China-linked UNC6508 deploys InfiniteRed malware on exposed REDCap servers

A China-linked espionage operation compromised exposed REDCap servers at a North American medical institution, installing custom InfiniteRed malware and remaining undetected for over a year.

Google Threat Intelligence Group attributes activity to UNC6508. Investigators tied the intrusions to the threat actor known as UNC6508. The group first scanned for outdated, vulnerable REDCap releases before breaching the research organization in September 2023, with operations continuing until November 2025.

Three months after gaining initial access, the intruders installed InfiniteRed, a tool built exclusively for REDCap environments. The malware trojanizes legitimate system files to conceal its presence.

InfiniteRed includes persistence, credential theft, and backdoor modules. Its login harvester records usernames and passwords entered on REDCap authentication pages, then encrypts and saves them inside local database tables for later collection. The backdoor accepts instructions through HTTP cookies and supports running shell commands, uploading or downloading files, executing arbitrary SQL queries, fetching stored credentials, erasing those records, and reporting system and database details.

UNC6508 exfiltrates data through legitimate content compliance rules. After obtaining administrator privileges, the actors created a rule called “Patriot” inside cloud-based enterprise productivity suites. This rule searched for keywords tied to medical research, advanced technology, military subjects, and geo-strategic policy, automatically forwarding matches as blind carbon copies to the now-disabled address ‘BebitaBarefoot774@gmail.com.’ GTIG described the technique as novel among China-linked groups. The campaign maintained strong operational security by routing activity through US-based residential proxies, compromised routers, VPS servers, credential replay, and purpose-built exfiltration infrastructure.

Google warned compromised entities across the US and Canada. The firm notified multiple affected organizations whose work covers molecular discovery, clinical drug trials, state-level public health policy, and military readiness. The report supplies YARA rules and indicators of compromise for detecting InfiniteRed infections.