Google threat hunters spotted yet another Chinese state-sponsored espionage group that for years had burrowed into systems belonging to government and private organizations to steal data across academia, medicine, military, cybersecurity and foreign policy. 

Google Threat Intelligence Group discovered the previously unknown threat group UNC6508, which targeted organizations in the United States and Canada, in late 2025 but traced its earliest known compromise back to September 2023. 

The revelation mirrors an alarming pattern of Chinese espionage groups dropping backdoors into critical infrastructure to pre-position for potential sabotage, intercept research and steal data with national security implications. These groups working at the behest of China’s government, including UNC6508, operated in stealth for years before authorities or researchers discovered their activity.

“We don’t know the full extent or impact of the campaign,” Patrick Whitsell, senior security engineer at GTIG, told CyberScoop. Researchers said the threat group intruded a medical research university in September 2023, stole credentials and communications, and remained active on the institution’s systems through November 2025 when it was discovered.

Google said it confirmed multiple victims compromised with INFINITERED, a custom backdoor the threat group deployed on targeted networks to steal administrative credentials after it exploited externally facing REDCap (Research Electronic Data Capture) servers.

Researchers still don’t know how UNC6508 gained initial access to the REDCap servers. Google said the survey and database software, which was created at Vanderbilt University and issued multiple patches for critical remote-code execution vulnerabilities throughout 2023, is widely used across the medical research community. 

“Given the breadth of the threat actor’s intelligence collection criteria and their ability to remain undetected within compromised networks for more than a year, we assess the known victims likely represent only a fraction of a larger campaign,” Whitsell said. “We also assess that this highly capable threat actor will remain active and continue to be a threat to the defense, technology and medical industries for the foreseeable future.”

Google said the campaign targeted clinical providers, academic medical centers and U.S. military health institutions, demonstrating advanced capabilities from a threat group that doesn’t currently overlap with any other publicly known groups.

The threat group abused domain compliance rules to steal data, a technique that doesn’t rely on malware or living-off-the-land tools, and routed traffic through U.S.-based IPs to blend in with legitimate traffic, researchers said.

“We have some evidence to suggest this is a large threat group with multiple sub-teams, but this is not confirmed,” Whitsell said.

Like other previously identified China state-sponsored espionage groups, UNC6508 remains active.

Google said it disrupted some of UNC6508’s known infrastructure by disabling an Gmail account it used to exfiltrate data, notified the affected organizations and helped remediate compromises before it published research on UNC6508’s activities.

Whitsell said several unconfirmed instances of compromise remain under investigation.