I read the GTIG threat intelligence report this week: UNC6508, attributed to the People’s Republic of China, spent more than 26 months inside North American medical research networks. The campaign ran from September 2023 through at least November 2025. Entry point: vulnerable legacy versions of REDCap, the web-based platform used across North American academic medical centers for clinical and research data collection.

The initial foothold was a web shell named help.php planted inside the REDCap application directory. Three months later, UNC6508 deployed INFINITERED: a custom malware that trojanized legitimate REDCap system files. Three components: a dropper that hijacks software upgrade packages to persist through patching, a credential harvester that captured usernames and passwords from REDCap login pages and stored them in REDCap’s own sessions table, and a backdoor that received commands via HTTP cookies. Once INFINITERED was installed, patching REDCap alone didn’t remove it.

Over a year into the compromise, UNC6508 used those harvested credentials to reach a domain administrator account. Then the group deployed a T1114.003 email forwarding rule named “Patroit” (the spelling is theirs) that silently forwarded matching emails to BebitaBarefoot774@gmail.com. GTIG cited keyword targets including geo-strategic policy, military strategy, advanced technology, and medical research. Typos throughout the rule suggest it was maintained manually, not programmatically.

GTIG cited this as the first observed use of email content compliance rules as an exfiltration channel by a PRC-nexus actor. That’s the structural shift: instead of staging exfiltration through dedicated infrastructure, UNC6508 embedded collection inside the target’s own email platform. Google disrupted the infrastructure and notified affected organizations in the United States and Canada.

REDCap administrators should upgrade to the latest version and remove all legacy installations now. Worth auditing your content compliance rules this quarter, too.
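One way to start that audit, added here as an example that is not from the GTIG report or this post: scan an exported list of content compliance rules and flag any rule that forwards mail to a domain you don't own. The JSON field names and the sample rules are constructed assumptions for illustration, since the real export format isn't described above.

```python
import json

# Constructed sample export of mail content-compliance rules. The schema
# (name / keywords / action / forward_to) is an assumption for this example.
SAMPLE_RULES = json.dumps([
    {"name": "Legal hold - contracts", "keywords": ["contract", "NDA"],
     "action": "quarantine", "forward_to": []},
    {"name": "Patroit",  # misspelled name, like the rule described in the report
     "keywords": ["military strategy", "medical research", "advanced tecnology"],
     "action": "deliver_and_forward",
     "forward_to": ["placeholder-mailbox@example.com"]},  # placeholder, not a real IoC
    {"name": "Route grants to finance", "keywords": ["grant award"],
     "action": "deliver_and_forward",
     "forward_to": ["finance@mail.research.example.org"]},
])

# Domains the organization controls; subdomains of these count as internal.
ORG_DOMAINS = {"research.example.org"}


def is_internal(address, org_domains):
    """True if the address's domain is one of org_domains or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def external_forwarders(rules_json, org_domains):
    """Return [(rule_name, keywords, external_destinations)] for every rule
    that forwards matching mail outside the organization's domains."""
    findings = []
    for rule in json.loads(rules_json):
        external = [addr for addr in rule.get("forward_to", [])
                    if not is_internal(addr, org_domains)]
        if external:
            findings.append((rule["name"], rule.get("keywords", []), external))
    return findings


if __name__ == "__main__":
    for name, keywords, dests in external_forwarders(SAMPLE_RULES, ORG_DOMAINS):
        print(f"REVIEW rule {name!r}: forwards {keywords} to {dests}")
```

Every hit is not necessarily malicious; the point is that each externally forwarding rule gets a named owner and a documented reason, and the rest get removed.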

— Rebecca Lauren