For over a year, a Chinese cyber-espionage operation silently infiltrated medical, academic, and military research networks across North America, siphoning off sensitive research data and defense-related emails.
The attackers gained access by exploiting a hidden entry point on REDCap research servers to swipe login credentials. What made the data theft particularly distinctive was how they did it: they manipulated their victims’ own Google Workspace email rules to automatically forward any messages containing their keywords to an inbox under their control.
In a report released this week, Google’s Threat Intelligence Group (GTIG) detailed the campaign and assigned it a high-confidence link to an effort it tracks as UNC6508.
This particular threat actor and its REDCap infiltration tool are not entirely new to security researchers. GTIG originally flagged both in February as part of a broader advisory on state-sponsored cyberattacks targeting the defense industry. At that time, GTIG did not disclose the impacted organizations, referring to them only as a mix of entities in the U.S. and Canada—such as clinical providers, academic institutions, military health bodies, advocacy groups, and health regulators.
According to Google, all affected parties were alerted, and the malicious infrastructure used by the group was shut down.
The Initial Breach
The attack began with REDCap (Research Electronic Data Capture), a widely adopted platform used by hospitals and universities to build and manage research databases. UNC6508 specifically targeted REDCap servers that were open to the internet.
GTIG has not identified the precise method the hackers used to first gain access, nor has it named the specific software vulnerability (CVE) involved or listed which versions were affected. However, the researchers noted that the group was actively scanning for older, unpatched instances of the software.

Roughly three months after the initial breach, the hackers deployed a custom malware variant GTIG calls INFINITERED. This tool corrupted the core system files of the REDCap installation to achieve three primary objectives.
- First, it tampered with the software’s update mechanism. This ensured that whenever the system was updated to a newer version, the malicious code would be re-injected rather than wiped out.
- Second, it functioned as a credential harvester, capturing usernames and passwords entered on the login screen and hiding them, encrypted, inside local database tables.
- Third, it operated as a persistent backdoor, executing instructions delivered via HTTP cookies every time a user loaded a web page.
The earliest confirmed intrusion occurred in September 2023, with the operation continuing through to November 2025. Once entrenched on the server, the hackers performed extensive internal surveillance, mapping the network and harvesting database credentials and service account logins. They then leveraged these pilfered credentials to move laterally through the network, eventually seizing control of a domain administrator account.

GTIG did not outline the exact tactics used to escalate privileges to the domain administrator level. However, once those rights were obtained, the group immediately pivoted to setting up its data exfiltration method.
The Email Hijacking Technique
The actual data theft was carried out using the victim’s own existing infrastructure. UNC6508 exploited legitimate “content compliance rules” within Google Workspace. These administrative features are designed to scan emails for specific keywords and forward or copy those messages to a designated recipient.
Similar rule engines exist in other cloud-based email platforms; in this case the attackers created a Google Workspace rule (its name misspelling “patriot” as “Patroit”) that monitored for nearly 150 different keywords, search terms, and specific email addresses. Whenever an incoming or outgoing message matched these criteria, the system silently sent a hidden copy (BCC) to a Gmail address owned by the hackers, which has since been deactivated. The operation left no malware on the mail servers, required no separate data-exfiltration tools, and generated no unusual network traffic to raise alarms. The attackers simply repurposed a standard administrative feature to funnel the organizations’ private communications directly to themselves.
While the abuse of email-forwarding rules is already a well-documented tactic in cybersecurity, GTIG noted that this is the first known instance of a China-linked group using domain-wide content compliance rules to perform this theft.
The keywords chosen for the email filter revealed UNC6508’s strategic interests: subjects related to global strategic policy, military planning and equipment, advanced technologies (including AI and drone programs), offensive cyber capabilities, and medical research. One keyword stood out due to its unusual specificity: chikungunya, referring to the mosquito-borne virus responsible for a significant outbreak in China’s Guangdong province throughout 2025.
Recommended Defensive Measures
First, focus on REDCap. Immediately patch all internet-facing servers and completely remove older software versions rather than just launching new updates alongside them. Because REDCap allows multiple legacy versions to run concurrently, it creates an opportunity for “downgrade attacks,” where an attacker forces the system to revert to a version with known vulnerabilities.
Next, audit your email configurations. Scrutinize your Google Workspace (or whichever platform is in use) administrative rules, specifically looking for any content compliance or forwarding rules that route mail to external addresses. Examine your administrative logs not just for what the current rules are, but for historical changes. Hunt for the indicators of compromise (IoCs) published by GTIG related to the INFINITERED malware. Finally, ensure all administrator accounts are protected with phishing-resistant Multi-Factor Authentication (MFA), as the entire email theft chain was ultimately dependent on those elevated permissions.
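The audit step above is where defenders most often stop at the current rule list; the following script is an added example (not GTIG's or Google's code) that instead walks a constructed, simplified audit-log export and reports any content compliance rule that ever BCC'd or forwarded mail to an outside domain, including rules that were later deleted. The JSON record shape, the org domain and the addresses are assumptions for illustration; the real Google Workspace admin audit schema is not reproduced here.

```python
import json

# Constructed sample audit-log export (one JSON object per line). The field
# names are an assumption; adapt them to the real export before use.
AUDIT_LOG = """\
{"ts":"2024-03-02T01:14:09Z","actor":"it-admin@example-hospital.org","event":"CREATE_RULE","rule":"Spam quarantine","bcc":[],"keywords":3}
{"ts":"2024-06-11T03:41:55Z","actor":"svc-backup@example-hospital.org","event":"CREATE_RULE","rule":"Patroit","bcc":["external-collector@mail.example"],"keywords":148}
{"ts":"2024-06-11T03:42:30Z","actor":"svc-backup@example-hospital.org","event":"CHANGE_RULE","rule":"Patroit","bcc":["external-collector@mail.example"],"keywords":150}
{"ts":"2025-01-20T09:00:00Z","actor":"it-admin@example-hospital.org","event":"CREATE_RULE","rule":"Legal hold copy","bcc":["legal-archive@example-hospital.org"],"keywords":12}
{"ts":"2025-11-30T22:10:07Z","actor":"svc-backup@example-hospital.org","event":"DELETE_RULE","rule":"Patroit","bcc":[],"keywords":0}
"""

INTERNAL_DOMAINS = {"example-hospital.org"}  # placeholder organisation domains


def external_addresses(addresses, internal_domains=INTERNAL_DOMAINS):
    """Return the addresses whose domain is outside the organisation."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in internal_domains]


def hunt_rule_history(log_text, internal_domains=INTERNAL_DOMAINS, keyword_threshold=50):
    """Walk every rule change in the log, not just the rules that exist now.

    A rule that once copied mail to an outside domain and was later deleted is
    still reported (deleted=True): the current configuration alone would never
    show it. Rules matching a very broad keyword set are flagged for review too.
    """
    findings = {}
    for line in log_text.splitlines():
        ev = json.loads(line)
        reasons = []
        ext = external_addresses(ev["bcc"], internal_domains)
        if ext:
            reasons.append("routes a copy to external address(es): " + ", ".join(ext))
        if ev["keywords"] >= keyword_threshold:
            reasons.append(f"matches a very broad keyword set ({ev['keywords']} terms)")
        if reasons:
            f = findings.setdefault(ev["rule"], {"first_seen": ev["ts"], "actors": set(),
                                                 "reasons": set(), "deleted": False})
            f["actors"].add(ev["actor"])
            f["reasons"].update(reasons)
        if ev["event"] == "DELETE_RULE" and ev["rule"] in findings:
            findings[ev["rule"]]["deleted"] = True  # gone from config, still in history
    return findings


if __name__ == "__main__":
    for name, f in hunt_rule_history(AUDIT_LOG).items():
        state = "DELETED (review history)" if f["deleted"] else "ACTIVE"
        print(f"[{state}] rule {name!r}, first seen {f['first_seen']}, changed by {sorted(f['actors'])}")
        for reason in sorted(f["reasons"]):
            print("   -", reason)
```

Pair the output with the account that made the change: a rule of this kind created by a service or freshly elevated admin account is exactly the pattern the campaign relied on.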
Despite the investigation, GTIG has yet to determine exactly how UNC6508 first gained access to the exposed REDCap servers. The primary takeaway for security teams is the mail forwarding rule. Once an attacker has administrative domain access, a built-in productivity feature like a compliance rule can become a silent and undetectable exfiltration pipeline—making regular audits of these administrative controls even more critical than the initial malware remediation.