China-Linked Group UNC6508 Leveraged REDCap Backdoor and Google Workspace Rules for Year-Long Espionage
A sophisticated China-linked espionage group, tracked as **UNC6508**, infiltrated North American medical, academic, and military research networks for over a year. The group exploited vulnerabilities in **REDCap** research servers to steal credentials and then ingeniously reconfigured **Google Workspace** rules to exfiltrate sensitive emails containing defense and research data.
A new report from **Google's Threat Intelligence Group (GTIG)** details a persistent espionage campaign attributed to **UNC6508**, a state-backed actor operating with high confidence from China. The group maintained a hidden presence within critical North American research institutions, systematically pilfering sensitive information.
**UNC6508**'s targets included clinical providers, academic centers, military health institutions, advocacy groups, and health regulators across the US and Canada. **Google** has since notified affected organizations and disrupted the group's infrastructure.

## Initial Access via REDCap Servers
The primary entry point for **UNC6508** was **REDCap** (Research Electronic Data Capture) servers. **REDCap** is a web platform widely used by hospitals and universities to build and manage study databases. The attackers compromised externally facing **REDCap** instances, though **Google** has not publicly identified the specific initial access vector or **CVE**, beyond observing the group probing older, vulnerable versions.
Approximately three months after initial compromise, **UNC6508** deployed custom malware dubbed **INFINITERED**. This sophisticated malware trojanizes **REDCap**'s own system files to achieve three key objectives:
* **Persistence:** It hijacks the upgrade process, ensuring that new **REDCap** versions reinject the malicious code rather than removing it.
* **Credential Harvesting:** It actively collects usernames and passwords from the login page, storing them encrypted in local database tables.
* **Backdoor Functionality:** It operates as a backdoor, accepting commands via HTTP cookies and executing on every page load.

The earliest known compromise dates back to September 2023, with activity continuing until November 2025. Once inside, **UNC6508** conducted internal reconnaissance and credential discovery, escalating privileges to obtain domain administrator access.
## Covert Email Exfiltration via Google Workspace Rules
The most innovative aspect of this campaign was the email exfiltration method. Instead of deploying additional malware on mail servers or using custom tools, **UNC6508** leveraged a legitimate **Google Workspace** feature: content compliance rules. These rules, designed for administrative purposes like data loss prevention, allow administrators to scan emails for keywords and copy or forward matching messages.

With domain administrator access, the group created a rule (notably misspelled as "Patroit") that monitored for nearly 150 keywords, search terms, and email addresses. When an email matched these criteria, **Workspace** silently BCC'd a copy to an attacker-controlled **Gmail** address, which **Google** has since disabled. This method allowed for discreet exfiltration without triggering unusual network traffic or requiring additional malware, effectively turning a built-in feature into a covert data siphon.
While **MITRE** already documents email-forwarding-rule abuse (**T1114.003**) as a known technique, **GTIG** highlights the use of domain content compliance rules for this purpose as a novel tactic for a China-linked actor.
The keywords used in the rule revealed **UNC6508**'s collection priorities, including geo-strategic policy, military strategy and equipment, advanced technologies like AI and uncrewed vehicles, offensive cyber programs, and medical research. A particularly specific term, **chikungunya**, pointed to a 2025 outbreak of the mosquito-borne virus in China's Guangdong province, indicating targeted intelligence gathering.
## Recommendations for Defense
Organizations should take immediate action to mitigate similar threats:
* **REDCap Security:** Ensure all externally facing **REDCap** servers are fully patched. Crucially, remove older, vulnerable versions entirely, rather than allowing them to run alongside current builds, which can enable downgrade attacks.
* **Mail System Audits:** Regularly review **Google Workspace** (or equivalent cloud mail suite) content compliance and mail-forwarding rules. Scrutinize any rules that BCC or reroute emails to external addresses. Examine administrator audit logs for changes to these rules, not just their current configuration.
* **Threat Hunting:** Utilize **GTIG**'s published indicators of compromise to hunt for traces of **INFINITERED** within your network.
* **MFA for Administrators:** Implement phishing-resistant Multi-Factor Authentication (MFA) for all administrator accounts. The entire email exfiltration phase hinged on the attackers gaining administrator access.
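The mail-rule audit above can be scripted. The following is an added example, not code from GTIG or Google: it flags content compliance rules whose BCC recipients fall outside the organisation's own domains and pulls the creation and modification history of each flagged rule from an admin audit trail. The rule export and audit lines are constructed samples in a simplified schema of my own, not the real Workspace export or Admin SDK format.

```python
import json
import re

# Constructed sample export of content compliance rules in a simplified
# schema of my own; real Workspace exports and the Admin SDK differ.
RULES_EXPORT = json.dumps([
    {"name": "Legal hold", "action": "quarantine", "bcc": [],
     "keywords": ["subpoena"]},
    {"name": "Patroit", "action": "modify", "bcc": ["collector@gmail.com"],
     "keywords": ["chikungunya", "uncrewed vehicle", "military strategy"]},
    {"name": "Archive", "action": "modify", "bcc": ["archive@example.edu"],
     "keywords": ["invoice"]},
])

# Constructed admin audit trail (simplified line format), oldest first.
AUDIT_EVENTS = """\
2025-03-02T04:11:09Z actor=it-admin@example.edu event=CREATE_RULE rule="Legal hold"
2025-06-14T02:03:51Z actor=jdoe-admin@example.edu event=CREATE_RULE rule="Patroit"
2025-06-14T02:05:12Z actor=jdoe-admin@example.edu event=MODIFY_RULE rule="Patroit"
"""

AUDIT_LINE = re.compile(r'^(\S+) actor=(\S+) event=(\S+) rule="([^"]*)"$')

def external_recipients(addresses, internal_domains):
    """Return the addresses whose domain is not one the organisation owns."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in internal_domains]

def flag_rules(rules_json, internal_domains):
    """Flag rules that BCC or reroute mail to addresses outside the org."""
    findings = []
    for rule in json.loads(rules_json):
        ext = external_recipients(rule.get("bcc", []), internal_domains)
        if ext:
            findings.append({"rule": rule["name"], "external_bcc": ext,
                             "keyword_count": len(rule.get("keywords", []))})
    return findings

def rule_history(audit_text, rule_name):
    """Who created or changed a rule, and when. The audit trail still shows
    the change after a rule has been deleted from the current config."""
    history = []
    for line in audit_text.splitlines():
        m = AUDIT_LINE.match(line)
        if m and m.group(4) == rule_name:
            history.append({"time": m.group(1), "actor": m.group(2),
                            "event": m.group(3)})
    return history
```

Review every flagged rule's history against a change ticket; a rule created and modified within minutes by an account that does not normally administer mail is the pattern to chase.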
This campaign underscores the evolving tactics of state-sponsored actors, who are increasingly leveraging legitimate cloud features for covert operations. Defenders must focus not only on traditional backdoors but also on auditing built-in system functionalities that can be weaponized with administrative privileges.