
Chinese Spies Hid in Medical REDCap Servers for 18 Months via Custom Malware

theregister.com · @systems_wire · 2 hours ago · Cybersecurity · 5 comments

Google's Threat Intelligence Group found UNC6508 used InfiniteRed to steal Gmail messages about drones and Chikungunya from North American medical and military networks.

Tags: unc6508, google threat intelligence group, redcap, infinitered, chinese state sponsored espionage, cybersecurity

UNC6508 spent at least 18 months hidden inside REDCap servers at North American medical and military research outfits, stealing everything from drone specs to Chikungunya research. Google’s Threat Intelligence Group tracked the whole operation, and the details are delightfully specific.

The Longest Grocery List for Data Theft

Luke McNamara, deputy chief analyst at GTIG, called it “one of the most interesting grocery shopping lists of things to collect” he’d seen from a state-sponsored actor. The intruders searched for keywords like “unmanned drone technology” and “Chikungunya” - a mosquito-borne virus that caused an outbreak in China’s Guangdong province in July 2025. They also scraped email addresses of defense company employees and any @-domain patterns matching big defense names.

InfiniteRed, the custom malware they deployed, has three components. First, it intercepts REDCap upgrades to maintain persistent access by injecting its code into new versions. Second, it harvests credentials from the authentication system file. Third, it acts as a backdoor that fires on every REDCap page load, giving the attackers remote control.
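The first component, code injected into the files of a fresh REDCap upgrade, is exactly what a baseline-and-diff integrity check on the web root is meant to catch. The script below is an added example, not code from the article, GTIG or REDCap; it assumes an admin hashes a freshly downloaded release before deploying it and re-hashes the live tree afterwards, and the tampering it demonstrates is a constructed scenario in a temp directory.

```python
"""Added example: hash a REDCap web root before and after an upgrade and report
anything added, removed or modified. Paths below are constructed for the demo."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of one file, streamed so large uploads don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Files that appeared, vanished or changed relative to the known-good baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: clean tree, then one file altered and one file dropped in."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "redcap_v1"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php // clean release file\n")
        with open(os.path.join(root, "redcap_v1", "Config.php"), "w") as f:
            f.write("<?php // clean release file\n")
        baseline = build_manifest(root)  # taken from the pristine release
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// constructed: code appended after deployment\n")
        with open(os.path.join(root, "redcap_v1", "x.php"), "w") as f:
            f.write("<?php // constructed: file not in the release\n")
        return diff_manifest(baseline, build_manifest(root))
```

Run the real check against the vendor-supplied release on a clean host, not against a tree the server has already been serving, or the baseline inherits the injection.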

The Patroit Typo That Leaked Everything

After stealing admin credentials, UNC6508 created a Google Workspace content compliance rule they named “Patroit” (misspelling “Patriot” - clearly not the sharpest tools in the shed). That rule silently BCC-forwarded every email matching their keyword list to [email protected]. Google disabled that account once they found it.

GTIG first detected the campaign in early 2025, but the earliest known intrusion hit a North American medical research institution in September 2023. All attacks started by exploiting externally facing REDCap servers - the database tools used by universities and hospitals to store clinical trial data. Multiple organizations in the US and Canada were infected, and McNamara suspects there are more victims than the ones they notified.

One puzzle remains: why did a crew targeting medical research also search for drone technology? McNamara’s theory: this group was given a broad, copy-pasted list of national-security-related terms to collect. They didn’t discriminate by industry; they just chased anything that matched. The next time some REDCap server admin sees a compliance rule named “Patroit,” they’ll know exactly what’s happening - and maybe patch that box before another 18 months go by.


Source: PRC-linked spies hid inside medical and military networks for more than a year
Domain: theregister.com

