China-linked hackers use custom malware to spy on medical research orgs

A China-linked cyber espionage group targeted vulnerable REDCap servers at a North American medical research institution, deploying custom malware and stealing sensitive data over a period of more than a year, according to researchers from Google Threat Intelligence Group (GTIG).

The activity has been attributed to a threat actor known as UNC6508. GTIG believes the attackers first compromised the organization in September 2023 after probing outdated REDCap installations. The intrusion remained undetected until November 2025.

Three months after gaining access, the attackers deployed a custom malware framework called InfiniteRed, designed specifically for REDCap environments. To avoid detection, malware components were hidden inside modified system files on the server.

InfiniteRed includes three modules: a persistence and update component, a credential harvester, and a backdoor. The credential harvester captures usernames and passwords entered on REDCap login pages, encrypts them, and stores them in REDCap database tables. The backdoor receives commands through HTTP cookies, allowing attackers to execute shell commands, run SQL queries, and retrieve stolen credentials.
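One defender-side check suggested by the cookie-based command channel described above, as an added example that is not part of this article or of GTIG's report: a Python heuristic that scans web server access logs for cookies sent to REDCap pages that have unexpected names or unusually long, high-entropy values. It assumes the server logs the request's Cookie header as the last quoted field (for example an Apache LogFormat ending in `"%{Cookie}i"`); the cookie allowlist, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Assumed log layout: combined-log prefix followed by the Cookie header in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookies>[^"]*)"$'
)
# Assumed allowlist: the cookies a stock PHP/REDCap deployment normally sets.
# Extend it with whatever your own deployment legitimately issues.
EXPECTED_COOKIES = {"PHPSESSID"}
MAX_LEN = 64        # session ids are short; encoded command blobs are not
MIN_ENTROPY = 4.5   # bits per character; encrypted/base64 payloads score high

def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_cookies(header):
    """Split a raw Cookie header into (name, value) pairs, ignoring malformed parts."""
    pairs = []
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def assess_cookie(name, value):
    """Return the reasons a cookie looks like a command channel, or [] if it looks normal."""
    reasons = []
    if name not in EXPECTED_COOKIES:
        reasons.append("unexpected cookie name")
    if len(value) > MAX_LEN:
        reasons.append(f"value length {len(value)} > {MAX_LEN}")
    if shannon_entropy(value) >= MIN_ENTROPY:
        reasons.append("high-entropy value")
    # An allowlisted cookie is only flagged when it is both long and high-entropy,
    # so ordinary session identifiers do not trip the check.
    if name in EXPECTED_COOKIES and len(reasons) < 2:
        return []
    return reasons

def scan_line(line):
    """Return one finding per suspicious cookie on a log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    return [{"ip": m["ip"], "request": m["req"], "cookie": name, "reasons": reasons}
            for name, value in parse_cookies(m["cookies"])
            if (reasons := assess_cookie(name, value))]

def scan_log(lines):
    return [finding for line in lines for finding in scan_line(line)]

# Constructed sample: one normal REDCap login request, one carrying an extra cookie.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2025:14:02:11 +0000] "POST /redcap/index.php HTTP/1.1" 200 4512 '
    '"PHPSESSID=a1b2c3d4e5f6g7h8i9j0k1l2m3"',
    '203.0.113.77 - - [10/Nov/2025:14:05:40 +0000] "GET /redcap/index.php HTTP/1.1" 200 88 '
    '"PHPSESSID=q9w8e7r6t5y4u3i2o1p0a9s8d7; cmd=Zk8xQ2p3TnE5dlJ0TXBMc1dqWXlIYkJnS2ZWdURhRXFScw"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Treat hits as triage leads to correlate with file-integrity data for the web root and with REDCap's own audit tables, not as proof of compromise on their own.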

UNC6508 also used a data exfiltration method that is unusual for Chinese threat actors, relying on the content compliance rules available in enterprise productivity platforms. After obtaining administrator privileges, the attackers created a rule named “Patroit” that searched organizational data for keywords related to medical research, advanced technology, military topics, and geopolitical policy. Matching content was automatically forwarded via blind carbon copy (BCC) to a Gmail account controlled by the attackers.

The group used operational security practices that involved US-based residential proxies, compromised routers, virtual private servers (VPS), credential replay techniques, and dedicated infrastructure for data theft.

Google recommends that organizations upgrade REDCap to the latest version, remove legacy deployments, enable multi-factor authentication (MFA) on privileged accounts, and implement Device Bound Session Credentials (DBSC) to reduce the risk of session hijacking.

In an unrelated case, the FBI, together with Google and Black Lotus Labs, has dismantled Outsider Enterprise, a large-scale Chinese phishing-as-a-service operation that used AI-powered phishing kits and thousands of fake websites to steal credit card information and passwords. Active since at least 2023, the group impersonated trusted brands through text message campaigns delivered via AT&T, T-Mobile, and Verizon networks.

The operation was linked to over 9,000 phishing websites and more than one million fraudulent URLs, with estimated losses of $1.9 billion and over 3.8 million stolen credit card records. Authorities seized key infrastructure, including administration servers, payment wallets containing about $100,000 in USDT, and phishing-related online services. In addition, Google has filed a civil lawsuit and is working with telecom providers to block phishing messages before they reach users.