The Google Threat Intelligence Group (GTIG) uncovered a spying campaign attributed to UNC6508, a group affiliated with China. From September 2023 to November 2025, the attackers targeted a wide range of academic, medical and military research organizations in the United States and Canada.
Their goal was to collect strategic intelligence on topics as varied as defense, operations in the Indo-Pacific region, artificial intelligence and cutting-edge medical research.
How did the attackers manage to infiltrate?
The initial entry point was the exploitation of REDCap servers, a web application widely used in the research community for managing databases and online surveys.
While the exact access vector has not been formally identified, Google researchers observed that UNC6508 probed old and vulnerable versions of this solution.
About three months after the first compromises, the attackers deployed a custom malware named INFINITERED. Designed specifically for REDCap systems, it embeds itself unobtrusively in legitimate system files.
The malware performs three main functions: intercepting the update process to ensure its persistence, collecting login credentials and acting as a backdoor that can be controlled remotely via commands hidden in HTTP cookies.
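The article notes that INFINITERED takes its commands from HTTP cookies. The following is an added example, not code from the original article, from Google or from the REDCap project, of the kind of log review a defender could run to surface that pattern: it scans web server log lines for requests to REDCap paths whose cookies carry unexpected names, unusually long values, or values with the high per-character entropy typical of encoded payloads. It assumes a custom log format that records the Cookie header as `cookie="..."` (real default formats do not), and the expected cookie names, thresholds and log lines are all constructed for the example.

```python
"""Flag anomalous Cookie headers on REDCap requests in a web server log.

Added example (not from the original article, Google or the REDCap project).
It assumes the server writes a custom log format that records the Cookie
header as cookie="..."; the log lines below are constructed for this example.
"""
import math
import re
import string
from collections import Counter

# Cookie names the deployment is expected to set (assumption: compare against
# your own REDCap instance before using this as a baseline).
EXPECTED_COOKIE_NAMES = {"PHPSESSID"}
MAX_VALUE_LENGTH = 200          # assumption: no legitimate cookie value this long
ENTROPY_THRESHOLD = 5.5         # bits per character; random base64 text is ~6.0

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$')

_B64 = string.ascii_letters + string.digits + "+/"   # 64 distinct characters

# Constructed sample log: one normal request, one with an unexpected cookie
# name, and one whose session cookie carries a long high-entropy blob.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /redcap/index.php HTTP/1.1" '
    '200 cookie="PHPSESSID=k3j4h5g6f7d8s9a0q1w2e3r4t5"',
    '10.0.0.7 - - [01/Oct/2025:10:00:09 +0000] "POST /redcap/index.php HTTP/1.1" '
    '200 cookie="PHPSESSID=z9x8c7v6b5n4m3l2k1j0h9g8f7; upd=1"',
    '203.0.113.9 - - [01/Oct/2025:10:01:17 +0000] "GET /redcap/index.php HTTP/1.1" '
    '200 cookie="PHPSESSID=' + _B64 * 4 + '"',
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_cookies(header):
    """Split a raw Cookie header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def inspect_line(line):
    """Return the reasons this request looks suspicious (empty list if none)."""
    m = LOG_RE.match(line)
    if not m or "/redcap/" not in m.group("req"):
        return []
    reasons = []
    for name, value in parse_cookies(m.group("cookie")).items():
        if name not in EXPECTED_COOKIE_NAMES:
            reasons.append(f"unexpected cookie name {name!r}")
        if len(value) > MAX_VALUE_LENGTH:
            reasons.append(f"{name} value is {len(value)} chars long")
        ent = shannon_entropy(value)
        if ent > ENTROPY_THRESHOLD:
            reasons.append(f"{name} value entropy {ent:.2f} bits/char")
    return reasons


def scan_log(lines):
    """Return (line_index, reasons) for every flagged line, in log order."""
    flagged = []
    for idx, line in enumerate(lines):
        reasons = inspect_line(line)
        if reasons:
            flagged.append((idx, reasons))
    return flagged


if __name__ == "__main__":
    for idx, reasons in scan_log(SAMPLE_LOG):
        print(f"line {idx}: " + "; ".join(reasons))
```

The entropy and length thresholds are deliberately coarse; in practice they are tuned against a week of known-good traffic for the specific instance, and an unexpected cookie name is a prompt to check the application, not proof of compromise on its own.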
What was their method of exfiltrating the data?
The most innovative part of this campaign lies in the data exfiltration technique, a method never before observed among actors linked to China.
After gaining administrator access with the stolen credentials, UNC6508 abused a legitimate feature of Google Workspace: content compliance rules. These rules, designed to manage sensitive communications, were diverted from their intended purpose.
The attackers created a rule, misspelled “Patroit”, that scanned all incoming and outgoing emails. If a message contained one of nearly 150 predefined keywords (related to geostrategy, military technologies or medical research), it was automatically and silently forwarded as a blind carbon copy to a Gmail address controlled by the attackers.
This stealthy approach enabled continuous data exfiltration without generating suspicious network traffic or requiring additional malware tools on email servers.
Recommended protective measures
To protect against such threats, Google recommends several measures, including updating REDCap servers and removing old versions.
Administrators should also regularly audit compliance and email forwarding rules for unauthorized changes.
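One way to make that audit repeatable is to keep a reviewed snapshot of the rule set and diff the live export against it, while independently flagging any rule that silently copies mail to an address outside the organization. The script below is an added example, not code from the original article or from Google: it assumes an administrator has exported the rules into the constructed dict format shown (the field names are this example's own, not a Google schema), and the domain names and addresses are placeholders.

```python
"""Audit content compliance rules for unauthorized changes and external BCC.

Added example (not from the original article or from Google). It assumes an
administrator has exported the Workspace rules into the constructed dict
format below; the field names are this example's own, not a Google schema.
"""

ORG_DOMAINS = {"research.example.edu"}             # assumption: the tenant's own domains
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}  # consumer mailboxes, as in the article

# Constructed sample: snapshot recorded at the last authorized review.
BASELINE_RULES = [
    {"name": "DLP - block SSN outbound", "scope": ["outbound"],
     "keyword_count": 3, "bcc": []},
]

# Constructed sample: rules as exported today. The second entry mirrors the
# behaviour described in the article: broad scope, ~150 keywords, BCC to Gmail.
CURRENT_RULES = [
    {"name": "DLP - block SSN outbound", "scope": ["outbound"],
     "keyword_count": 3, "bcc": []},
    {"name": "Patroit", "scope": ["inbound", "outbound", "internal"],
     "keyword_count": 150, "bcc": ["collector.placeholder@gmail.com"]},
]


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(baseline, current, org_domains=ORG_DOMAINS):
    """Return (rule_name, finding) tuples; an empty list means no drift."""
    findings = []
    baseline_by_name = {r["name"]: r for r in baseline}
    current_names = {r["name"] for r in current}

    for rule in current:
        name = rule["name"]
        old = baseline_by_name.get(name)
        if old is None:
            findings.append((name, "new rule not present in baseline"))
        elif old != rule:
            findings.append((name, "rule definition differs from baseline"))

        # Any BCC target outside the organisation deserves a look; a consumer
        # mailbox is exactly the pattern the article describes.
        for addr in rule.get("bcc", []):
            dom = domain_of(addr)
            if dom in CONSUMER_DOMAINS:
                findings.append((name, f"BCC to consumer mailbox: {addr}"))
            elif dom not in org_domains:
                findings.append((name, f"BCC to external domain: {addr}"))

        # Broad scope + large keyword list + silent copy is a collection rule,
        # not a compliance rule, regardless of what it is named.
        if ({"inbound", "outbound"} <= set(rule["scope"])
                and rule["keyword_count"] >= 100 and rule.get("bcc")):
            findings.append((name, "broad keyword rule silently copying mail in both directions"))

    for name in baseline_by_name.keys() - current_names:
        findings.append((name, "rule removed since baseline"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(BASELINE_RULES, CURRENT_RULES):
        print(f"[{name}] {finding}")
```

The baseline itself should be stored outside the admin console (a signed file in a ticket or repository), so that an attacker with administrator access cannot quietly update both the rule and the snapshot it is compared against.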
Deploying phishing-resistant multi-factor authentication on privileged accounts, such as administrators, remains a critical defense to prevent the initial access that makes this type of exfiltration possible.
