Security researchers from Google Threat Intelligence Group (GTIG) uncovered a long-running cyber espionage campaign attributed to UNC6508, a PRC-linked threat actor that targeted medical, academic, and military research institutions across North America. The attackers remained undetected for more than a year while collecting sensitive information related to medical research, artificial intelligence, defense intelligence, cyber operations, and military strategy.
The campaign primarily focused on compromising REDCap (Research Electronic Data Capture) servers, a widely used platform for managing clinical research databases and surveys. After gaining access, the attackers deployed custom malware called INFINITERED, harvested credentials, established persistence, and later abused enterprise email compliance rules to exfiltrate sensitive communications.
Campaign Overview
The operation demonstrates a sophisticated attack chain combining exploitation of public-facing applications, credential theft, malware deployment, persistence mechanisms, and stealthy data exfiltration.
Key Objectives
- Medical research intelligence
- Artificial Intelligence research
- Defense-related information
- Military health research
- Public health policy data
Researchers observed the activity from September 2023 through November 2025, indicating a highly patient and well-resourced espionage operation.

High-level attack flow used by UNC6508 to compromise research institutions and steal sensitive information.
Initial Access Through REDCap Servers
Why REDCap Was Targeted
REDCap is extensively used across:
- Hospitals
- Clinical research organizations
- Universities
- Government research programs
- Military health institutions
Because REDCap stores large volumes of research and patient-related information, it provides an attractive entry point for espionage-focused threat actors.
Researchers observed the attackers probing and exploiting vulnerable or legacy REDCap deployments exposed to the internet. Once access was obtained, they began internal reconnaissance and credential discovery activities.
Web Shell Deployment and Persistence
Following successful compromise, UNC6508 deployed a web shell identified as:
help.php
The web shell served multiple purposes:
- Persistent access
- File uploads
- Command execution
- Further malware deployment
This allowed the attackers to maintain long-term access even if passwords were changed or some security controls were implemented.
INFINITERED Malware Analysis
Three months after the initial intrusion, researchers observed deployment of a custom malware family called INFINITERED. This malware was specifically engineered to operate inside REDCap environments.

Modular architecture of INFINITERED malware used by UNC6508 to maintain persistence, harvest credentials, and execute commands within compromised REDCap environments.
Component 1 – Upgrade Interceptor
The malware monitors REDCap upgrade activities.
When administrators update REDCap, the malware automatically injects itself into the newer version, ensuring persistence across software upgrades.
Component 2 – Credential Harvester
This module captures usernames and passwords entered into REDCap login pages.
Stolen credentials are stored within REDCap database tables and later retrieved by attackers.
Component 3 – Command-and-Control Backdoor
The third module acts as a fully functional backdoor.
Researchers found it could:
- Execute shell commands
- Upload files
- Download files
- Run SQL queries
Communication was hidden within HTTP cookie values, helping evade traditional detection mechanisms.
Abuse of Google Workspace for Data Exfiltration
One of the most interesting aspects of the campaign was the attackers’ use of legitimate Google Workspace functionality.
After obtaining administrative access, UNC6508 created a content compliance rule named:
Patroit
The rule automatically monitored emails containing specific keywords and forwarded matching messages to attacker-controlled Gmail accounts.
Attack Chain Breakdown
- External Reconnaissance
- Initial Compromise
- Persistence
- Privilege Escalation
- Intelligence Gathering
Potential Impact on Organizations
Organizations affected by this campaign could experience:
Research Theft
Loss of valuable intellectual property and scientific research.
Strategic Intelligence Exposure
Disclosure of defense and geopolitical information.
Credential Compromise
Unauthorized access to enterprise systems.
Regulatory Risks
Exposure of regulated healthcare and research data.
Alternative Indicators of Compromise (IOCs)
| IOC Category | Description |
|---|---|
| Web Shell | help.php |
| Malware Family | INFINITERED |
| Email Rule Name | Patroit |
| Activity | Unauthorized REDCap upgrades |
| Activity | Suspicious credential harvesting |
| Activity | Unexpected SQL queries |
| Activity | Abnormal Gmail forwarding rules |
| Activity | Unauthorized admin account access |
| Activity | HTTP cookie-based command execution |
| Activity | Unusual database access patterns |
Security Recommendations
Upgrade REDCap Immediately
Remove legacy versions and apply the latest security updates.
Conduct Threat Hunting
Search for:
- help.php
- INFINITERED artifacts
- Unauthorized admin activity
- Credential harvesting indicators
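As an added example, not part of the GTIG report or any REDCap tooling, the script below hunts web-server access logs for two of the indicators discussed above: requests to a file named help.php (the web shell) and long, high-entropy cookie values of the kind that could carry INFINITERED command traffic. The log format (combined log plus the request's Cookie header), the REDCap path, the length and entropy thresholds, and the sample lines are all assumptions constructed for the demo.

```python
import base64
import math
import re
from collections import Counter

# Assumed custom log format: combined log format with the Cookie header appended in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
WEB_SHELL_NAME = "help.php"   # file name reported for the UNC6508 web shell
MAX_COOKIE_LEN = 200          # assumed: a single cookie value longer than this is unusual
MIN_ENTROPY = 4.5             # assumed: bits per character; encoded blobs sit near 5-6

def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_cookies(cookie_header):
    """Return names of cookies whose value is both oversized and looks encoded."""
    hits = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if len(value) > MAX_COOKIE_LEN and shannon_entropy(value) > MIN_ENTROPY:
            hits.append(name)
    return hits

def hunt(lines):
    """Return (client_ip, reason) findings for every log line that matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        path = m.group("path").split("?")[0]
        if path.rsplit("/", 1)[-1] == WEB_SHELL_NAME:
            findings.append((m.group("ip"), f"request to web shell name {path}"))
        for name in suspicious_cookies(m.group("cookie")):
            findings.append((m.group("ip"), f"high-entropy cookie '{name}' on {path}"))
    return findings

# Constructed sample log: one benign request, one web-shell hit, one oversized encoded cookie.
ENCODED = base64.b64encode(bytes(range(256))).decode()  # constructed 344-char blob
SESSION = "PHPSESSID=0123456789abcdef0123456789ab"
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Oct/2024:10:00:00 +0000] "GET /redcap/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0" "{SESSION}"',
    f'203.0.113.7 - - [01/Oct/2024:10:01:13 +0000] "POST /redcap/help.php HTTP/1.1" 200 88 "-" "curl/8.0" "{SESSION}"',
    f'203.0.113.7 - - [01/Oct/2024:10:02:45 +0000] "GET /redcap/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "{SESSION}; rcsid={ENCODED}"',
]
```

Run `hunt(SAMPLE_LOG)` to get two findings: the POST to help.php and the oversized `rcsid` cookie; tune the thresholds against your own baseline before using it on production logs.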
The UNC6508 campaign highlights how modern nation-state threat actors are increasingly targeting research ecosystems to obtain strategic intelligence. By exploiting REDCap servers, deploying INFINITERED malware, and abusing legitimate cloud email features, the attackers maintained access for more than a year while collecting sensitive medical, defense, and technology research data. Organizations operating research platforms should prioritize patching, continuous monitoring, and proactive threat hunting to defend against similar espionage campaigns.