the primary attack vector. Uninstall legacy versions entirely.

3. Audit compliance/mail forwarding rules. Review all content compliance and mail routing rules in Google Workspace (or equivalent platforms) for unauthorized rules with regex patterns or external forwarding addresses. Pay special attention to rules named generically or with automated-sounding labels.

4. Monitor REDCap file integrity. Deploy file integrity monitoring on REDCap web directories, specifically watching for unexpected PHP files like help.php. Google's Threat Intelligence team has published YARA rules and IOCs for INFINITERED.

5. Network segmentation for research infrastructure. Isolate REDCap servers from broader institutional research networks to limit lateral movement in case of compromise.

The Sable Angle

UNC6508's campaign against medical research is a textbook example of a persistent, low-and-slow intrusion designed to exfiltrate strategic intelligence over extended periods. The group's exploitation of legacy software alongside current versions, custom multi-component malware that survives updates, and abuse of trusted platforms like Google Workspace for exfiltration reflects a mature adversary operating with patience and operational security.

At Sable, our offensive security researchers regularly encounter similar persistence mechanisms and understand how threat actors exploit the gaps between legacy and modern infrastructure. Similar research-focused threats continue to emerge — from critical CVEs in research platforms to supply chain compromises targeting healthcare organizations.

Top comments (0)