PRC UNC6508 ran year-plus espionage through internet-facing REDCap servers and a Google Workspace BCC rule
From CTI Daily Brief — 2026-06-16 · published 2026-06-16
Google's Threat Intelligence Group attributes a September 2023 – November 2025 espionage campaign to UNC6508, a PRC-nexus cluster that compromised North American academic, medical and military-health organisations by exploiting externally-facing REDCap (Research Electronic Data Capture) servers, then dropping a bespoke PHP implant tracked as INFINITERED (Google GTIG, 2026-06-15). INFINITERED trojanises REDCap's own upgrade mechanism to survive platform updates, harvests credentials from the REDCap login page, and exposes a cookie-gated backdoor for shell, file, SQL and credential operations (Help Net Security, 2026-06-15). The exfiltration tradecraft is the notable part: after pivoting to a Workspace admin account, the actor created a Google Workspace content-compliance rule named "Patroit" that silently BCC-forwarded any message matching ~150 research/defence keywords to an attacker-controlled Gmail address — abusing a legitimate administrative feature rather than dropping exfiltration malware (T1114.003 Email Forwarding Rule), which evades most DLP that watches for new tooling (SecurityWeek, 2026-06-15). Initial access mapped to T1190; web-shell persistence to T1505.003; admin credential reuse to T1078.
Why it matters to us: REDCap is deployed across Swiss and EU university hospitals, cantonal research bodies and clinical-trial coordinators, and the Workspace BCC-rule technique is tenant-agnostic. Hunt now: review Google Workspace admin audit logs for content-compliance/BCC rule creation by non-IT-admin accounts (especially rules with external Gmail recipients), and run file-integrity monitoring on the REDCap upgrade-staging directory and login handlers, since standard web-root scanning misses the upgrade-path implant.
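As an added example (not from the GTIG report or this brief), the Workspace hunt above expressed as detection logic over constructed admin-audit records: it flags content-compliance rules that add a BCC recipient when the rule author is outside an IT-admin allowlist or any recipient domain is external to the tenant. The record shape, field names, tenant domain and addresses are assumptions for the example, not the real Reports API schema.

```python
import json

ORG_DOMAIN = "example-hospital.test"              # constructed tenant domain
IT_ADMINS = {"itadmin@example-hospital.test"}     # constructed allowlist of expected rule authors

# Constructed admin-audit events in a simplified JSON-lines shape. The event and field
# names are assumptions for this example, not the Workspace Reports API schema.
SAMPLE_LOG = """
{"ts":"2025-03-02T09:14:00Z","actor":"itadmin@example-hospital.test","event":"CREATE_CONTENT_COMPLIANCE_RULE","rule":"Archive grant mail","action":"ADD_BCC","recipients":["archive@example-hospital.test"]}
{"ts":"2025-03-02T11:40:00Z","actor":"itadmin@example-hospital.test","event":"CREATE_USER","user":"new.fellow@example-hospital.test"}
{"ts":"2025-03-03T02:07:00Z","actor":"dr.lee@example-hospital.test","event":"CREATE_CONTENT_COMPLIANCE_RULE","rule":"Patroit","action":"ADD_BCC","recipients":["patroit.archive@gmail.com"]}
{"ts":"2025-03-04T15:22:00Z","actor":"itadmin@example-hospital.test","event":"CREATE_CONTENT_COMPLIANCE_RULE","rule":"Legal hold export","action":"ADD_BCC","recipients":["hold@ediscovery-vendor.test"]}
"""

RULE_EVENTS = {"CREATE_CONTENT_COMPLIANCE_RULE", "CHANGE_CONTENT_COMPLIANCE_RULE"}


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_suspicious_bcc_rules(log_text, org_domain=ORG_DOMAIN, it_admins=IT_ADMINS):
    """Return findings for content-compliance rules that BCC mail to an unexpected place
    or were authored by an account outside the IT-admin allowlist."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        # Only rule creations/changes that add a BCC recipient matter for this hunt
        if ev.get("event") not in RULE_EVENTS or ev.get("action") != "ADD_BCC":
            continue
        reasons = []
        if ev["actor"] not in it_admins:
            reasons.append("rule created by non-IT-admin account")
        external = [r for r in ev.get("recipients", []) if domain_of(r) != org_domain]
        if external:
            reasons.append("external BCC recipient(s): " + ", ".join(external))
        if reasons:
            findings.append({"ts": ev["ts"], "actor": ev["actor"],
                             "rule": ev["rule"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bcc_rules(SAMPLE_LOG):
        print(f["ts"], f["actor"], repr(f["rule"]), "->", "; ".join(f["reasons"]))
```

The internal archive rule is not flagged; the vendor export rule surfaces with one reason for triage, while the "Patroit"-style rule (non-admin author plus a Gmail recipient) hits both conditions.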