
PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions


Google’s Threat Intelligence Group (GTIG) uncovered a long-running Chinese cyber-espionage campaign targeting North American medical, academic, and military research institutions that remained undetected for over a year.

GTIG has attributed the campaign with high confidence to UNC6508, a People’s Republic of China (PRC)-nexus threat actor with clear espionage motivations.

The group’s collection priorities (national defense intelligence, Indo-Pacific military operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs, and medical research) are closely aligned with the strategic interests of the Chinese state.

The earliest known compromise dates back to September 2023, with activity observed continuously through November 2025.

PRC-Nexus Hackers Exploit REDCap Servers

The campaign’s initial foothold began with externally facing REDCap (Research Electronic Data Capture) servers, a widely used web-based platform in North American medical and scientific research communities.

While GTIG could not confirm the exact initial access vector, UNC6508 was observed actively probing for legacy, unpatched REDCap versions running alongside current installations, a classic downgrade attack (MITRE ATT&CK T1689).

Campaign attack flow diagram (Source: Google)

Upon gaining entry, the threat actor deployed a web shell named help.php, performed internal reconnaissance, and harvested database and service account credentials.

Three months after the initial compromise, UNC6508 deployed INFINITERED, a sophisticated, modular malware that trojanizes legitimate REDCap system files.

It operates through three key components:

Dropper/Upgrade Interceptor: Injects malicious code into new REDCap upgrade packages, using a hardcoded GUID delimiter (b49e334d-9c01-463e-9bc5-00a6920fb66e) to mark the injection point, so that persistence survives software updates.

Credential Harvester: Captures plaintext usernames and passwords from POST login requests, encrypts them, and stores them covertly in the REDCap sessions database under the prefix xc32038474a.

Backdoor with C2: Activates on every REDCap page load, listens for a specific HTTP Cookie parameter REDCAP-TOKEN, and supports commands including remote shell execution, SQL queries, file upload/download, and system beaconing.
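The three components above each leave a fixed string on disk or in the database, which is what makes a file-level sweep practical. The following Python script is an added example, not code from Google’s report or from this article: it walks a REDCap document root, hashes every file against the SHA256 values published in the IOC list below, and searches file contents for the GUID delimiter (plain and base64 forms), the sessions-table prefix and the C2 cookie name. The directory it scans is constructed in a temporary folder with placeholder contents; no real sample is embedded.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

# Host indicators taken from the article's IOC list.
GUID_DELIMITER = "b49e334d-9c01-463e-9bc5-00a6920fb66e"
GUID_DELIMITER_B64 = "YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl"  # base64 form of the same GUID
SESSION_PREFIX = "xc32038474a"   # prefix of harvested-credential rows in the sessions table
C2_COOKIE_NAME = "REDCAP-TOKEN"  # cookie the backdoor listens for on every page load

# SHA256 hashes of the published samples (web shell, harvesters, backdoors, droppers).
KNOWN_SHA256 = {
    "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7",
    "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136",
    "c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b",
    "8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec",
    "51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045",
    "4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b",
    "58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86",
}

STRING_MARKERS = {
    "guid_delimiter": GUID_DELIMITER.encode(),
    "guid_delimiter_b64": GUID_DELIMITER_B64.encode(),
    "session_prefix": SESSION_PREFIX.encode(),
    "c2_cookie_name": C2_COOKIE_NAME.encode(),
}


def guid_b64_matches() -> bool:
    """Sanity check: the base64 host indicator is the encoding of the plain GUID delimiter."""
    return base64.b64encode(GUID_DELIMITER.encode()).decode() == GUID_DELIMITER_B64


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root) -> list:
    """Walk a REDCap install and return (relative path, reason) for every hit."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if sha256_of(path) in KNOWN_SHA256:
            findings.append((rel, "sha256 matches a published INFINITERED sample"))
        if path.name.lower() == "help.php":
            findings.append((rel, "file name matches the reported web shell"))
        data = path.read_bytes()
        for marker_name, marker in STRING_MARKERS.items():
            if marker in data:
                findings.append((rel, f"contains host indicator {marker_name}"))
    return findings


def build_constructed_sample(root) -> None:
    """Write a tiny constructed tree: one clean file, one file carrying the GUID marker, one help.php."""
    root = Path(root)
    (root / "redcap_v14.0.0").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text("<?php // constructed clean file\necho 'ok';\n")
    (root / "redcap_v14.0.0" / "Upgrade.php").write_text(
        "<?php // constructed: ordinary upgrade code would sit above the marker\n"
        f"/* {GUID_DELIMITER} */\n"
        "// constructed stand-in for the injected section; no payload here\n"
    )
    (root / "help.php").write_text("<?php // constructed placeholder, not the real web shell\n")


def run_demo() -> list:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

On a real install, run it against the web root and the REDCap version directories together, since the dropper targets upgrade packages rather than the currently served tree; hash matches confirm a known sample, while string hits flag variants whose hash is not yet published and deserve a manual look.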

INFINITERED was discovered across multiple organizations in both the US and Canada. After more than a year of silent access, UNC6508 escalated by using harvested credentials to access a domain administrator account.

INFINITERED diagram (Source: Google)

The group then abused content compliance rules, a legitimate Google Workspace feature, to silently BCC-forward sensitive emails to an attacker-controlled Gmail account: BebitaBarefoot774[@]gmail[.]com.

The rule, named “Patroit” (a misspelling of “Patriot”), used regular expressions to match nearly 150 keywords spanning military strategy, AI research, cyber programs, and medical topics.

GTIG notes that this technique, using domain content compliance rules for data exfiltration, had never previously been observed from a PRC-nexus actor.

One keyword stood out: “Chikungunya,” the mosquito-borne virus responsible for a July 2025 outbreak in China’s Guangdong province, suggesting real-time, mission-specific intelligence tasking.

UNC6508 used US-based obfuscation (OBF) networks to route traffic through compromised ASUS routers, residential proxies, and VPS infrastructure to avoid detection and complicate attribution.

Defensive Recommendations

GTIG disrupted the malicious infrastructure and deactivated the Gmail exfiltration account upon discovery. GTIG and Mandiant Consulting recommend the following immediate actions:

Patch REDCap to the latest version and completely remove all legacy installations.

Enforce phishing-resistant 2-Step Verification (2SV) for all administrator accounts.

Scan REDCap servers for INFINITERED using the published YARA rule.

Audit content compliance rules in cloud mail suites for unauthorized BCC-forwarding configurations.

Deploy Device Bound Session Credentials (DBSC) to prevent session cookie theft.

Enable DLP rules and SIEM logging to detect anomalous data movement and email forwarding.

GTIG has updated Google Security Operations (SecOps) with all relevant IOCs and has notified affected organizations directly.

Indicators of Compromise (IOCs):

Category: Indicators

Network: BebitaBarefoot774[@]gmail[.]com, 23.169.65.49
Web Shell: help.php, SHA256: ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7
Credential Harvesters: db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136, c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b
Backdoors: 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec, 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045
Droppers: 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b, 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86
Host Indicators: REDCAP-TOKEN, xc32038474a, b49e334d-9c01-463e-9bc5-00a6920fb66e, YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl, ej671a16i7fd8202nu6ltfg5p6x7u
Persistence: Modified Upgrade.php, AWS Elastic Beanstalk persistence
Exfiltration: “Patroit” email-forwarding rule to attacker Gmail
C2 Functions: Remote shell, file upload/download, SQL execution, credential theft, anti-forensics

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
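Two of the recommendations above, auditing mail-suite forwarding rules and watching for the backdoor’s cookie and the web shell in server logs, both start from the defanged indicators in this list. The Python below is an added example (not from the article or from Google) that refangs the published indicators, runs three simple detections over constructed web-server log lines, and flags forwarding-rule recipients outside the organisation’s domain. The log format, the IP addresses other than the published one, the cookie values and the recipient list are all constructed for the example; the attacker mailbox and C2 IP are the ones this page reports.

```python
import re

# Network indicators from the IOC list, kept defanged exactly as published.
DEFANGED_IOCS = {
    "attacker_mailbox": "BebitaBarefoot774[@]gmail[.]com",
    "c2_ip": "23.169.65.49",
}
C2_COOKIE_NAME = "REDCAP-TOKEN"   # cookie the backdoor waits for
WEB_SHELL_NAME = "help.php"       # file name of the deployed web shell


def refang(value: str) -> str:
    """Undo the usual defanging conventions ([.] [@] hxxp) so an indicator can be compared."""
    return value.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


# Constructed log format: client_ip [timestamp] "request line" status "Cookie header or -".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines; only 23.169.65.49 comes from the published IOCs.
SAMPLE_LOG_LINES = [
    '203.0.113.7 [12/Nov/2025:10:01:03 +0000] "GET /redcap/index.php HTTP/1.1" 200 "PHPSESSID=constructed1"',
    '23.169.65.49 [12/Nov/2025:10:02:17 +0000] "POST /redcap/help.php HTTP/1.1" 200 "-"',
    '198.51.100.4 [12/Nov/2025:10:03:40 +0000] "GET /redcap/DataEntry/index.php HTTP/1.1" 200 '
    '"REDCAP-TOKEN=constructedtoken; PHPSESSID=constructed2"',
    '203.0.113.9 [12/Nov/2025:10:04:02 +0000] "GET /redcap/help/index.php HTTP/1.1" 200 "-"',
]


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines) -> list:
    """Return (line number, rule, detail) for every line that matches a published indicator."""
    hits = []
    c2_ip = refang(DEFANGED_IOCS["c2_ip"])
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            hits.append((n, "unparsed_line", line[:40]))
            continue
        if rec["ip"] == c2_ip:
            hits.append((n, "known_c2_ip", rec["ip"]))
        # Compare the basename only, so /help/index.php does not trip the web shell rule.
        path = rec["path"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() == WEB_SHELL_NAME:
            hits.append((n, "web_shell_request", rec["path"]))
        cookies = [c.strip() for c in rec["cookie"].split(";")]
        if any(c.startswith(C2_COOKIE_NAME + "=") for c in cookies):
            hits.append((n, "backdoor_c2_cookie", rec["path"]))
    return hits


# Constructed recipient list as it might be exported from a content compliance rule audit.
SAMPLE_RULE_RECIPIENTS = ["archive@example.org", "BebitaBarefoot774@gmail.com", "partner@example.net"]


def audit_forwarding_recipients(recipients, org_domain: str) -> list:
    """Flag BCC/forward recipients outside org_domain; the published attacker mailbox is named explicitly."""
    attacker = refang(DEFANGED_IOCS["attacker_mailbox"]).lower()
    flagged = []
    for r in recipients:
        addr = r.lower()
        if addr == attacker:
            flagged.append((r, "matches published attacker mailbox"))
        elif not addr.endswith("@" + org_domain.lower()):
            flagged.append((r, "external recipient"))
    return flagged


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG_LINES):
        print("log:", hit)
    for item in audit_forwarding_recipients(SAMPLE_RULE_RECIPIENTS, "example.org"):
        print("rule:", item)
```

The cookie rule is the most durable of the three: the C2 IP and the web shell name are easy for the actor to change, but the backdoor has to see the `REDCAP-TOKEN` cookie on a page load, so a request carrying that cookie name is worth alerting on regardless of source address or path.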

The post PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions appeared first on Cyber Security News.

Source: cybersecuritynews.com
