Chinese Hackers Exploit Google Workspace Policies to Steal Research and Defense Emails


Key Takeaways

  • A China‑linked espionage cluster (UNC6508) compromised externally facing REDCap research servers and planted a backdoor (INFINITERED) to harvest credentials and move laterally into victim networks.
  • After gaining domain‑admin rights, the attackers abused a legitimate Google Workspace Content Compliance rule to silently BCC‑copy emails matching ~150 keywords to an attacker‑controlled Gmail address.
  • The exfiltration relied on a built‑in cloud feature, requiring no additional malware or unusual network traffic, making detection difficult.
  • Indicators of compromise include unexpected Content Compliance or mail‑forwarding rules, admin‑level credential access, and the presence of the INFINITERED trojan in REDCap installations.
  • Defenders should patch externally facing REDCap servers, retire old versions, audit Workspace mail rules and audit logs, enforce phishing‑resistant MFA on admin accounts, and hunt for GTIC‑published indicators.

Background and Attribution
Google’s Threat Intelligence Group (GTIG) disclosed a prolonged espionage campaign that infiltrated medical, academic, and military research networks across the United States and Canada for more than a year. The activity, tracked with high confidence to a China‑linked group designated UNC6508, began as early as September 2023 and persisted through November 2025. While the victims were not named, GTIG described them as clinical providers, academic centers, military health institutions, advocacy groups, and health regulators. Google notified the affected organizations and disrupted the attacker’s infrastructure after uncovering the operation.


Initial Compromise via REDCap
The attackers’ entry point was REDCap (Research Electronic Data Capture), a widely used web platform for building and managing study databases in hospitals and universities. UNC6508 compromised externally facing REDCap servers, although GTIG did not specify the exact initial‑access vector, a specific CVE, or the vulnerable versions involved. Observations indicated the group probed older, susceptible REDCap installations, suggesting they exploited known weaknesses in outdated deployments.


Deployment of the INFINITERED Trojan
Approximately three months after gaining a foothold, the threat actors installed custom malware, dubbed INFINITERED by GTIG. This trojan hijacks REDCap’s own upgrade process so that each new version reinjects the malicious code instead of removing it. INFINITERED also harvests usernames and passwords from the login page, storing them encrypted in local database tables, and functions as a persistent backdoor that accepts commands via HTTP cookies and executes them on every page load. By trojanizing the upgrade mechanism, the attackers ensured their presence survived routine software updates.


Lateral Movement and Privilege Escalation
Once INFINITERED was active, UNC6508 conducted internal reconnaissance, extracting database and service‑account credentials. Using these harvested credentials, the group moved laterally within the victim’s internal network and eventually attained a domain‑administrator account. GTIG did not detail the precise steps taken to reach admin rights, but the possession of such privileges was critical for the subsequent exfiltration phase. With admin access, the attackers could manipulate cloud‑service configurations that ordinary users could not alter.


Abusing Google Workspace Content Compliance for Exfiltration
Rather than deploying separate exfiltration malware, the attackers leveraged a legitimate Google Workspace feature: Content Compliance rules. These rules allow administrators to scan incoming or outgoing mail for specific keywords and automatically copy, forward, or BCC matching messages. UNC6508 created a rule—deliberately misspelled as “Patroit”—that watched for nearly 150 keywords, search terms, and email addresses tied to geo‑strategic policy, military strategy, advanced technology (including AI and uncrewed vehicles), offensive cyber programs, and medical research. Notably, one keyword was “chikungunya,” referencing a 2025 outbreak in China’s Guangdong province.

When an email matched any of these criteria, Google Workspace silently BCC’d the message to an attacker‑controlled Gmail address. The rule required no additional malware on the mail server, generated no unusual network traffic, and relied entirely on a built‑in admin function, making the exfiltration blend with normal administrative activity. Google has since disabled the malicious Gmail account.


Novelty and Relation to Known Techniques
While email‑forwarding‑rule abuse is documented in the MITRE ATT&CK framework (e.g., T1114.003), GTIG highlighted that using domain‑level Content Compliance rules for covert exfiltration had not previously been observed from a China‑linked actor. This method expands the attacker’s toolkit beyond traditional mail‑forwarding abuse, demonstrating an evolution in how threat actors exploit legitimate cloud‑service features for stealthy data theft.


Detection and Mitigation Recommendations
Defenders should begin with the REDCap vector: patch all externally facing REDCap servers immediately and retire older versions entirely, as REDCap permits legacy releases to run side‑by‑side, enabling downgrade attacks that reinstate known vulnerabilities.

On the mail side, administrators must audit Google Workspace (or equivalent) Content Compliance and mail‑forwarding rules for any entries that BCC or redirect messages to external addresses. Reviewing admin audit logs to pinpoint when such rules were created or altered is essential, as attackers may have left benign‑looking rules in place.

Organizations should also hunt for the INFINITERED trojan using GTIG’s published indicators of compromise, looking for unexpected modifications to REDCap system files or anomalous cookie‑based command execution. Finally, enforce phishing‑resistant multi‑factor authentication (MFA) on all administrator accounts, since the entire email‑theft chain depended on achieving domain‑admin privileges.
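The mail‑rule audit described above, as an added example that is not part of the original article or any GTIG tooling: it scores exported Content Compliance and routing rules for external BCC/redirect recipients and overly broad keyword lists, then ties each hit to the admin‑audit events that created or changed it. The tenant domains, rule records and audit events are constructed sample data; the record field names are this example’s own (map your real export onto them), and the audit event name follows the Admin SDK admin‑audit vocabulary as assumed here.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.org", "mail.example.org"}  # constructed sample tenant

@dataclass
class MailRule:
    name: str
    enabled: bool
    keywords: list[str]                          # match terms the rule scans for
    bcc: list[str] = field(default_factory=list)       # "also deliver to" targets
    redirect: list[str] = field(default_factory=list)  # change-route / forward targets

def external_recipients(rule: MailRule) -> list[str]:
    """Recipients whose domain is not one of the tenant's own domains."""
    return [a for a in rule.bcc + rule.redirect
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def assess_rule(rule: MailRule, keyword_threshold: int = 25) -> list[str]:
    """Findings for one rule; an empty list means nothing suspicious was seen."""
    findings = []
    ext = external_recipients(rule)
    if ext:
        findings.append("external recipient(s): " + ", ".join(ext))
    if len(rule.keywords) >= keyword_threshold:
        findings.append(f"broad keyword list ({len(rule.keywords)} terms)")
    if ext and not rule.enabled:
        findings.append("disabled but staged: could be re-enabled later")
    return findings

def rule_history(audit: list[dict], rule_name: str) -> list[dict]:
    """Admin-audit events that touched this rule, oldest first."""
    return sorted((e for e in audit if e["setting"] == rule_name), key=lambda e: e["time"])

def hunt(rules: list[MailRule], audit: list[dict]) -> dict:
    """Map each suspicious rule name to its findings and its change history."""
    report = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report[rule.name] = {"findings": findings, "history": rule_history(audit, rule.name)}
    return report

# Constructed sample data: one benign DLP rule and one modelled on the "Patroit" rule.
RULES = [
    MailRule("Block SSN leak", True, ["social security number"], redirect=["dlp@example.org"]),
    MailRule("Patroit", True, [f"keyword{i}" for i in range(150)], bcc=["collector@gmail.com"]),
]
AUDIT = [  # constructed events; real exports carry more fields
    {"time": "2025-03-02T04:11:09Z", "actor": "it-admin@example.org", "event": "CREATE_GMAIL_SETTING", "setting": "Patroit"},
    {"time": "2024-11-20T16:03:00Z", "actor": "sec-ops@example.org", "event": "CREATE_GMAIL_SETTING", "setting": "Block SSN leak"},
]

if __name__ == "__main__":
    for name, detail in hunt(RULES, AUDIT).items():
        print(name, detail["findings"], detail["history"])
```

A hit with an external recipient is the signal to pull the creating admin’s session history, since the rule itself is indistinguishable from routine administration once it exists.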


Conclusion
The UNC6508 campaign illustrates how a seemingly innocuous misconfiguration—here, a legitimate cloud‑mail rule—can become a powerful exfiltration channel once attackers achieve administrative access. By chaining a REDCap backdoor with credential harvesting and abuse of Workspace’s native compliance features, the group maintained a low‑profile, long‑term presence while siphoning sensitive research and defense communications. Vigilant patching, rigorous mail‑rule auditing, thorough credential protection, and proactive hunting for known indicators are crucial steps to defend against similar future incursions.
