Particle.news

Google Attributes Yearlong REDCap Breach to UNC6508

GTIG says the group used a custom trojan and misused Google Workspace rules to quietly steal research and defense emails from U.S. and Canadian institutions.

Overview

  • Google disclosed Monday that a China-linked cluster it calls UNC6508 operated from September 2023 through November 2025 and compromised multiple medical, academic and military research organizations in the United States and Canada.
  • Attackers gained entry by probing externally facing REDCap servers and, three months after initial access, deployed bespoke malware called INFINITERED that trojanized REDCap files to harvest credentials and survive upgrades.
  • Using stolen admin credentials, the group created a content compliance rule named “Patroit” that automatically BCCed nearly 150 keyword-matched emails to an attacker Gmail account that Google has since disabled.
  • GTIG found the campaign showed strong operational security, including U.S.-based residential proxies and credential replay, and Google said it notified affected organizations, disrupted some infrastructure, and published IoCs and YARA rules to aid defenders.
  • The collection focused on medical research, AI, unmanned systems and military topics, which GTIG says aligns with historic PRC intelligence priorities, and the group remains assessed as active with additional compromises still under investigation.
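The third bullet describes the exfiltration mechanism: a Gmail content compliance rule that silently BCCs keyword-matched mail to an external mailbox. A defender's first check after reading this is to audit every routing or compliance rule in the tenant for external copy recipients. The script below is an added example, not part of the Particle.news summary or of Google's report; the `ComplianceRule` record layout, the organization domains and the sample rules are all constructed for illustration, and the consumer-mail domain list is a heuristic assumption rather than anything the report states.

```python
"""Flag Workspace-style compliance rules that copy mail outside the organization.

Added example: the record layout is a simplified, constructed stand-in for an
export of admin audit events or rule settings; map your own data onto it.
"""
from dataclasses import dataclass, field

# Constructed organization domains; replace with the tenant's verified domains.
INTERNAL_DOMAINS = {"example-university.edu"}

# Heuristic assumption: a rule that copies mail to a consumer mailbox is the
# highest-priority finding, since the report describes an attacker Gmail account.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


@dataclass
class ComplianceRule:
    name: str
    created_by: str
    conditions: list[str]                 # keyword matches the rule triggers on
    mode: str                             # "bcc", "cc", "quarantine" or "reject"
    add_recipients: list[str] = field(default_factory=list)


# Constructed sample rules: one benign internal archive, one exfiltration-style rule.
SAMPLE_RULES = [
    ComplianceRule(
        name="Legal hold archive",
        created_by="admin@example-university.edu",
        conditions=["contract"],
        mode="bcc",
        add_recipients=["archive@example-university.edu"],
    ),
    ComplianceRule(
        name="Patroit",
        created_by="admin@example-university.edu",
        conditions=["unmanned", "AI", "research grant"],
        mode="bcc",
        add_recipients=["collector-placeholder@gmail.com"],  # constructed placeholder
    ),
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if malformed)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def is_external(address: str, internal_domains: set[str]) -> bool:
    """True when the address does not belong to one of the organization's domains."""
    return domain_of(address) not in {d.lower() for d in internal_domains}


def find_external_copy_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that BCCs or CCs mail to an external recipient.

    BCC rules are rated higher than CC rules because the sender never sees the
    extra recipient; a consumer-mail destination raises the rating to critical.
    """
    findings = []
    for rule in rules:
        if rule.mode not in ("bcc", "cc"):
            continue  # quarantine/reject rules do not forward message content
        external = [r for r in rule.add_recipients if is_external(r, internal_domains)]
        if not external:
            continue
        severity = "high" if rule.mode == "bcc" else "medium"
        if any(domain_of(r) in CONSUMER_MAIL_DOMAINS for r in external):
            severity = "critical"
        findings.append({
            "rule": rule.name,
            "created_by": rule.created_by,
            "mode": rule.mode,
            "external_recipients": external,
            "keywords": rule.conditions,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_copy_rules(SAMPLE_RULES):
        print(f"[{finding['severity'].upper()}] rule {finding['rule']!r} "
              f"({finding['mode']}) copies mail matching {finding['keywords']} "
              f"to {finding['external_recipients']}, created by {finding['created_by']}")
```

Run this against a periodic export of the tenant's routing and compliance rules and alert on any new finding; pairing it with a review of which admin account created the rule, and when, ties the rule back to the credential misuse the report describes.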