Fast Facts
- UNC6508 exploited externally facing REDCap servers, deploying the custom malware INFINITERED to harvest credentials and covertly exfiltrate sensitive research data over more than a year.
- They pivoted inside networks using stolen credentials, manipulating domain compliance settings and abusing enterprise tools to remain undetected while targeting high-value national security and medical research assets.
- The campaign resulted in long-term access, data theft, and BCC forwarding of email to the threat actors, undermining institutional confidentiality and security across North American research organizations.
Threat, Techniques, and Targets
Google Threat Intelligence Group (GTIG) found a sophisticated campaign linked to UNC6508, a threat group from China. For over a year, this group remained undetected while attacking North American medical, military, and academic organizations. They first broke into externally facing web applications, especially the REDCap servers used to manage research data. The attackers used custom malware called INFINITERED to capture login details, then used those credentials to access internal systems. To hide their actions, they manipulated domain rules so that data could leave the network unnoticed and employed advanced operational security tactics. Their goal was broad: they aimed to gather sensitive defense information, artificial intelligence research, medical innovations, and military data. The attack pattern shows a focus on high-value targets with large research budgets. The campaign started in September 2023 and continued into late 2025.
Impact, Security Issues, and Guidance
This campaign could have serious consequences. If attackers gain access to sensitive medical or defense data, they could undermine national security or compromise medical research. The use of custom malware and sophisticated tactics makes detection difficult. Organizations should strengthen their security measures. They should enforce two-step verification for admin accounts and consider additional protections for critical systems. Monitoring audit logs and implementing data loss prevention policies can help detect and prevent data leaks. Fully updating REDCap systems and scanning for malware like INFINITERED are essential. It is also recommended to work with security experts, such as Mandiant, and to get tailored remediation steps from vendors or authorities. Overall, maintaining strong security practices is crucial to reduce risk and detect malicious activity early.