A China-linked espionage campaign has been uncovered targeting North American medical, academic, and defense-related institutions, where attackers reportedly remained undetected for more than a year while quietly exfiltrating sensitive research and government-linked communications.
The operation has been attributed with high confidence to a threat cluster tracked as UNC6508 by Google Threat Intelligence Group.
Long-Term Infiltration of Research and Defense Networks
According to researchers, the attackers gained initial access through compromised instances of REDCap (Research Electronic Data Capture), a widely used platform in hospitals and universities for managing clinical and research databases.
Once inside, the group maintained persistence for over a year, moving laterally across systems in organizations spanning:
- Medical research institutions
- Academic centers
- Military health environments
- Policy and healthcare regulatory bodies
The earliest known activity dates back to September 2023, with intrusions continuing until late 2025.
Malware Hidden Inside Research Platforms
Security analysts say the attackers deployed a custom backdoor dubbed INFINITERED, which modified REDCap system components to maintain long-term access.
The malware was designed to:
- Persist through software updates by reinfecting new versions
- Harvest login credentials from application login pages
- Execute remote commands via HTTP cookie-based requests
- Remain active during normal application usage
While the exact initial intrusion method remains unknown, researchers believe attackers may have exploited outdated or vulnerable REDCap deployments.
Credential Theft and Network Expansion
After compromising REDCap servers, the attackers collected database credentials and service account data. This allowed them to expand deeper into internal networks, eventually obtaining administrative-level access in some environments.
However, the most concerning stage of the attack involved no malware at all; it relied instead on legitimate cloud platform features.
Google Workspace Rules Turned Into a Silent Data Exfiltration Tool
Once attackers gained administrative control, they abused a built-in feature in Google Workspace known as content compliance rules.
These rules are designed to scan emails for specific terms and automatically take actions such as copying or forwarding messages. The attackers weaponized this functionality by creating a rule that:
- Monitored nearly 150 sensitive keywords and email targets
- Silently copied matching emails
- Forwarded them to an external attacker-controlled Gmail account
The rule even included a deliberately misspelled keyword pattern, suggesting efforts to avoid detection.
Unlike traditional data theft methods, this approach generated no suspicious malware traffic—making it significantly harder for defenders to detect.
Intelligence Targets and Strategic Focus
Analysis of the rule’s keyword set suggests the group was focused on highly sensitive intelligence categories, including:
- Military strategy and defense systems
- Geopolitical policy discussions
- Advanced technologies such as artificial intelligence and autonomous systems
- Cybersecurity operations
- Medical and infectious disease research
One unusual keyword related to chikungunya, a mosquito-borne disease that has recently seen outbreaks in southern China, also appeared among the collection targets.
Google’s Response and Mitigation Efforts
Google Threat Intelligence Group stated that it disrupted parts of the campaign infrastructure and notified affected organizations. The attacker-controlled Gmail accounts used for data exfiltration have since been disabled.
Researchers emphasize that this incident demonstrates how cloud-native administrative features can be misused for stealthy espionage operations without deploying traditional malware at the data-exfiltration stage.
Defensive Recommendations
Security experts advise organizations to take immediate steps to reduce exposure:
- Audit and patch externally facing REDCap installations and remove outdated versions
- Monitor for downgrade or legacy version abuse in research platforms
- Review email system rules for unauthorized forwarding or BCC behavior
- Inspect admin audit logs for unexpected rule creation or modification
- Enforce phishing-resistant multi-factor authentication for administrators
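As an added example (not code from the article or from Google), here is the check behind the last two recommendations: a small scanner over admin-audit events that flags content compliance rules whose actions deliver mail outside the organisation or that match an unusually large keyword set, as the rule described above did. The event schema, actors, addresses and rule names are constructed for illustration; real Admin SDK Reports API records use different field names.

```python
# Added example (not from the article or from Google): scans a batch of
# Google Workspace admin-audit events for content compliance rules whose
# actions deliver mail outside the organisation. The event schema below is
# a constructed simplification; real Admin SDK Reports API records differ.
from dataclasses import dataclass

# Constructed sample events: one benign archiving rule and one that mirrors
# the behaviour described in the article (broad keyword match -> forward to
# an external Gmail address).
SAMPLE_EVENTS = [
    {"ts": "2025-10-02T08:14:11Z", "actor": "it-admin@example.org",
     "event": "CREATE_CONTENT_COMPLIANCE_RULE", "rule": "Archive legal mail",
     "matchers": ["subpoena", "litigation hold"],
     "actions": [{"type": "bcc", "to": "legal-archive@example.org"}]},
    {"ts": "2025-10-02T23:51:07Z", "actor": "svc-backup@example.org",
     "event": "CREATE_CONTENT_COMPLIANCE_RULE", "rule": "Backup filter",
     "matchers": ["defense", "autonomous"] + [f"kw{i}" for i in range(145)],
     "actions": [{"type": "forward", "to": "research.sync.7731@gmail.com"}]},
]

@dataclass
class Finding:
    rule: str
    actor: str
    reasons: list

def _domain(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()

def find_suspicious_rules(events, trusted_domains, keyword_threshold=100):
    """Return a Finding for every content-compliance rule event that delivers
    mail to an untrusted domain or matches an unusually large keyword set."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for ev in events:
        if not ev["event"].endswith("CONTENT_COMPLIANCE_RULE"):
            continue  # other admin events are out of scope here
        reasons = []
        for act in ev.get("actions", []):
            if act["type"] in ("bcc", "forward") and _domain(act["to"]) not in trusted:
                reasons.append(f"{act['type']} to external {act['to']}")
        if len(ev.get("matchers", [])) >= keyword_threshold:
            reasons.append(f"{len(ev['matchers'])} keywords in one rule")
        if reasons:
            findings.append(Finding(ev["rule"], ev["actor"], reasons))
    return findings

if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_EVENTS, ["example.org"]):
        print(f)
```

The same two conditions (external delivery target, oversized keyword list) can be expressed as an alert in whatever SIEM ingests the admin audit log; the threshold is a tuning knob, not a fixed indicator.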
Conclusion
The campaign highlights a growing trend in cyberespionage: attackers increasingly rely on legitimate cloud features rather than custom malware to steal sensitive data.
By turning trusted administrative tools into covert exfiltration channels, the UNC6508 group demonstrated how deeply embedded cloud services can be repurposed for stealth intelligence collection—posing significant challenges for traditional detection methods.