Google Tracks Chinese State-Backed APT UNC6508 Targeting Medical, Military, and AI Research in North America
Google's Threat Intelligence Group reveals Chinese-linked APT UNC6508 has been running a broad cyberespionage campaign since early 2025, targeting medical, military, and AI research organizations across North America.

Google's Threat Intelligence Group (GTIG) has published a detailed analysis of a cyberespionage campaign linked to the Chinese government, attributed to a threat actor tracked as UNC6508. The group has been active since at least 2023 but was first highlighted by Google in a February report, and the newly disclosed campaign specifically targets high-value research sectors in North America.
UNC6508's primary targets include major medical, academic, and military research organizations. "These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies," Google's researchers explained. The hackers are focused on stealing intellectual property and credentials, with a particular emphasis on REDCap, a web platform widely used to manage clinical research databases and surveys in the medical field.
Google noted that the method by which attackers gained access to REDCap servers remains unclear, but evidence suggests they may be exploiting vulnerable legacy versions of the platform. In one investigated intrusion, the attackers deployed a custom malware payload called InfiniteRed three months after initial compromise. InfiniteRed is a sophisticated tool that provides dropper, upgrade interception, credential harvesting, backdoor, and command-and-control (C&C) capabilities, and was found on systems across the US and Canada.
The campaign's intelligence objectives extend far beyond medical research. Google's analysis revealed that the attackers abused a legitimate Google Workspace mail feature, content compliance rules, to exfiltrate emails related to specific topics. The keyword lists in those rules indicated targeting of entities in national security, AI, drones, offensive cyber research, defense technology, naval assets, diplomatic and government bodies, and military command units. The hackers used obfuscation networks, bulk-sourced accounts, legitimate credentials, and operation-specific infrastructure to evade detection.
Google stated it has disrupted the threat actor's infrastructure and notified identified victims. The company has also released technical details and indicators of compromise (IoCs) to help defenders detect and counter UNC6508's operations. The campaign underscores the persistent and expanding efforts of Chinese state-sponsored groups to steal sensitive research and intellectual property from North American institutions vital to national security.
This latest disclosure follows a series of warnings about Chinese cyber activities, including a joint Five Eyes advisory warning of Chinese intelligence operatives posing as recruiters to target government and military staff, and the ongoing JDY botnet campaign targeting U.S. military networks. UNC6508's focus on REDCap and its use of custom, delayed-deployment malware highlight a calculated, patient approach to espionage, aiming to establish prolonged access to the highest-value data.
New reporting from BleepingComputer provides granular details on one specific victim: a North American medical institution whose REDCap servers were compromised by UNC6508 using the custom 'InfiniteRed' malware. The attackers remained undetected for more than two years, from September 2023 to November 2025, and exfiltrated sensitive medical research data via a novel technique: abusing the legitimate 'content compliance rules' feature of the victim's Google Workspace tenant to automatically BCC matching email to an attacker-controlled Gmail address. Google has since disabled the exfiltration account and shared YARA rules and IoCs to help defenders detect InfiniteRed infections.
The Register's report adds that the earliest known intrusion dates back to September 2023, when UNC6508 compromised a REDCap server at a North American medical research institution. The attackers deployed custom malware named InfiniteRed to capture credentials, then created a Google Workspace content compliance rule misspelled as "Patroit" to silently BCC-forward emails matching keywords, including terms relating to drone technology and Chikungunya virus data, to an attacker-controlled Gmail account. Google confirmed it disabled the exfiltration account and notified victims, but suspects additional compromises remain undetected.
Mandiant's detailed technical report, published June 15, 2026, reveals the campaign has been active since September 2023 — far earlier than initially thought — and provides the full attack chain: UNC6508 exploited unpatched REDCap servers, deployed custom INFINITERED malware to capture credentials, and then manipulated Google Workspace content compliance rules to silently BCC-forward sensitive emails to attacker-controlled accounts. The report, produced by Google's Threat Intelligence Group in collaboration with Mandiant Consulting and the FLARE team, also includes specific YARA rules and indicators of compromise for detecting INFINITERED on REDCap servers.
Dark Reading's report adds that the campaign began as early as September 2023, not early 2025 as previously thought, and relied on the custom InfiniteRed malware to steal REDCap credentials from a single US medical university with military ties. The attackers used a novel data-exfiltration technique that manipulates the domain's Google Workspace content compliance rules to forward emails matching strategic keywords to a threat actor-controlled account, bypassing traditional endpoint and network security controls. Google and Mandiant have since disrupted the malicious infrastructure and notified affected organizations.
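The exfiltration path described in the reports above (a Workspace content compliance rule that BCCs keyword-matched mail to an outside address) is an administrative change, so it leaves a trace in the Workspace admin audit log rather than on the REDCap host. The hunt script below is an added example for this page, not code from Google, Mandiant, REDCap or any of the cited outlets. It runs offline over constructed audit events shaped like Admin SDK Reports API 'admin' activities; the event and parameter names (CHANGE_GMAIL_SETTING, SETTING_NAME, NEW_VALUE), the trusted-domain list, the actors and every address in the sample are assumptions or invented, and the rule name "Patroit" is copied from the reporting above into the constructed sample only.

```python
"""Hunt Google Workspace admin-audit events for mail compliance/routing rules
that add an external recipient (the BCC exfiltration pattern described above).

Added example; not Google, Mandiant or REDCap code. The event shape follows the
Admin SDK Reports API 'admin' application as an assumption: adjust the field
names below to match your own export.
"""
import re
from dataclasses import dataclass, field

# Domains the organisation controls; anything else counts as external. Assumed.
TRUSTED_DOMAINS = {"example-med.edu", "mail.example-med.edu"}

# Gmail admin settings whose rules can add recipients (BCC) to matching mail.
RECIPIENT_ADDING_SETTINGS = ("content compliance", "objectionable content", "routing")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Finding:
    time: str
    actor: str
    setting: str
    external_recipients: list = field(default_factory=list)
    detail: str = ""


def _params(event):
    """Flatten the Reports API parameters list into a name -> value dict."""
    return {p.get("name", ""): str(p.get("value", "")) for p in event.get("parameters", [])}


def external_addresses(text, trusted=TRUSTED_DOMAINS):
    """Return the e-mail addresses in text whose domain is not in trusted."""
    found = set()
    for addr in EMAIL_RE.findall(text):
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in trusted:
            found.add(addr.lower())
    return sorted(found)


def hunt(activities, trusted=TRUSTED_DOMAINS):
    """Flag Gmail setting changes that touch a recipient-adding rule and name an external address."""
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "<unknown>")
        when = act.get("id", {}).get("time", "<unknown>")
        for ev in act.get("events", []):
            if ev.get("name") != "CHANGE_GMAIL_SETTING":
                continue
            p = _params(ev)
            setting = p.get("SETTING_NAME", "")
            if not any(k in setting.lower() for k in RECIPIENT_ADDING_SETTINGS):
                continue
            ext = external_addresses(p.get("NEW_VALUE", ""), trusted)
            if ext:
                findings.append(Finding(when, actor, setting, ext, p.get("NEW_VALUE", "")))
    return findings


def _gmail_setting_event(time, actor, setting, new_value):
    """Build one constructed activity record (sample data, not real telemetry)."""
    return {
        "id": {"time": time, "applicationName": "admin"},
        "actor": {"email": actor},
        "events": [{
            "type": "EMAIL_SETTINGS",
            "name": "CHANGE_GMAIL_SETTING",
            "parameters": [
                {"name": "SETTING_NAME", "value": setting},
                {"name": "NEW_VALUE", "value": new_value},
            ],
        }],
    }


# Constructed sample: a benign internal archive rule, an attacker-style rule
# (name from the reporting above, address invented), and unrelated noise.
SAMPLE_EVENTS = [
    _gmail_setting_event("2023-08-02T14:03:11Z", "admin@example-med.edu",
        "Content compliance rule: IRB archive",
        "Match body contains 'IRB'; action: add recipient archive@mail.example-med.edu"),
    _gmail_setting_event("2023-09-19T03:41:57Z", "j.doe@example-med.edu",
        "Content compliance rule: Patroit",
        "Match subject/body contains any of [drone, UAV, Chikungunya]; "
        "action: add recipient (BCC) rule-owner-9f3a@gmail.com"),
    {"id": {"time": "2023-09-19T03:50:00Z", "applicationName": "admin"},
     "actor": {"email": "admin@example-med.edu"},
     "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_APPLICATION_SETTING",
                 "parameters": [{"name": "NEW_VALUE", "value": "helpdesk@gmail.com"}]}]},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.time} {f.actor} changed '{f.setting}' -> external BCC {f.external_recipients}")
```

The regex over the raw NEW_VALUE is deliberate: the exact serialisation of a compliance rule in the audit log is not something this page documents, and any rule that names an address outside the organisation's domains is worth a ticket regardless of how the value is formatted. In practice, add approved external journaling or archive addresses to the allowlist, and treat a hit where the actor is not a known Workspace administrator, or coincides with suspicious REDCap logins, as the higher-priority case.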