A China-linked espionage group, tracked by Google Threat Intelligence Group as UNC6508, compromised a North American medical research organization through exposed REDCap servers and operated undetected for over 14 months, from September 2023 to November 2025.
REDCap is the workhorse platform for clinical trials, public health surveys, and molecular research databases. UNC6508 exploited older, vulnerable versions of the platform to gain a foothold. Three months after initial compromise, they deployed a custom malware suite called InfiniteRed, specifically tailored for REDCap systems.
The InfiniteRed Malware Trio
InfiniteRed consists of three components: a persistence and update module, a credential harvester, and a full-featured backdoor. The credential harvester captures usernames and passwords submitted through REDCap login pages, encrypts them, and stores them in local REDCap database tables for later retrieval.
The backdoor communicates via HTTP cookies and gives UNC6508 the ability to execute shell commands, upload and download files, run arbitrary SQL queries, retrieve stolen credentials, and return system information. They hid the malware by trojanizing the server's own system files.
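Because InfiniteRed hides by trojanizing the server's own files, the simplest host-level check is a file-integrity diff: hash every file in the deployed REDCap tree and compare it with a clean, unmodified copy of the same release. The script below is an added example written for this summary, not code from GTIG or the REDCap project; the file names it creates are constructed stand-ins, and it assumes you can obtain a pristine reference extraction of the exact version you run.

```python
"""Added example (not from the GTIG report or REDCap): detect trojanized
server files by hashing a deployed REDCap tree and diffing it against a
clean reference copy of the same version.

Assumptions (hypothetical, for illustration): the reference tree is a
fresh, unmodified extraction of the same REDCap release; paths such as
'redcap_v1.0.0/index.php' are constructed placeholders, not real paths
from the report.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root_path).as_posix()] = digest
    return manifest


def diff_manifests(reference: dict[str, str], deployed: dict[str, str]) -> dict[str, list[str]]:
    """Classify deployed files as added, missing, or modified relative to the reference.

    'added' catches unexpected files dropped beside legitimate code;
    'modified' catches legitimate files altered in place.
    """
    ref_keys, dep_keys = set(reference), set(deployed)
    return {
        "added": sorted(dep_keys - ref_keys),
        "missing": sorted(ref_keys - dep_keys),
        "modified": sorted(p for p in ref_keys & dep_keys if reference[p] != deployed[p]),
    }


def _write(base: Path, rel: str, content: str) -> None:
    target = base / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)


def build_demo_trees(base_dir: str) -> tuple[str, str]:
    """Create a constructed clean tree and a constructed tampered tree (sample data only)."""
    ref = Path(base_dir) / "reference"
    dep = Path(base_dir) / "deployed"
    for tree in (ref, dep):
        _write(tree, "redcap_v1.0.0/index.php", "<?php // constructed stand-in for an entry point\n")
        _write(tree, "redcap_v1.0.0/Classes/Auth.php", "<?php // constructed stand-in for auth code\n")
    # Constructed tampering: one legitimate file changed in place, one unexpected file added.
    _write(dep, "redcap_v1.0.0/index.php", "<?php // constructed stand-in\n// unexpected extra code\n")
    _write(dep, "redcap_v1.0.0/Classes/helper.php", "<?php // constructed unexpected file\n")
    return str(ref), str(dep)


def run_demo() -> dict[str, list[str]]:
    """Build the sample trees in a temp dir and return the integrity diff."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, dep = build_demo_trees(tmp)
        return diff_manifests(build_manifest(ref), build_manifest(dep))


if __name__ == "__main__":
    # In production: build_manifest() on the clean extraction once, store it,
    # then diff each server's tree against it on a schedule.
    for bucket, files in run_demo().items():
        print(f"{bucket}: {files}")
```

Generate the reference manifest from the clean release once and keep it off the server, so a compromised host cannot rewrite the baseline it is being checked against; any entry in the "added" or "modified" buckets under the web root is a candidate for the published YARA rules.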
The 'Patroit' Rule: Legitimate Feature, Illicit Exfil
UNC6508's most notable technique - and new for China-linked threat actors - is weaponizing a legitimate Office 365 feature. After gaining administrator access, they created a content compliance rule named "Patroit" that scans the organization's email for specific keywords, content patterns, email addresses, and phone numbers.
Any matches are automatically BCC'd to an outside mailbox under the attackers' control (address withheld here; the account has since been disabled by Google). The targeted keywords span medical research, advanced technology, military topics, and geo-strategic policy. This is a classic living-off-the-land approach: using the victim's own productivity tools to exfiltrate data without triggering network-level alarms.
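The defensive counterpart to the "Patroit" rule is a periodic audit of every mail rule that copies or forwards messages to an address outside the organization's own domains. The script below is an added example for this summary, not tooling from GTIG, Google, or Microsoft; it assumes the rules have been exported to a simple JSON list in the constructed shape shown (a real Office 365 transport-rule export has its own schema and would need a small adapter), and all names, keywords, and addresses in the sample are constructed.

```python
"""Added example (not from the GTIG report): audit exported mail-flow or
content-compliance rules for BCC, forward, or redirect targets outside the
organization's own domains, the pattern behind the 'Patroit' rule.

Assumptions (hypothetical): rules arrive as a JSON list in the simple shape
below; real platform exports need an adapter. Addresses, domains, and the
keyword lists are constructed sample data.
"""
import json
from dataclasses import dataclass, field

# Constructed sample export: one benign internal archive rule, one rule that
# mirrors the abuse described above (keyword scan plus BCC to an outside
# mailbox), and one disabled rule with an outside forward.
SAMPLE_EXPORT = json.dumps([
    {"name": "Legal hold archive", "enabled": True,
     "conditions": {"keywords": ["subpoena"]},
     "actions": {"bcc": ["archive@corp-research.example"]}},
    {"name": "Patroit", "enabled": True,
     "conditions": {"keywords": ["clinical trial", "genome", "export control"],
                    "phone_numbers": ["+1-555-0100"]},
     "actions": {"bcc": ["exfil-placeholder@gmail.example"]}},
    {"name": "Disabled test rule", "enabled": False,
     "conditions": {"keywords": ["test"]},
     "actions": {"forward": ["outside@contractor.example"]}},
])

# Actions that deliver a copy of the message somewhere else.
COPY_ACTIONS = ("bcc", "forward", "redirect")


@dataclass
class Finding:
    rule: str
    enabled: bool
    action: str
    external_recipients: list[str]
    conditions: dict = field(default_factory=dict)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_internal(domain: str, org_domains: set[str]) -> bool:
    """True if domain is one of the org's domains or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def find_external_copy_rules(export_json: str, org_domains: set[str]) -> list[Finding]:
    """Return every rule (enabled or not) that copies mail to a non-org address.

    Disabled rules are reported too: a rule that only needs to be switched
    back on is still worth a human look.
    """
    org = {d.lower() for d in org_domains}
    findings = []
    for rule in json.loads(export_json):
        actions = rule.get("actions", {})
        for action in COPY_ACTIONS:
            outside = [a for a in actions.get(action, []) if not is_internal(_domain(a), org)]
            if outside:
                findings.append(Finding(
                    rule=rule["name"],
                    enabled=rule.get("enabled", True),
                    action=action,
                    external_recipients=outside,
                    conditions=rule.get("conditions", {}),
                ))
    return findings


if __name__ == "__main__":
    for f in find_external_copy_rules(SAMPLE_EXPORT, {"corp-research.example"}):
        state = "ENABLED" if f.enabled else "disabled"
        print(f"[{state}] rule '{f.rule}' {f.action}s to {f.external_recipients}; "
              f"conditions={f.conditions}")
```

Each finding carries the rule's conditions, so the reviewer sees not just the outside recipient but the keyword scope that was being harvested. Run this after any administrator credential compromise as well as on a schedule: the rule was created with admin access, so the audit log entry for rule creation by an unexpected admin account is the earlier signal.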
Operational Security and Detection
GTIG observed high operational security across the campaign. UNC6508 used US-based residential proxy infrastructure, compromised routers, VPNs, credential replay, and dedicated infrastructure for data exfiltration. Google notified multiple organizations in the U.S. and Canada that had been compromised with InfiniteRed.
REDCap administrators should upgrade to the latest version, remove legacy deployments, enforce MFA on high-privilege accounts, and enable Device Bound Session Credentials (DBSC) to block session hijacking. GTIG published YARA rules and indicators of compromise in their report - run them against every REDCap server you control. This campaign proves that the most dangerous attack is the one that uses your own infrastructure against you, and it will not be the last time Office 365 compliance rules get abused for espionage.
Source: Chinese hackers breach REDCap servers, steal medical research
Domain: bleepingcomputer.com