National Cyber Warfare Foundation (NCWF)

China-linked actor spent two years inside medical research networks


2026-06-16 08:30:08
milo
Blue Team (CND)

China’s UNC6508 hid in North American medical research networks for 2 years, stealing credentials and forwarding emails to Gmail

Google’s Threat Intelligence Group published a report this week on UNC6508, a China-linked cyberespionage group that breached North American medical and military research organizations and stayed hidden for more than two years. The earliest confirmed intrusion dates to September 2023.

The group remained active until November 2025, when researchers finally detected it. The finding highlights a lack of defender visibility more than attacker sophistication.

“GTIG attributes this activity to UNC6508 with high confidence. This assessment is based on infrastructure overlaps between campaigns, the consistent use of the INFINITERED backdoor on REDCap servers, and the specific targeting of medical research and defense sectors,” reads the report published by Google. “We assess UNC6508 is an espionage motivated threat cluster, with priorities that align with historic PRC state-sponsored espionage trends and intelligence collection requirements.”

The targets aren’t random. They include world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies. Their research spans molecular discovery, clinical drug trials, state-level public health policy, and military readiness. Whoever tasked UNC6508 wanted a broad map of what Western medical and defense science looks like from the inside.

The entry point in every confirmed intrusion was REDCap, the web platform hospitals and universities use to build and manage clinical research databases.

“UNC6508 consistently targets REDCap servers. REDCap is a web-based software platform designed specifically for building and managing online databases and surveys, in compliance with regulations for medical and scientific research. It is a commonly used platform in the North American medical research community,” continues the report. “GTIG was not able to confirm how UNC6508 initially gained access to the REDCap server.”

Google saw the group probing older versions, which suggests they’re after unpatched legacy deployments, but no specific CVE has been named.

Three months after the attackers gained access to the target network, they deployed custom malware called INFINITERED. The custom payload is built specifically for REDCap environments and does three things. It hijacks the upgrade process so that each new REDCap version automatically reinjects the malicious code, meaning patching doesn’t clear it. It injects a credential harvester into the authentication system to silently capture usernames and passwords from every login. And it plants a backdoor that executes on every REDCap page load and receives commands via HTTP cookies, completely invisible at the application layer.
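Because the upgrade process itself re-injects the code, a freshly patched REDCap instance is not evidence of a clean one; the deployed files have to be compared with a copy known to be pristine. The following is an added example, not code from the report, from Google, or from the REDCap project: a file-integrity check that hashes a deployed web tree against a manifest built from a clean copy and reports modified, added and missing files. The directory layout, file contents and the injected marker line are all constructed for the demonstration.

```python
"""
Added example: detect code injected into a web application tree by comparing
it against a hash manifest taken from a known-good copy. The tree built in
demo() is a constructed stand-in, not a real REDCap installation.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the manifest.

    Returns files whose content changed, files not present in the manifest
    (dropped files such as a web shell or hook), and files that disappeared.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Build a constructed PHP tree, snapshot it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "redcap"
        app.mkdir()
        (app / "index.php").write_text("<?php\n// constructed placeholder page\necho 'ok';\n")
        (app / "login.php").write_text("<?php\n// constructed placeholder login page\n")

        # Snapshot taken from the clean copy; a real manifest would come from
        # the vendor's pristine release archive, never from the running server.
        clean = build_manifest(root)
        assert verify_tree(root, clean) == {"modified": [], "added": [], "missing": []}

        # Simulate tampering: a line appended to the login page and a dropped file.
        with (app / "login.php").open("a") as fh:
            fh.write("// constructed marker standing in for injected code\n")
        (app / "hook.php").write_text("<?php\n// constructed dropped file\n")

        return verify_tree(root, clean)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be produced from the vendor's release archive, not from the server being checked, and the comparison should be repeated after every upgrade, since a persistence mechanism that hooks the upgrade would otherwise refresh itself into the new manifest unnoticed.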





The credential theft set up the next phase. Once they had admin-level access, the attackers moved to the organizations’ email systems and created content compliance rules, a legitimate administrative feature in cloud productivity platforms like Google Workspace, to silently forward any matching messages to an attacker-controlled account. The keyword triggers give a clear picture of what Beijing wanted.

One specific search correlated with a July 2025 outbreak of Chikungunya virus in China’s Guangdong province, which suggests the tasking responded to real-time domestic needs, not just standing collection requirements.

The experts noticed that operational security was careful throughout. UNC6508 used obfuscation networks, bulk-sourced accounts, legitimate stolen credentials, and operation-specific infrastructure to blend into normal traffic. Google disrupted some of the known infrastructure, including disabling a Gmail account used for exfiltration, notifying the affected organizations, and helping with remediation before publishing the report. However, several unconfirmed cases remain under investigation.

The solution is straightforward, even if implementing it everywhere takes time. Update and patch all REDCap systems, including older versions. Review your email security settings and remove any rules you didn’t create. Protect all administrator accounts with phishing-resistant MFA, since the attackers gained access using stolen passwords. Finally, improve monitoring and logging so suspicious activity, such as a backdoor running for more than two years, is detected and flagged quickly.
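The forwarding rules described earlier and the advice to remove any rule you did not create both come down to the same review: enumerate every mail routing rule, check where it sends copies of mail, and compare the list with what administrators actually configured. The following is an added example, not code from the report, from Google, or from any Workspace tooling: an audit over an exported list of rules that flags any rule forwarding or copying matching messages to a domain outside the organization and lists rules missing from a known-good inventory. The JSON layout, rule names, addresses and trigger strings are constructed for this example and are not Google Workspace's export format; the ORG_DOMAINS allowlist and the known-name inventory are assumptions the reader would replace with their own.

```python
"""
Added example: audit an exported list of mail routing / content compliance
rules. The export layout and every rule below are constructed for this
example; a real Workspace export or Admin SDK response will look different.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed allowlist of the organization's own mail domains.
ORG_DOMAINS = {"example-hospital.org"}

# Actions that cause a copy of a matching message to leave via another address.
FORWARDING_ACTIONS = {"forward", "bcc", "add_recipient"}

# Constructed export. The third rule models the pattern described in the
# report: keyword triggers plus silent forwarding to a webmail account.
SAMPLE_RULES_JSON = """
[
  {"name": "DLP - block card numbers", "created_by": "itsec@example-hospital.org",
   "triggers": ["CONSTRUCTED_KEYWORD_1"],
   "actions": [{"type": "reject"}]},
  {"name": "Archive legal", "created_by": "itsec@example-hospital.org",
   "triggers": ["legal-hold"],
   "actions": [{"type": "bcc", "address": "legal-archive@example-hospital.org"}]},
  {"name": "Content compliance 3", "created_by": "pi-admin@example-hospital.org",
   "triggers": ["CONSTRUCTED_KEYWORD_2", "CONSTRUCTED_KEYWORD_3"],
   "actions": [{"type": "forward", "address": "constructed-collector@gmail.com"}]}
]
"""


@dataclass
class Finding:
    rule: str
    created_by: str
    address: str
    triggers: list[str]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def external_forwards(rules: list[dict], org_domains: set[str]) -> list[Finding]:
    """Flag every rule that forwards or copies matching mail outside org_domains."""
    findings: list[Finding] = []
    for rule in rules:
        for action in rule.get("actions", []):
            address = action.get("address")
            if action.get("type") in FORWARDING_ACTIONS and address:
                if domain_of(address) not in org_domains:
                    findings.append(Finding(rule["name"], rule["created_by"],
                                            address, list(rule.get("triggers", []))))
    return findings


def unknown_rules(rules: list[dict], known_names: set[str]) -> list[str]:
    """Return rule names absent from the inventory administrators maintain."""
    return sorted(r["name"] for r in rules if r["name"] not in known_names)


def audit(export_text: str, known_names: set[str]) -> dict:
    """Run both checks over a JSON export and return the combined result."""
    rules = json.loads(export_text)
    return {"external": external_forwards(rules, ORG_DOMAINS),
            "unknown": unknown_rules(rules, known_names)}


if __name__ == "__main__":
    inventory = {"DLP - block card numbers", "Archive legal"}   # constructed inventory
    report = audit(SAMPLE_RULES_JSON, inventory)
    for f in report["external"]:
        print(f"[EXTERNAL FORWARD] rule={f.rule!r} created_by={f.created_by} "
              f"-> {f.address} triggers={f.triggers}")
    for name in report["unknown"]:
        print(f"[NOT IN INVENTORY] rule={name!r}")
```

Two checks are deliberately separate: an external destination is suspicious on its own, while a rule that is absent from the inventory is suspicious even when it points inside the organization, since the report describes rules created with stolen administrator credentials rather than by the real administrators.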





To assist defenders, Google also released a list of indicators in a GTI Collection for registered users.

Pierluigi Paganini

(SecurityAffairs – hacking, China)

Source: SecurityAffairs
Source Link: https://securityaffairs.com/193667/apt/china-linked-actor-unc6508-spent-two-years-inside-medical-research-networks.html

