

























Google’s Threat Intelligence Group (GTIG) uncovered a long-running Chinese cyber-espionage campaign targeting North American medical, academic, and military research institutions that remained undetected for over a year.
GTIG has attributed the campaign with high confidence to UNC6508, a People’s Republic of China (PRC)-nexus threat actor with clear espionage motivations.
The group’s collection priorities, national defense intelligence, Indo-Pacific military operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs, and medical research are closely aligned with the strategic interests of the Chinese state.
The earliest known compromise dates back to September 2023, with activity observed continuously through November 2025.
The campaign’s initial foothold began with externally facing REDCap (Research Electronic Data Capture) servers, a widely used web-based platform in North American medical and scientific research communities.
While GTIG could not confirm the exact initial access vector, UNC6508 was observed actively probing for legacy, unpatched REDCap versions running alongside current installations a classic downgrade attack (MITRE ATT&CK T1689).

Upon gaining entry, the threat actor deployed a web shell named help.php, performed internal reconnaissance, and harvested database and service account credentials.
Three months after the initial compromise, UNC6508 deployed INFINITERED, a sophisticated, modular malware that trojanizes legitimate REDCap system files.
It operates through three key components:
INFINITERED was discovered across multiple organizations in both the US and Canada. After more than a year of silent access, UNC6508 escalated by using harvested credentials to access a domain administrator account.

The group then abused content compliance rules, a legitimate Google Workspace feature, to silently BCC-forward sensitive emails to an attacker-controlled Gmail account: BebitaBarefoot774[@]gmail[.]com.
The rule, named “Patroit” (a misspelling of “Patriot”), used regular expressions to match nearly 150 keywords spanning military strategy, AI research, cyber programs, and medical topics.
GTIG notes that this technique, using domain content compliance rules for data exfiltration, had never previously been observed from a PRC-nexus actor.
One keyword stood out: “Chikungunya,” the mosquito-borne virus responsible for a July 2025 outbreak in China’s Guangdong province, suggesting real-time, mission-specific intelligence tasking.
UNC6508 used US-based obfuscation (OBF) networks to route traffic through compromised ASUS routers, residential proxies, and VPS infrastructure to avoid detection and complicate attribution.
GTIG disrupted the malicious infrastructure and deactivated the Gmail exfiltration account upon discovery. GTIG and Mandiant Consulting recommend the following immediate actions:
GTIG has updated Google Security Operations (SecOps) with all relevant IOCs and has notified affected organizations directly.
Indicators of Compromise (IOCs):
| Category | Indicators |
|---|---|
| Network | BebitaBarefoot774[@]gmail[.]com, 23.169.65.49 |
| Web Shell | help.php, SHA256: ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7 |
| Credential Harvesters | db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136, c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b |
| Backdoors | 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec, 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045 |
| Droppers | 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b, 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86 |
| Host Indicators | REDCAP-TOKEN, xc32038474a, b49e334d-9c01-463e-9bc5-00a6920fb66e, YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl, ej671a16i7fd8202nu6ltfg5p6x7u |
| Persistence | Modified Upgrade.php, AWS Elastic Beanstalk persistence |
| Exfiltration | “Patroit” email-forwarding rule to attacker Gmail |
| C2 Functions | Remote shell, file upload/download, SQL execution, credential theft, anti-forensics |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。