Breach brief | 2026-06-15

North American Research Institutions: UNC6508 REDCap Espionage

A China-linked cyber espionage group tracked as UNC6508 breached multiple North American medical research institutions by compromising their REDCap survey and database servers, according to Google's Threat Intelligence Group (GTIG). The operation began in September 2023 and continued through at least November 2025, leaving the actor undetected inside victim environments for more than a year while it harvested credentials, monitored email, and exfiltrated sensitive medical research data.

What Happened

GTIG attributed the campaign to UNC6508, a threat actor linked to the People's Republic of China. The group targeted REDCap, a web-based platform widely used across the North American medical research community to build and manage online databases and surveys in compliance with regulations governing medical and scientific research.

After establishing a foothold on victim REDCap servers, UNC6508 conducted internal reconnaissance and credential discovery to obtain database and service account credentials. The actor deployed a web shell named "help.php" that maintained persistence and doubled as a file uploader inside the REDCap application.

Three months after the initial compromise, UNC6508 deployed a custom malware payload that GTIG tracks as INFINITERED. The malware was built from three modular components that operated by trojanizing legitimate REDCap system files: a dropper that intercepts REDCap software upgrades, a credential harvester that captures usernames and passwords entered into the application, and a backdoor providing command-and-control functionality.

What Was Taken

The campaign was engineered for long-term collection of sensitive information. The credential harvester captured usernames and passwords submitted through REDCap login pages and stored them in the REDCap sessions table for later retrieval by the attacker.

The backdoor gave UNC6508 broad access to victim data. It received commands through HTTP cookies and allowed the actor to execute shell commands, upload and download files, run arbitrary SQL queries, retrieve stolen credentials, delete harvested credential records, and collect system and database information. More than a year after the initial compromise, UNC6508 used harvested credentials to expand its access and monitor email for sensitive information, consistent with an espionage mission focused on medical and scientific research data.

Why It Matters

This campaign demonstrates a patient, deeply embedded espionage operation against the research sector rather than a smash-and-grab data theft. By trojanizing legitimate REDCap files and hooking the platform's own upgrade mechanism, UNC6508 ensured that its code would be carried forward into each new version, so the reflexive remediation of "just upgrade to the latest release" would not remove it.

Medical and scientific research institutions hold high-value intellectual property, clinical study data, and personally sensitive health information, making them attractive targets for state-aligned actors. The fact that the group remained undetected for over a year shows how research-focused organizations, which often run specialized legacy web applications, can present durable blind spots for security teams.

The Attack Technique

Google said it was unable to determine how UNC6508 initially gained access to the REDCap servers, though the group was observed probing vulnerable legacy versions of the platform on several target systems, suggesting exploitation of outdated, unpatched deployments.

Once inside, the actor's tradecraft centered on blending into the application. The upgrade interception component monitored for REDCap upgrades and injected malicious code into future versions of the software, guaranteeing persistence across patch cycles. The credential harvester quietly captured logins at the application layer and stashed them in a legitimate database table, while the cookie-driven backdoor allowed operators to interact with the compromised server using traffic that resembled normal web requests.

What Organizations Should Do

  1. Inventory all REDCap deployments and immediately upgrade any legacy or unpatched versions to the latest supported release, treating internet-facing research applications as high-priority assets.
  2. Hunt for indicators of compromise, including the "help.php" web shell, unexpected modifications to legitimate REDCap system files, and anomalous entries in the REDCap sessions table that may indicate harvested credentials.
  3. Verify the integrity of REDCap files after every upgrade, since INFINITERED was designed to reinject itself into new versions; compare installed files against known-good vendor hashes computed from an offline copy of the release, not from a server that may already be compromised, and treat any PHP file not present in the vendor package as suspect.
  4. Rotate all database, service account, and user credentials associated with REDCap servers, and enforce multi-factor authentication on administrative and email accounts to limit lateral movement.
  5. Monitor for backdoor activity such as unusual HTTP cookie patterns, unexpected SQL queries, and outbound connections from research database servers.
  6. Audit email access and review for unauthorized monitoring or forwarding rules, given that UNC6508 leveraged stolen credentials to surveil email more than a year into the intrusion.
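Steps 2, 3 and 5 above reduce to two checks a responder can script: diff the installed REDCap tree against a manifest hashed from a clean vendor copy (flagging modified, unknown and missing files), and scan the sessions table for rows that do not look like PHP session data. The following is an added example written for this brief, not code from GTIG, REDCap or the Help Net Security article. The file contents, directory layout, manifest and session rows are constructed; the session-row heuristic assumes PHP's default `key|type:value;` serializer, since the actual format INFINITERED used to stash credentials is not described in the source.

```python
"""Hunt helpers for a REDCap install: file-integrity diff against a known-good
manifest, plus a heuristic scan of a sessions-table export.
Added example; all paths, file bodies and session rows below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

TRACKED_SUFFIXES = {".php", ".js"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large vendor bundles never load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every tracked file under a tree into {relative_posix_path: sha256}.
    Run this against a fresh vendor download unpacked offline, never the live host."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix in TRACKED_SUFFIXES}


def diff_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare an installed tree to the manifest. 'unknown' catches dropped web
    shells such as help.php; 'modified' catches trojanized system files."""
    installed = build_manifest(root)
    return {
        "modified": sorted(r for r, h in installed.items()
                           if r in manifest and manifest[r] != h),
        "unknown": sorted(r for r in installed if r not in manifest),
        "missing": sorted(r for r in manifest if r not in installed),
    }


# PHP's default session serializer writes "key|<type>:...;" pairs, for example
# username|s:5:"alice";  A session_data value that does not start that way is
# worth a look. Heuristic assumption: the source does not say how INFINITERED
# formatted the credentials it stored in this table.
PHP_SESSION_PREFIX = re.compile(r"^[A-Za-z_]\w*\|(?:[sibdaO]:|N;)")


def suspicious_session_rows(rows) -> list:
    """rows: iterable of {'session_id': ..., 'session_data': ...} dicts."""
    return [r["session_id"] for r in rows
            if not PHP_SESSION_PREFIX.match(r["session_data"])]


def demo() -> dict:
    """Constructed scenario: hash a clean tree, then check a live copy in which
    one upgrade-related file was altered and an extra help.php was dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        files = {                                   # constructed placeholder files
            "redcap_connect.php": "<?php // db connector\n",
            "Classes/Upgrade.php": "<?php class Upgrade { }\n",
            "Resources/js/base.js": "console.log('base');\n",
        }
        for base in (clean, live):
            for rel, body in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(body)
        manifest = build_manifest(clean)
        # Tamper with the live tree the way the brief describes.
        (live / "Classes/Upgrade.php").write_text(
            files["Classes/Upgrade.php"] + "// injected line\n")
        (live / "help.php").write_text("<?php // placeholder for dropped web shell\n")
        report = diff_against_manifest(live, manifest)
    rows = [                                        # constructed sessions-table export
        {"session_id": "k9s1", "session_data": 'username|s:5:"alice";'},
        {"session_id": "x7q2", "session_data": "alice:Winter2025!"},  # not session data
        {"session_id": "m3p4", "session_data": 'username|s:3:"bob";'},
    ]
    report["suspicious_sessions"] = suspicious_session_rows(rows)
    return report


if __name__ == "__main__":
    for key, hits in demo().items():
        print(f"{key}: {hits}")
```

In production, point `build_manifest` at the unpacked vendor archive on an analyst workstation and `diff_against_manifest` at a copy of the server's web root, and feed `suspicious_session_rows` a `SELECT session_id, session_data FROM redcap_sessions` export; anything flagged in `unknown` or `suspicious_sessions` should be preserved as evidence before the host is rebuilt.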

Sources: Chinese hackers breached North American research institutions via REDCap servers - Help Net Security