Google researchers uncovered a persistent espionage operation that slipped past defenses at universities, hospitals and military health organizations across the United States and Canada. The campaign, attributed to a China-linked group known as UNC6508, ran from September 2023 until November 2025. It focused on stealing sensitive data tied to national security, artificial intelligence, uncrewed vehicles, cyber programs and medical studies.
The intruders did not rely on flashy zero-days for their entire stay. They started by targeting externally facing servers running REDCap, the widely used platform for managing clinical trials, surveys and research databases. Google Threat Intelligence Group observed the group probing older, vulnerable versions of the software. Once inside, they planted a simple web shell called help.php. Three months later they deployed custom malware.
That malware, tracked as INFINITERED, proved clever in its design. It trojanized legitimate REDCap system files. It acted as a recursive dropper that waited for software upgrades. When an update arrived, INFINITERED intercepted the process, injected itself into the new version and maintained control. Credential harvesting came next. The code captured usernames and passwords from login forms, encrypted them and tucked the data into hidden tables in the REDCap database.
A backdoor component listened for special HTTP cookies. Administrators loading any page on the compromised server triggered it. The cookie carried commands. The backdoor could run shell commands, execute SQL queries, upload or download files, or simply beacon system details back to its operators. Persistence survived upgrades. The technique turned the very update process meant to improve security into a reliable lifeline.
Yet the most striking element came after the intruders moved deeper. They used stolen credentials to reach domain administrator accounts. From there they turned to a legitimate Google Workspace feature. They created a content compliance rule named “Patriot” — misspelled in the interface. The rule scanned incoming and outgoing messages for nearly 150 keywords and patterns. Matches were silently BCC’d to an attacker-controlled Gmail account: [email protected].
Those keywords painted a clear picture of intent. They covered geo-strategic policy, military strategy in the Indo-Pacific, artificial intelligence, uncrewed vehicle systems, offensive cyber capabilities and specific medical research topics. One term stood out. Chikungunya. The word referred to a mosquito-borne virus that saw an outbreak in Guangdong, China, in 2025. Its presence suggested the operators tracked both defense developments and select health threats.
Novel. That’s how Google described the abuse of compliance rules for data theft. The method generated no unusual network traffic from the victim’s perspective. No malware sat on the email servers. The organization’s own productivity suite did the work. And because the rule operated at the domain level, most users never noticed.
UNC6508 showed discipline in hiding its tracks. It routed activity through compromised routers, residential proxies and virtual private servers based in the United States. Operators created dedicated infrastructure for the exfiltration Gmail account. They mass-produced accounts through a service when needed. High operational security complicated attribution and detection. Google assessed the activity aligned with longstanding Chinese state intelligence priorities.
The victims included world-renowned clinical providers, premier academic centers, military health institutions, professional advocacy groups and health regulatory bodies. Their combined research budgets reached billions of dollars. The data they held spanned molecular discovery, clinical drug trials, public health policy and military readiness. One medical research organization alone hosted studies on topics that matched the group’s collection list exactly.
Google’s team, working with Mandiant Consulting and internal FLARE and Workspace security units, eventually disrupted the operation. They notified the affected organizations. They disabled the exfiltration Gmail account. Updates to Google Security Operations now help defenders hunt for similar indicators. The company also published indicators of compromise, including file hashes for the web shell, credential harvester, backdoor components and dropper. A VirusTotal collection gathers them in one place.
Security teams at research institutions now face uncomfortable questions. REDCap servers often sit exposed to the internet because researchers need easy collaboration. Many organizations run legacy versions alongside current releases, opening the door to downgrade attacks. Credentials reused between research platforms and enterprise email create easy lateral movement paths. Admin accounts without phishing-resistant multifactor authentication remain prime targets.
But the Google Workspace abuse raises broader issues for any enterprise that uses cloud productivity tools. Compliance rules exist to enforce data loss prevention and regulatory requirements. Here they became an exfiltration channel. Administrators rarely scrutinize every rule created by someone with domain rights. Audit logs record changes, yet spotting a single misspelled rule among hundreds demands deliberate review.
Earlier Google reporting had surfaced UNC6508 in February 2026 in connection with defense sector attacks that also used the INFINITERED payload on REDCap. The Hacker News noted the overlap and provided additional technical breakdowns of how the malware hijacks upgrades and stores harvested credentials. BleepingComputer highlighted the group’s probing of vulnerable REDCap versions and the specific medical research focus at one North American institution.
Recent coverage echoes the same findings. SecurityWeek reported that Google began tracking UNC6508 in early 2025 even though activity dated back to 2023. The group concentrated on organizations with deep expertise in drug discovery through military applications. Reuters, carried by outlets including The Straits Times, stressed the campaign’s duration and the range of stolen material from defense intelligence to AI models.
Chinese officials have denied involvement, as they routinely do in such cases. The technical evidence Google presented — infrastructure overlaps, consistent malware use, precise targeting and operational patterns — supports the attribution to a PRC-nexus actor. UNC6508 appears to be a relatively new cluster, yet its work fits established patterns of Chinese espionage against research organizations.
Research institutions hold dual value. Their medical studies advance treatments. Their military-adjacent projects inform strategy on everything from autonomous systems to cyber weapons. Beijing has long sought advantages in these fields. This campaign shows how patient operators can exploit common tools and trusted platforms to gather that information without triggering alarms for more than two years.
Defenders cannot simply patch one vulnerability and declare victory. They must examine exposed research applications, enforce strict credential hygiene, review cloud admin actions with fresh eyes and monitor for anomalous rules in their productivity suites. The intruders turned the victim’s own systems against them. That tactic will likely appear again.


WebProNews is an iEntry Publication