What happened
Google’s Threat Intelligence Group published an analysis of cyberespionage activity carried out by a threat group linked to the Chinese government.
The group is tracked as UNC6508 and is believed to have been active since at least 2023. Google researchers began tracking the group in early 2025, and the group was also mentioned in a Google report published in February.
The UNC6508 campaign observed by Google mainly targeted organizations in North America. The targets included major medical, academic, and military research organizations, including clinical providers, academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies.
The targeted research areas included molecular discovery, clinical drug trials, state-level public health policy, and military readiness.
Google said the attackers regularly target servers hosting REDCap, a web platform used to build and manage clinical research databases and surveys in the medical field. It is unclear how the attackers gained access to REDCap servers, but evidence suggests they may be targeting vulnerable legacy versions.
In one intrusion investigated by Google researchers, the attackers deployed a malware payload named InfiniteRed three months after the initial intrusion.
InfiniteRed is a custom malware payload with dropper, upgrade interception, credential harvesting, backdoor, and command-and-control capabilities. The malware was found on systems belonging to multiple organizations in the United States and Canada.
Google also found that the attackers abused a legitimate feature called content compliance rules to exfiltrate emails related to specific topics. The compliance rules showed that the attackers were targeting entities beyond the medical research community.
UNC6508 also appeared to be seeking intelligence related to national security, artificial intelligence, drones, cyber offensive research, defense technology, naval assets, diplomatic and government entities, and military command units.
The hackers used obfuscation networks, bulk-sourced accounts, legitimate credentials, and operation-specific infrastructure to hide their activity from defenders. Google said it disrupted the threat actor’s infrastructure and notified identified victims.
Who is affected
Medical, academic, and military research organizations in North America are directly affected by UNC6508’s activity.
The campaign targeted organizations involved in clinical care, academic research, military health, professional advocacy, and health regulation. Organizations that use REDCap servers to manage clinical research databases and surveys may be especially exposed to the campaign, particularly if they run vulnerable legacy versions.
Entities involved in national security, AI, drones, cyber offensive research, defense technology, naval assets, diplomacy, government activity, and military command may also be affected based on the topics the attackers appeared to target.
Why CISOs should care
This campaign shows how medical and research systems can become targets for state-linked cyberespionage. The attackers were not only targeting traditional government or defense organizations. They also targeted clinical providers, academic centers, health institutions, and research environments tied to medicine, public health policy, and military readiness.
For CISOs, the REDCap targeting is especially important. Research platforms can contain sensitive clinical, trial, survey, and institutional data, but may not always receive the same security attention as core enterprise systems. If legacy versions remain exposed, they may become a path into valuable research environments.
The use of legitimate features and credentials also matters. UNC6508 abused content compliance rules to exfiltrate selected emails and used legitimate credentials, bulk-sourced accounts, obfuscation networks, and operation-specific infrastructure to hide activity. That makes detection harder because the attackers can blend malicious activity into normal administrative or user behavior.
3 practical actions
- Review REDCap exposure and legacy versions: Google said UNC6508 regularly targets REDCap servers and may be targeting vulnerable legacy versions. CISOs should inventory REDCap deployments, confirm version status, restrict internet exposure where possible, and apply available updates or compensating controls.
- Monitor legitimate features for misuse: The attackers abused content compliance rules to exfiltrate emails related to specific topics. Security teams should monitor administrative rules, forwarding logic, compliance configurations, and other legitimate platform features that could be repurposed for selective data theft.
- Strengthen detection for credential-based espionage activity: UNC6508 used legitimate credentials, bulk-sourced accounts, obfuscation networks, and operation-specific infrastructure to hide from defenders. Organizations should monitor unusual login patterns, access from unfamiliar infrastructure, abnormal mailbox or research database access, and credential use inconsistent with normal behavior.
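The second and third actions above describe what to watch for but not how a team might check for it. The script below is an added example, not code from the article or from Google's report. It runs simple triage over a handful of constructed audit events and flags the three behaviours the actions describe: creation or modification of mail compliance, routing or forwarding rules (with extra weight when the change adds a delivery target, happens off-hours, or comes from an unfamiliar network); logins from networks outside an assumed baseline or from several networks per user; and research-database exports that dwarf the user's normal volume. The event field names, the `KNOWN_ASNS` baseline, the `REDCAP_EXPORT` action name and the sample events themselves are all assumptions for illustration, not any vendor's log schema.

```python
import re
from collections import defaultdict

# Constructed sample audit events (not real logs). The field names are an
# assumed generic JSON audit shape, not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:12:00Z", "kind": "admin", "actor": "it-admin@example.org",
     "src_asn": "AS64500", "action": "UPDATE_ROUTING_RULE",
     "detail": "add SPF enforcement for inbound mail"},
    {"ts": "2025-03-03T02:41:00Z", "kind": "admin", "actor": "it-admin@example.org",
     "src_asn": "AS64511", "action": "CREATE_CONTENT_COMPLIANCE_RULE",
     "detail": "if body matches 'clinical trial' then add recipient archive-box@external.example"},
    {"ts": "2025-03-03T08:05:00Z", "kind": "login", "actor": "researcher@example.org",
     "src_asn": "AS64500", "action": "LOGIN_SUCCESS", "detail": ""},
    {"ts": "2025-03-03T03:17:00Z", "kind": "login", "actor": "researcher@example.org",
     "src_asn": "AS64511", "action": "LOGIN_SUCCESS", "detail": ""},
    {"ts": "2025-03-03T03:20:00Z", "kind": "app", "actor": "researcher@example.org",
     "src_asn": "AS64511", "action": "REDCAP_EXPORT", "detail": "project 17, 42000 rows"},
    {"ts": "2025-03-03T10:00:00Z", "kind": "app", "actor": "researcher@example.org",
     "src_asn": "AS64500", "action": "REDCAP_EXPORT", "detail": "project 17, 120 rows"},
]

# Assumed organisational baseline: networks (ASNs) that normally carry staff traffic.
KNOWN_ASNS = {"AS64500"}
# Admin actions worth reviewing: anything touching compliance, forwarding,
# routing or delegation rules, which can be repurposed to copy mail elsewhere.
RULE_ACTION_RE = re.compile(r"(COMPLIANCE|FORWARD|ROUTING|DELEGAT)", re.I)
# Assumed action name for research-database exports.
DATA_ACTIONS = {"REDCAP_EXPORT"}


def is_off_hours(ts, start=7, end=20):
    """True when the UTC hour of an ISO-8601 timestamp falls outside start..end."""
    hour = int(ts[11:13])
    return not (start <= hour < end)


def flag_rule_changes(events):
    """Admin events that create or modify mail rules, with severity from context."""
    findings = []
    for e in events:
        if e["kind"] != "admin" or not RULE_ACTION_RE.search(e["action"]):
            continue
        reasons = ["mail rule changed"]
        if "add recipient" in e["detail"].lower() or "forward" in e["detail"].lower():
            reasons.append("rule adds a delivery target")
        if e["src_asn"] not in KNOWN_ASNS:
            reasons.append("unfamiliar source ASN")
        if is_off_hours(e["ts"]):
            reasons.append("off-hours change")
        findings.append({"actor": e["actor"], "action": e["action"], "reasons": reasons,
                         "severity": "high" if len(reasons) >= 3 else "medium"})
    return findings


def flag_logins(events):
    """Logins from outside the ASN baseline, and users spanning several ASNs."""
    findings = []
    asns_by_actor = defaultdict(set)
    for e in events:
        if e["kind"] != "login":
            continue
        asns_by_actor[e["actor"]].add(e["src_asn"])
        if e["src_asn"] not in KNOWN_ASNS:
            findings.append({"actor": e["actor"], "ts": e["ts"],
                             "reason": f"login from unfamiliar ASN {e['src_asn']}"})
    for actor, asns in asns_by_actor.items():
        if len(asns) > 1:
            findings.append({"actor": actor, "ts": None,
                             "reason": f"logins from {len(asns)} distinct ASNs"})
    return findings


def flag_data_access(events, row_ratio=10):
    """Exports far larger than the actor's other exports, or from an unfamiliar ASN."""
    rows_by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DATA_ACTIONS:
            m = re.search(r"(\d+) rows", e["detail"])
            rows_by_actor[e["actor"]].append((e, int(m.group(1)) if m else 0))
    findings = []
    for actor, items in rows_by_actor.items():
        for e, n in items:
            reasons = []
            # Compare against the median of this actor's *other* exports.
            others = sorted(m for f, m in items if f is not e)
            if others:
                baseline = others[len(others) // 2]
                if baseline and n >= row_ratio * baseline:
                    reasons.append(f"export of {n} rows is {n // baseline}x the actor's typical export")
            if e["src_asn"] not in KNOWN_ASNS:
                reasons.append("export from unfamiliar ASN")
            if reasons:
                findings.append({"actor": actor, "ts": e["ts"], "reasons": reasons})
    return findings


def triage(events=SAMPLE_EVENTS):
    """Run all three checks and group the findings by the action they support."""
    return {"rule_changes": flag_rule_changes(events),
            "logins": flag_logins(events),
            "data_access": flag_data_access(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On the sample data the routine SPF change is reported at medium severity (a rule changed, nothing else unusual), while the off-hours compliance rule that adds an external recipient from an unfamiliar network is reported as high; the researcher's night-time login from the same unfamiliar network and the 42,000-row export that follows it are each flagged separately, so an analyst sees the chain rather than isolated alerts. In a real deployment the baseline would come from weeks of history rather than a hard-coded set, and the thresholds would be tuned per role.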
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.