Chinese Spies Lurked in U.S. Medical Labs for Over a Year, Stealing Biotech and Defense Secrets

Google revealed that PRC-linked hackers from UNC6508 lurked undetected for over a year in U.S. and Canadian medical research networks. They deployed InfiniteRed malware via REDCap servers to steal data on diseases, drones and defense research. The campaign highlights persistent gaps in biomedical cybersecurity.
Chinese Spies Lurked in U.S. Medical Labs for Over a Year, Stealing Biotech and Defense Secrets
Written by Victoria Mossi

Chinese state-linked hackers spent more than a year inside networks of American and Canadian medical research organizations. They siphoned sensitive data on emerging diseases, drone technology and military readiness. The operation, uncovered this week, exposes fresh weaknesses in the very institutions racing to develop tomorrow’s treatments and tools.

Google’s Threat Intelligence Group detailed the campaign on June 15, 2026. The group tracks the activity under the name UNC6508, a PRC-nexus espionage actor with a history of hitting defense and technology targets. Google Cloud Blog laid out the tactics in plain terms. The intruders focused on public and private medical entities. These ranged from clinical providers and academic centers to military health institutions, advocacy groups and regulatory bodies.

Earliest known breach dates to September 2023. The hackers zeroed in on externally facing REDCap servers. REDCap serves as a widely used platform for building clinical research databases and surveys. Once inside, they waited. Three months later they deployed custom malware called InfiniteRed. This tool acted as dropper, credential harvester and backdoor all at once. It trojanized legitimate REDCap files, intercepted software upgrades and maintained persistence even after patches.

From there the intruders pivoted. They gained domain administrator access. Then they created a content compliance rule named “Patriot” — note the misspelling. The rule automatically forwarded emails containing keywords of interest via blind carbon copy to an attacker-controlled Gmail account, [email protected]. Simple. Effective. And it let them read messages without triggering obvious alerts.

Search terms harvested from the operation paint a clear picture of priorities. Drone technology. Chikungunya, the mosquito-borne viral disease. References to Indo-Pacific military commands. Defense contractor email patterns. The list reads like a grocery list for any nation seeking an edge in biotechnology, artificial intelligence and uncrewed systems. Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, noted the breadth in comments reported by The Register. “They were scanning for data to steal,” he said. The terms spanned national security, foreign policy and specific pathogens.

Multiple organizations fell victim. Google declined to name them or disclose exact numbers. It did notify every one it identified and offered incident response help. Some sat compromised for well over a year. Detection came only in early 2025 for certain cases. The delay speaks volumes about the stealth involved. InfiniteRed hid its tracks by injecting into application sessions, using specific database prefixes like “xc32038474a” and responding only to specially crafted REDCAP-TOKEN cookies.

This isn’t an isolated incident. It fits a larger pattern of Chinese espionage against U.S. research. Federal investigators have long warned about talent recruitment programs that pull American scientists into Beijing’s orbit. A 2025 report from the National Counterintelligence and Security Center highlighted how China exploits genetics, medicine and AI research. It cited one case in which a U.S. professor unwittingly shared genetic data later used by Chinese authorities to profile and surveil Uyghur populations. The Safeguarding Academia report from August 2025 pulled no punches.

Recent cases add urgency. In 2025 a University of Texas researcher faced charges for allegedly downloading 90 gigabytes of unpublished cancer research data to a Chinese cloud server. Ties to Chongqing Medical University and Chinese government funding emerged during the probe, according to Texas Policy Foundation analysis. Such incidents blend cyber intrusion with human intelligence. They accelerate China’s drive to dominate biotechnology. Beijing aims for a $3.3 trillion bioeconomy, according to the 2025 Annual Threat Assessment from the Director of National Intelligence.

Yet the UNC6508 campaign stands out for its patience and technical craft. The actors operated through obfuscated networks, compromised routers and virtual private servers based in the U.S. They created fresh Gmail accounts in bulk for exfiltration. Operational security appeared tight. Even so, Google managed to disrupt parts of the infrastructure. It shared indicators of compromise with the community, including specific SHA-256 hashes, IP addresses like 23.169.65.49 and a unique GUID used in the dropper: b49e334d-9c01-463e-9bc5-00a6920fb66e.

Recommendations from Google read like a checklist many research institutions have ignored for too long. Enforce two-step verification on all administrator accounts. Adopt advanced protection programs. Implement domain-based controls for secure email. Audit mailbox rules religiously. Deploy data loss prevention filters tuned to sensitive keywords. And yes, patch REDCap instances immediately. The YARA rules Google published should help defenders hunt for remnants.

But technical fixes only go so far. The deeper problem lies in the strategic value of medical data. Research into molecular discovery feeds directly into pharmaceutical pipelines worth billions. Military health studies inform readiness for future conflicts. AI applied to diagnostics or pathogen modeling carries dual-use implications. When one nation’s labs feed another’s military modernization, the consequences stretch beyond lost revenue.

U.S. officials have responded with visa restrictions, funding controls and closer scrutiny of academic partnerships. More than 500 American universities have collaborated with Chinese military-linked researchers in recent years, a Strider Technologies study found in late 2025. The Senate Homeland Security Committee produced detailed reports on talent plans that siphon knowledge across every state. Still, enforcement lags. Hospitals run on thin margins. Research labs prioritize discovery over cybersecurity. Adversaries count on exactly that.

And the campaign continues to evolve. Google has tracked UNC6508 since at least 2023 in connection with defense industrial base threats. Related activity shows the same actors probing supply chain partners and edge devices. InfiniteRed itself demonstrates growing sophistication in living-off-the-land techniques mixed with bespoke code. Credential theft via web application hooks. Backdoors that survive upgrades. Command execution through SQL queries against research databases.

So what now? Medical institutions cannot treat cyber defense as an afterthought. Government agencies must accelerate information sharing without compromising sources. Universities need clearer rules on foreign collaborations that protect innovation while preserving open science. The stakes involve more than intellectual property. They touch public health, national preparedness and technological leadership.

Chinese espionage in this sector shows no signs of slowing. Recent coverage from SecurityWeek, published hours after Google’s disclosure, confirms the focus remains North American targets in medicine, academia and defense research. The intruders aren’t simply collecting data. They embed, persist and extract over months. Detection often comes too late.

The UNC6508 operation should serve as a wake-up call. American medical research built the foundations for countless breakthroughs. Protecting that foundation demands vigilance at every layer, from server patches to policy reform. Anything less hands strategic advantage to competitors who play by different rules.

Subscribe for Updates

ChinaRevolutionUpdate Newsletter

The ChinaRevolutionUpdate Email Newsletter focuses on the latest technological innovations in China. It’s your go-to resource for understanding China's growing impact on global business and tech.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us