A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email.
The way in was a backdoor planted on the victims’ REDCap research servers, which harvested login credentials. The exfiltration was the unusual part: the attackers rewired the victims’ own Google Workspace rules to copy any message matching their keywords to an inbox they controlled.
Google’s Threat Intelligence Group (GTIG) laid out the campaign in a report published this week and attributes it with high confidence to a cluster it tracks as UNC6508.
The actor and its REDCap backdoor are not new names; Google first surfaced both in February, in a wider report on state-backed attacks against the defense sector. It did not name the victims, describing them only as multiple organizations across the US and Canada: clinical providers, academic centers, military health institutions, advocacy groups, and health regulators.
Google says it notified them and disrupted the group’s infrastructure.
How they got in
The entry point was REDCap (Research Electronic Data Capture), a web platform that hospitals and universities use to build and manage study databases. UNC6508 compromised externally facing REDCap servers.
Google has not pinned down the initial access vector, named a specific CVE, or listed the affected versions, though it saw the group probing older, vulnerable ones.
Around three months after getting in, the group deployed custom malware that GTIG calls INFINITERED, which trojanizes REDCap’s own system files and does three things.
- First, it hijacks the upgrade process so each new REDCap version reinjects the code instead of clearing it.
- Second, it harvests usernames and passwords from the login page and stores them, encrypted, in local database tables.
- Third, it acts as a backdoor, taking commands through HTTP cookies and running on every page load.
The earliest known compromise dates to September 2023, with activity continuing through November 2025. Once on the server, UNC6508 ran internal reconnaissance and credential discovery, pulling database and service account credentials, then used those logins to move into the internal network and on to a domain administrator account.
Google does not spell out the exact path to that admin account. With admin rights, the group set up the exfiltration.
How they stole the email
The exfiltration rode a feature that was already there. UNC6508 abused content compliance rules, a legitimate Google Workspace admin feature that scans mail for keywords and can copy or forward matching messages.
Similar features exist in other cloud mail suites. The group created a rule, its name misspelled “Patroit,” that watched for nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace silently BCC’d it to an attacker-controlled Gmail address, which Google has since disabled. No malware on the mail server, no separate…
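The defensive counterpart to this technique is a periodic audit of the tenant’s own compliance rules for the two properties the report describes: matching mail is copied to an address outside the organisation, and the keyword list is far larger than a normal DLP rule needs. The script below is an added example, not code from the GTIG report or from Google; the rule dict schema, the domain names and the recipient address are assumptions and constructed sample data.

```python
"""Audit content compliance rules for exfiltration-style configurations.

Added example. The rule shape (name, keywords, add_recipients, enabled) is an
assumed, simplified stand-in for an export of Gmail routing/compliance settings.
"""
from dataclasses import dataclass
from typing import Iterable

# The rule described in the report matched nearly 150 terms; genuine
# compliance rules rarely need more than a few dozen.
KEYWORD_COUNT_THRESHOLD = 50


@dataclass
class Finding:
    rule: str
    reason: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_compliance_rules(rules: Iterable[dict], org_domains: set[str]) -> list[Finding]:
    """Return one Finding per suspicious property of each enabled rule."""
    findings: list[Finding] = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        name = rule["name"]
        # Recipients quietly added to matching mail (BCC-style) outside the org.
        external = [a for a in rule.get("add_recipients", []) if _domain(a) not in org_domains]
        if external:
            findings.append(Finding(name, "copies matching mail to external recipient(s): " + ", ".join(external)))
        count = len(rule.get("keywords", []))
        if count >= KEYWORD_COUNT_THRESHOLD:
            findings.append(Finding(name, f"matches {count} keywords; broad lists suit collection, not compliance"))
    return findings


# Constructed sample: one ordinary DLP rule and one shaped like the reported abuse.
SAMPLE_RULES = [
    {"name": "PHI quarantine", "keywords": ["SSN", "MRN"],
     "add_recipients": ["compliance@example.edu"], "enabled": True},
    {"name": "Patroit", "keywords": [f"term{i}" for i in range(148)],
     "add_recipients": ["attacker-placeholder@gmail.com"], "enabled": True},  # placeholder address
]

if __name__ == "__main__":
    for f in audit_compliance_rules(SAMPLE_RULES, {"example.edu"}):
        print(f"[{f.rule}] {f.reason}")
```

Run against a real export, the same two checks also surface the rule’s creation as a change worth correlating with the admin audit log, since the report notes the rule was created with a compromised domain administrator account.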