Google’s Threat Intelligence Group (GTIG) has disclosed details of a prolonged cyber espionage campaign attributed with high confidence to a China-linked threat cluster identified as UNC6508, which reportedly infiltrated medical, academic, military, and research institutions across North America and remained undetected for more than a year. According to Google, the threat actors targeted organizations in the United States and Canada, including clinical providers, military health institutions, academic centers, advocacy organizations, and health regulators, with the apparent objective of quietly collecting sensitive research and defense-related communications. Researchers stated that the attackers initially gained access through compromised REDCap servers, later abusing legitimate Google Workspace administrative features to exfiltrate email content matching carefully selected intelligence-related keywords. Google confirmed that affected organizations were notified and that infrastructure associated with the operation has since been disrupted.
According to GTIG, the campaign began with the compromise of externally exposed REDCap servers, a web platform widely used by hospitals, universities, and research institutions for study database management and research data collection. While Google has not identified the exact method used to gain initial access, cybersecurity researchers observed activity targeting outdated and vulnerable REDCap versions. Approximately three months after infiltrating systems, the threat group reportedly deployed custom malware called INFINITERED, designed specifically to modify REDCap’s system files and maintain persistence across software updates. Researchers explained that the malware altered the REDCap upgrade mechanism so that future updates automatically restored the malicious code rather than removing it. In addition, INFINITERED reportedly harvested usernames and passwords entered through REDCap login pages and stored them in encrypted local database tables, while also functioning as a backdoor capable of receiving commands through HTTP cookies during routine page activity. Google stated that the earliest known signs of compromise date back to September 2023, with activity continuing through November 2025. Following access to compromised servers, UNC6508 reportedly conducted internal reconnaissance, extracted service account and database credentials, and later expanded access across internal networks to obtain domain administrator privileges.
Researchers stated that once administrative access had been secured, the attackers shifted attention to email collection using Google Workspace content compliance rules, a legitimate administrative function commonly used to monitor and filter email communications. Rather than deploying separate malware or relying on suspicious network transfers, the group reportedly created a content compliance rule named “Patroit,” apparently a misspelled variation of “Patriot,” to monitor email communications for nearly 150 keywords, targeted search phrases, and email addresses aligned with its intelligence priorities. When messages matched the configured criteria, Google Workspace automatically and silently copied them via blind carbon copy to a Gmail account controlled by the attackers, which has since been disabled by Google. Researchers noted that this approach allowed email exfiltration without creating unusual network activity or installing additional tools on mail systems, making detection significantly more difficult. Google described this as a notable tactic because, while email forwarding abuse has long been recognized in cybersecurity frameworks such as MITRE, the use of content compliance rules for intelligence gathering had not previously been publicly associated with a China-linked threat actor.
According to GTIG, the targeted keywords reflected intelligence interests involving military strategy, advanced technology, artificial intelligence, uncrewed systems, cyber operations, geopolitical policy, and medical research. Researchers highlighted the appearance of “chikungunya” among monitored terms, referencing the mosquito-borne virus associated with an outbreak reported in China’s Guangdong province during 2025. Google has advised organizations using REDCap to update internet-facing servers immediately and remove outdated versions entirely, warning that legacy installations running alongside newer versions may enable downgrade attacks. Security teams are also encouraged to review Google Workspace or comparable cloud email systems for suspicious content compliance and forwarding rules, audit administrative changes, examine indicators linked to INFINITERED malware, and implement phishing-resistant multi-factor authentication for administrator accounts to reduce the risk of unauthorized access and covert email collection.
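A defender-side check for the rule review recommended above, written as an added example rather than code from Google’s report: it scans a constructed, simplified list of mail rules (the `MailRule` shape, `ORG_DOMAINS`, and every sample value, including the placeholder Gmail address, are assumptions, and real Workspace exports differ) and flags any rule that copies matching mail to an address outside the organization’s own domains or that matches an unusually long keyword list, the two traits of the “Patroit” rule described in the article.

```python
"""Audit exported mail rules for silent external copying (BCC/forward).

Added example, not from Google's report. The rule records are a
constructed, simplified stand-in for Workspace content compliance and
routing rules; the detection logic, not the schema, is the point.
"""
from dataclasses import dataclass, field

# Assumed: domains the organization legitimately owns.
ORG_DOMAINS = {"example-hospital.org", "mail.example-hospital.org"}


@dataclass
class MailRule:
    name: str
    rule_type: str                    # e.g. "content_compliance", "routing"
    match_terms: list = field(default_factory=list)
    add_recipients: list = field(default_factory=list)  # BCC/forward targets
    created_by: str = ""


def external_recipients(rule: MailRule) -> list:
    """Return added recipients whose domain the organization does not own."""
    return [r for r in rule.add_recipients
            if r.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def audit_rules(rules, keyword_threshold=50):
    """Flag rules that copy matching mail outside the org or cast a wide net.

    Either condition alone deserves review; both together resemble the
    keyword-matched BCC collection described in the report.
    """
    findings = []
    for rule in rules:
        reasons = []
        ext = external_recipients(rule)
        if ext:
            reasons.append("copies mail to external address(es): " + ", ".join(ext))
        if len(rule.match_terms) >= keyword_threshold:
            reasons.append(f"matches {len(rule.match_terms)} terms (broad collection)")
        if reasons:
            findings.append((rule.name, rule.created_by, reasons))
    return findings


# Constructed sample rules (not real data from the incident).
SAMPLE_RULES = [
    MailRule("HIPAA attachment block", "content_compliance", ["SSN", "patient id"],
             [], "compliance-admin@example-hospital.org"),
    MailRule("Legal hold copy", "routing", [],
             ["legalhold@mail.example-hospital.org"], "it-admin@example-hospital.org"),
    MailRule("Patroit", "content_compliance", [f"term{i}" for i in range(140)],
             ["collector.placeholder@gmail.com"], "svc-admin@example-hospital.org"),
]

if __name__ == "__main__":
    for name, who, reasons in audit_rules(SAMPLE_RULES):
        print(f"[!] rule '{name}' created by {who}: " + "; ".join(reasons))
```

Pair the output with the admin audit log entry that created each flagged rule, since a rule added by a service or newly elevated account is the signal the article points to.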