Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails

By The Hacker News
June 15, 2026


A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email.

The way in was a backdoor on their REDCap research servers that stole login credentials. The exfiltration was the unusual part: the attackers rewired the victims’ own Google Workspace rules to copy any message matching their keywords to an inbox they controlled.

Google’s Threat Intelligence Group (GTIG) laid out the campaign in a report published this week and attributes it with high confidence to a cluster it tracks as UNC6508.

The actor and its REDCap backdoor are not new names; Google first surfaced both in February, in a wider report on state-backed attacks against the defense sector. It did not name the victims, describing them only as multiple organizations across the US and Canada: clinical providers, academic centers, military health institutions, advocacy groups, and health regulators.

Google says it notified them and disrupted the group’s infrastructure.

How they got in

The entry point was REDCap (Research Electronic Data Capture), a web platform that hospitals and universities use to build and manage study databases. UNC6508 compromised externally facing REDCap servers.

Google has not pinned down the initial access vector, named a specific CVE, or listed the affected versions, though it saw the group probing older, vulnerable ones.

Around three months after getting in, the group deployed custom malware GTIG calls INFINITERED, which trojanizes REDCap’s own system files and does three things.

  • First, it hijacks the upgrade process so each new REDCap version reinjects the code instead of clearing it.
  • Second, it harvests usernames and passwords from the login page and stores them, encrypted, in local database tables.
  • Third, it acts as a backdoor, taking commands through HTTP cookies and running on every page load.

The earliest known compromise dates to September 2023, with activity continuing through November 2025. Once on the server, UNC6508 ran internal reconnaissance and credential discovery, pulling database and service account credentials, then used those logins to move into the internal network and on to a domain administrator account.

Google does not spell out the exact path to that admin account. With admin rights, the group set up the exfiltration.

How they stole the email

The exfiltration rode a feature that was already there. UNC6508 abused content compliance rules, a legitimate Google Workspace admin feature that scans mail for keywords and can copy or forward matching messages.

Similar features exist in other cloud mail suites. The group created a rule, misspelled “Patroit,” that watched for nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace silently BCC’d it to an attacker-controlled Gmail address, which Google has since disabled. No malware on the mail server, no separate exfiltration tool, no unusual network traffic. Just a built-in mail feature, turned to copy the organization’s secrets to an inbox the attackers owned.

MITRE already catalogs email-forwarding-rule abuse as a known technique. What GTIG flags as new here is the use of domain content compliance rules to do it, a method it says it had not seen from a China-linked actor before.

The rule’s keywords mapped to UNC6508’s collection priorities: geo-strategic policy, military strategy and equipment, advanced technology including AI and uncrewed vehicles, offensive cyber programs, and medical research. One term stood out for its specificity, chikungunya, the mosquito-borne virus behind a 2025 outbreak in China’s Guangdong province.

What to do

Start with REDCap. Patch externally facing servers and remove old versions outright rather than leaving them installed alongside the current build. REDCap lets legacy versions run side by side, and that is what enables downgrade attacks, where an attacker forces the software back to a known-vulnerable release.

Then check the mail side. Review Workspace, or equivalent, content compliance and mail-forwarding rules for anything that BCCs or reroutes mail to outside addresses. Check admin audit logs for when rules changed, not just what they say now. Pull GTIG’s published indicators and hunt for INFINITERED. And put phishing-resistant MFA on administrator accounts, since the whole mail-theft step hinged on admin access.
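The mail-side review above can be scripted. The following is an added example, not code from Google, GTIG, or The Hacker News: it takes an inventory of content compliance rules, flags any rule whose action adds a recipient outside the organization's own domains, and joins each flagged rule to the admin-audit events that created or modified it, so the reviewer sees when the rule appeared and under which account. The rule and event records, the field names, the organization domains, the threshold for a "wide" keyword list, and the attacker-placeholder address are all constructed for illustration; the loader must be adapted to whatever format your mail suite exports rules and audit events in.

```python
"""Flag mail rules that copy matching messages to external addresses.

Added example. All records below are CONSTRUCTED for illustration; the
field names are not any vendor's export schema and the addresses are
placeholders, not indicators from the GTIG report.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: the organization owns exactly these mail domains.
ORG_DOMAINS = {"example-research.org", "mail.example-research.org"}

# Constructed rule inventory. "add_recipients" lists every address a rule's
# action (bcc / forward) adds to a matching message.
RULES = [
    {"name": "Archive legal hold", "action": "bcc",
     "match_terms": ["subpoena", "litigation"],
     "add_recipients": ["legalhold@example-research.org"]},
    {"name": "Patroit", "action": "bcc",
     # A long keyword list is itself a signal worth surfacing.
     "match_terms": ["chikungunya", "uncrewed", "hypersonic"]
                    + [f"placeholder-term-{i}" for i in range(145)],
     "add_recipients": ["attacker-placeholder@gmail.example"]},
    {"name": "Spam quarantine", "action": "quarantine",
     "match_terms": ["lottery"], "add_recipients": []},
]

# Constructed admin-audit events: "<timestamp> <actor> <event> <rule name>".
AUDIT_LOG = """\
2024-11-02T03:14:09Z admin.svc@example-research.org CREATE_RULE Patroit
2024-11-02T03:16:41Z admin.svc@example-research.org MODIFY_RULE Patroit
2023-05-10T14:00:00Z it-ops@example-research.org CREATE_RULE Archive legal hold
"""


@dataclass
class Finding:
    rule: str
    external: list          # recipients outside ORG_DOMAINS
    term_count: int         # size of the keyword list
    wide: bool              # keyword list exceeds the review threshold
    changes: list = field(default_factory=list)  # (timestamp, actor, event)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(rule: dict, org_domains: set) -> list:
    """Addresses a rule adds that are not in the organization's domains."""
    return [a for a in rule["add_recipients"] if domain_of(a) not in org_domains]


def parse_audit_log(text: str) -> list:
    """Parse the constructed event format into (timestamp, actor, event, rule)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, event, name = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       actor, event, name))
    return events


def audit_rules(rules: list, org_domains: set, audit_text: str,
                wide_threshold: int = 50) -> list:
    """Return a Finding for every rule that routes mail outside the org,
    with its change history from the audit log attached in time order."""
    events = parse_audit_log(audit_text)
    findings = []
    for rule in rules:
        ext = external_recipients(rule, org_domains)
        if not ext:
            continue  # internal-only copies are not an exfiltration path
        history = sorted((ts, actor, ev) for ts, actor, ev, name in events
                         if name == rule["name"])
        findings.append(Finding(rule["name"], ext, len(rule["match_terms"]),
                                len(rule["match_terms"]) >= wide_threshold,
                                history))
    return findings


if __name__ == "__main__":
    for f in audit_rules(RULES, ORG_DOMAINS, AUDIT_LOG):
        print(f"rule {f.rule!r}: copies to {f.external}, "
              f"{f.term_count} terms{' (wide)' if f.wide else ''}")
        for ts, actor, ev in f.changes:
            print(f"  {ts.isoformat()}  {ev:<12} by {actor}")
```

The check is deliberately on the destination, not the keyword list: a rule that BCCs to an outside domain is worth a ticket regardless of what it matches, and the keyword count is only a secondary signal. Because the rule as it exists today says nothing about when it was introduced, the change history is what lets a reviewer tie the rule to the window of the admin-account compromise.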

Google still does not know how UNC6508 first reached the REDCap servers. The part worth watching is the mail rule. Once attackers hold admin access, a built-in cloud feature can quietly become an exfiltration path, and that is what defenders need to audit, not just the REDCap backdoor.