Google Uncovers Chinese State-Sponsored UNC6508 Group Lurking in Networks Since 2023
Google Threat Intelligence Group has discovered UNC6508, a previously unknown Chinese state-sponsored espionage group that has been stealing data from US and Canadian government, medical, and military organizations since September 2023.

Google Threat Intelligence Group (GTIG) has uncovered a previously unknown Chinese state-sponsored espionage group, tracked as UNC6508, that has been operating undetected within targeted networks since September 2023. The group targeted organizations in the United States and Canada, including government agencies, academic medical centers, military health institutions, and cybersecurity firms, deploying a custom backdoor called INFINITERED to steal administrative credentials and exfiltrate sensitive data.
The earliest known compromise dates back to September 2023, when UNC6508 breached a medical research university. The attackers stole credentials, communications, and research data, remaining active on the institution's systems until November 2025, when GTIG discovered the intrusion. Google confirmed that multiple victims were compromised with INFINITERED, a backdoor deployed after exploiting externally facing REDCap (Research Electronic Data Capture) servers; REDCap is survey and database software widely used in the medical research community.
Researchers have not yet determined how UNC6508 gained initial access to the REDCap servers. However, REDCap, originally developed at Vanderbilt University, received multiple patches for critical remote-code execution vulnerabilities throughout 2023, suggesting the group may have exploited unpatched instances. The threat group also abused domain-level Google Workspace content compliance rules to steal email, a technique that relies on neither malware nor living-off-the-land tools, and routed traffic through U.S.-based IP addresses to blend in with legitimate network activity.
"Given the breadth of the threat actor's intelligence collection criteria and their ability to remain undetected within compromised networks for more than a year, we assess the known victims likely represent only a fraction of a larger campaign," said Patrick Whitsell, senior security engineer at GTIG. "We also assess that this highly capable threat actor will remain active and continue to be a threat to the defense, technology and medical industries for the foreseeable future."
UNC6508 does not currently overlap with any other publicly known Chinese threat groups, according to Google. The group demonstrated advanced capabilities, including the use of custom malware and sophisticated evasion techniques. Google noted that the campaign targeted clinical providers, academic medical centers, and U.S. military health institutions, indicating a broad intelligence collection mandate.
Google took action to disrupt some of UNC6508's known infrastructure by disabling a Gmail account used for data exfiltration. The company also notified affected organizations and assisted with remediation efforts before publishing its research. Whitsell noted that several unconfirmed instances of compromise remain under investigation.
The discovery of UNC6508 mirrors an alarming pattern of Chinese state-sponsored espionage groups operating in stealth for years before detection. These groups, working at the behest of China's government, have been observed dropping backdoors into critical infrastructure to pre-position for potential sabotage, intercept research, and steal data with national security implications. The revelation underscores the persistent and evolving threat posed by Chinese cyber espionage operations targeting Western institutions.
Google's Threat Intelligence Group (GTIG) published a detailed report this week revealing that UNC6508 compromised REDCap research servers at North American medical, academic, and military institutions, then abused Google Workspace content compliance rules to automatically BCC sensitive emails—including those related to AI, military strategy, and even chikungunya research—to an attacker-controlled Gmail address. The campaign, active from September 2023 through November 2025, leveraged a custom backdoor called INFINITERED that persists across REDCap upgrades and harvests credentials from login pages. GTIG notes this is the first observed use of domain-level content compliance rules for email exfiltration by a China-linked actor, and advises defenders to audit Workspace mail rules and remove outdated REDCap versions to prevent downgrade attacks.
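As an added defensive example (not code from Google's report), the following check walks Admin console audit records for Gmail setting changes that add a recipient outside the organisation's own domains, which is the pattern behind the content compliance BCC abuse described above. The record shape follows the Admin SDK Reports API's CHANGE_GMAIL_SETTING events, but the sample records and the exact wording of NEW_VALUE are constructed assumptions.

```python
import json
import re

# Constructed sample of Admin SDK Reports API "admin" activity records. The
# event type/name follow the documented CHANGE_GMAIL_SETTING shape; the text a
# content compliance rule serialises into NEW_VALUE is an assumption here.
SAMPLE_ACTIVITIES = json.dumps({"items": [
  {"id": {"time": "2024-03-02T09:14:11.000Z"},
   "actor": {"email": "admin@example-med.edu"},
   "events": [{"type": "GMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
     "parameters": [
       {"name": "SETTING_NAME", "value": "Content compliance"},
       {"name": "ORG_UNIT_NAME", "value": "/Research"},
       {"name": "NEW_VALUE", "value":
        "Rule 'archive': if body matches (AI|strategy) then "
        "add more recipients: bcc exfil-placeholder@gmail.com"}]}]},
  {"id": {"time": "2024-03-03T10:00:00.000Z"},
   "actor": {"email": "admin@example-med.edu"},
   "events": [{"type": "GMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
     "parameters": [
       {"name": "SETTING_NAME", "value": "Routing"},
       {"name": "NEW_VALUE", "value":
        "add more recipients: bcc compliance-archive@example-med.edu"}]}]},
]})

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def find_external_recipient_rules(activities_json, org_domains):
    """Flag Gmail setting changes whose new value names an address outside
    the organisation's domains. Returns a list of finding dicts."""
    org_domains = {d.lower() for d in org_domains}
    findings = []
    for item in json.loads(activities_json).get("items", []):
        for ev in item.get("events", []):
            if ev.get("name") != "CHANGE_GMAIL_SETTING":
                continue
            params = {p["name"]: p.get("value", "") for p in ev.get("parameters", [])}
            new_value = params.get("NEW_VALUE", "")
            # Any recipient whose domain is not ours is worth a human look.
            external = sorted({a for a in EMAIL_RE.findall(new_value)
                               if a.rsplit("@", 1)[1].lower() not in org_domains})
            if external:
                findings.append({"time": item["id"]["time"],
                                 "actor": item["actor"]["email"],
                                 "setting": params.get("SETTING_NAME", "?"),
                                 "org_unit": params.get("ORG_UNIT_NAME", "/"),
                                 "external_recipients": external})
    return findings

if __name__ == "__main__":
    for finding in find_external_recipient_rules(SAMPLE_ACTIVITIES, ["example-med.edu"]):
        print(finding)
```

Run it against a real export by replacing SAMPLE_ACTIVITIES with the JSON returned by the Reports API activities.list call for the admin application.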